NT Logons as Management Tool

As 1999 was winding down, the trade press reported a flurry of new viruses that were infecting the Windows user community. Alarmed by these reports, one of my NT systems management friends began considering the risk to her company.

She breathed a sigh of relief when she learned that all of her company's NT workstations were equipped with a late-model anti-virus software package. The product, she was assured, included a scheduling feature that was programmed on each of her NT machines to automatically download vendor-supplied definitions for the new viruses. These crucial definitions enable the anti-virus software to identify and eliminate the viruses, and to trigger periodic scans to find and fix infected files stored on locally attached drives.

Still, as the New Year approached, she wondered whether these features were working. After spot-checking a few NT desktops, she found all of the sampled machines were months behind the latest available virus definitions, and none had triggered a scan in over a year. With the company completely vulnerable and only a few weeks to go to Y2K, she had to quickly consider her options.

She decided against visiting each of the company's 4,500 desktops, scattered around 15 far-flung offices, to reconfigure the automatic features of their anti-virus software. She didn't have the manpower for this, and even if she did, she doubted whether she could trust the scheduling and downloading features to do the job, considering they had already dismally failed her. What she needed was an unattended, sure-shot treatment method guaranteed to reach 4,500 NT users.

She found it in her company's Windows NT domain logon script.

A domain logon script is a custom-written procedure, generally coded as an NT command (.BAT) file, that runs every time a user logs onto a Windows NT domain. A user's NT domain account record specifies the name of the file containing the logon procedure. At logon-time, the user's workstation finds and executes this file from the NETLOGON share of the nearest NT domain controller.

She discovered that, as in most NT shops, the company's NT logon script did little more than synchronize her workstations' system clocks, and hadn't been touched in years. Still, there it was, faithfully running day in and day out every time anyone logged on. She checked the anti-virus software package's documentation for instructions on executing the package from a command line, then coded the commands to update virus definitions and trigger virus scans into the logon script. Within a day, users were virus-protected, and the company made it through the change to 2000 unscathed by viruses.

Since then, she's found additional uses for the company's logon script, from installing small software updates to poking the correct registry settings into users' browsers, media players, and networking software. My friend tells me anyone can turn their logon scripts into a powerful network and configuration management tool, just by following four simple rules.

* Consolidate the many different logon scripts you might be using into a single logon script, and make sure that all user accounts specify this script for logon. If you need to perform conditional branches in your logon script to handle the needs of different users in your company, consider using the IFMEMBER utility in the NT Resource Kit to check for, and branch on, a user's membership in a domain group during logon.

* For performance, especially in lengthy and complicated logon scripts, consider using the KIX command processor in the NT Resource Kit. Alternatively, you might consider using Microsoft's Windows Scripting Host. Note that you'll find everything you need to run a WSH script in Windows 2000, but, unlike KIX, you'll need to install special software on NT 4.0 systems before they can execute WSH routines.

* Keep it simple. An over-complicated domain logon script, like any large computer program, can present you with unexpected software maintenance headaches.

* Make sure you've got your domain directory replication act together, so that all of your domain controllers will always reliably have a copy of your latest logon script in their NETLOGON share.
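A sketch of what such a consolidated script can look like, added here as an illustration and not taken from the company's actual script. AVUPDATE.EXE and AVSCAN.EXE are placeholders for the anti-virus vendor's command-line tools (assumed to return a non-zero exit code on failure), and the "Sales" group, SALES.REG file, and \\LOGSRV\AVLOG$ share are hypothetical names.

```bat
@echo off
rem Added example: one consolidated domain logon script for all accounts.
rem Placeholders: AVUPDATE.EXE / AVSCAN.EXE stand in for the vendor's
rem command-line tools; "Sales", SALES.REG and \\LOGSRV\AVLOG$ are hypothetical.
rem Assumes IFMEMBER.EXE (NT Resource Kit) has been copied into NETLOGON.

set NL=%LOGONSERVER%\NETLOGON
set LOG=\\LOGSRV\AVLOG$\%COMPUTERNAME%.txt

rem Clock synchronization, the script's original job.
net time %LOGONSERVER% /set /yes >nul

rem Update virus definitions at every logon. The per-machine status file is
rem overwritten each time, so its modified date shows when this last ran
rem and stale or failing machines can be found without visiting them.
AVUPDATE.EXE
if errorlevel 1 goto updfail
echo %USERNAME% definitions updated > "%LOG%"
goto scan

:updfail
echo %USERNAME% DEFINITION UPDATE FAILED > "%LOG%"

:scan
rem Scan locally attached drives and record a failure if one is reported.
AVSCAN.EXE
if errorlevel 1 echo %USERNAME% SCAN REPORTED A PROBLEM >> "%LOG%"

rem IFMEMBER sets ERRORLEVEL to the number of listed groups the user is in.
"%NL%\IFMEMBER.EXE" "Sales"
if not errorlevel 1 goto end

rem Group-specific branch: import registry settings kept beside the script.
regedit /s "%NL%\SALES.REG"
echo %USERNAME% Sales registry settings applied >> "%LOG%"

:end
```

Because every account runs this file at logon, write access to the NETLOGON share should be limited to the administrators who maintain the script.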

There you have it! Maybe my friend's Y2K lesson -- namely, the power in her NT domain logon script -- can work a little configuration management magic for you.

--Al Cini is a senior consultant with Computer Methods Corp. (Marlton, N.J.) specializing in systems and network integration. Contact him at al.cini@computermethods.com.