10.22 Self-service password reset from login prompt

When users forget their password, they should be able to use P-Synch to reset it for themselves, rather than calling on the help desk. P-Synch supports this with a web-based self-service password reset facility (Section HERE and Chapter HERE).

Some users may forget their initial workstation / network login password, and so be unable to access their own web browser. P-Synch offers assistance to these users using a Secure Kiosk Account (SKA).

A Secure Kiosk Account is a network login account defined on a Windows NT domain, Windows 2000 Active Directory domain, Novell 3.x file server or Novell NDS tree. You typically define the account with a HELP login ID and no password. You then create a security profile and associate it with the Secure Kiosk Account, so that when users log into it they get their default web browser in kiosk mode, instead of the Windows shell.

The Secure Kiosk Account eliminates the requirement for a costly desktop software deployment, while still enabling users to securely reset their own forgotten password from their workstation login prompt.

Configuration of a Secure Kiosk Account depends on two variables:

• The type of workstation from which users might connect to the network:
  • Windows 95/98/ME: Requires a security profile called config.pol on the NT/2000 domain or Novell login server.
  • Windows NT: Requires a security profile called ntconfig.pol on the NT/2000 domain or Novell login server.
  • Windows 2000 logging into Windows 2000 Active Directory domain: Define a group policy object in Active Directory.
  • Windows 2000 otherwise: Use the instructions for Windows NT workstations.

• The type of network login:
  • Windows NT domain: store policy files on the netlogon share of domain controllers.
  • Windows 2000 Active Directory domain:
    • Store policy files on the netlogon share of domain controllers, for access by Windows 95/98/ME and Windows NT workstations that don't use the DSCLIENT software.
    • Define group policy objects for Windows 2000 workstations connecting natively to Active Directory, and other workstations that connect using DSCLIENT.
  • Novell NetWare: Store policy files on the system/winnt directory.

Read the following sections to learn how to:

• Create the Secure Kiosk Account account.
• Create the security profile.
• Apply the security profile to the Secure Kiosk Account account.

10.22.1 Windows 95/98/ME workstations on Windows NT domains

Read this section to learn how to set up a Secure Kiosk Account Windows 95/98/ME for a Windows 95/98/ME workstation with a Windows NT domain.

10.22.1.1 Creating a help user

To create a HELP user to serve as a Secure Kiosk Account on a Windows 95/98/ME workstation:

1. Log into the domain as an administrator.
2. Open User Manager for Domains.
3. Create a new user called help.
4. Clear the password fields.
5. Check the following boxes:
   • User cannot change password
   • Password never expires
6. Clear the following boxes:
   • User must change password at next logon
   • Account disabled
7. Click Groups, then add the user to the DOMAIN USERS group, then click OK.
8. Click Profile, and type helpuser.bat under Logon Script Name, then click OK.
9. Click Account, and make sure that this account is set up as a Global Account in the Account Type frame. Click OK then Add.
10. If User Manager for Domains prompts for a server, click Cancel.
11. Close User Manager for Domains.

10.22.1.2 Creating logon script for help user

When the help user logs on, there needs to be some way to tell the client to launch the browser and to go to a specific webpage. This is done by creating a batch file in the NETLOGON netbios share.

1. Copy the files RUNURL.EXE, LOGOFF.EXE, and RUNURL.VXD from the directory:

   <instance name>\utils

   into the NETLOGON share's absolute directory.
   

   (Usually \winnt\system32\repl\import\scripts, unless directory replication is enabled, in which case you should install the file on the PDC in the \export\scripts directory.)

2. If that directory does not exist, create it and share it as NETLOGON. Be sure to set permissions to give everybody read-only access.
3. Create a file called helpuser.bat here, and type:
   • The full netbios path to the RUNURL.EXE program through the NETLOGON share.
   • Arguments such as:
     • -k (starts the default web browser in kiosk mode, with no navigation buttons)
     • -logoff (Log off the user after running runurl.exe)
     • -wait (waits for the browser to exit before logging off)
     • -no_icw (Prevent the Internet Connection Wizard from starting)
     • -url http://psynch-server/psynch/nph-pss.exe?qa_ext=response.pss (the URL for the P-Synch self-service password reset login page).
     • -nospawn (Prevents RUNURL from crashing because of a loss of network share.

     See Section HERE for a full list of arguments.

   For example, type:

       \\psynch-server\netlogon\runurl.exe -k -logoff -wait -url http://...
   

4. Save the batch file

10.22.1.3 Creating the security policy

To create the policy file that the Windows 95/98/ME workstation apply to the Secure Kiosk Account:

10.22.1.3.1 Create a policy file:

Open the System Policy Editor. If you don't know where it is, look for POLEDIT.EXE on the Windows NT server operating system CD.

1. On the primary domain controller (PDC), look for a file called CONFIG.POL- normally found in the following folder on the PDC if you have Directory Replication enabled:

   \Winnt\System32\Repl\Export\Scripts

   If you do not have Directory Replication between the PDC and your BDCs, look in:

   \Winnt\System32\Repl\Import\Scripts

2. If the file exists, open it in the System Policy Editor and proceed to the next step.

   If the file does not exist, use the menu option File, New Policy in the System Policy Editor. You will be presented with checkboxes for Default User and Default Computer. Clear both checkboxes before proceeding.

10.22.1.3.2 Add the help user to this profile:

Select the Edit-$>$ Add User menu option and press the Browse button. Select the help user defined earlier and click Add button, then OK button.

10.22.1.3.3 Restrict the help user's rights:

Double click the icon for the help user in the main System Policy Editor window. This will open a window with the user's properties. Set the following properties:

1. Select the check boxes under Control Panel\Display\Restrict Display and all options beneath it:
   • Deny access to display icon
   • Hide Background tab
   • Hide Screen Saver tab
   • Hide Appearance tab
   • Hide Settings tab

2. Clear the check boxes under Desktop:
   • Wallpaper
   • Color scheme

3. Select the following check boxes under Shell\Restrictions.
   • Remove Run command from Start menu
   • Remove folders from Settings on Start menu
   • Remove Taskbar from Settings on Start menu
   • Remove Find command from Start menu
   • Hide drives in My Computer
   • Hide Network Neighborhood
   • No Entire Network in Network Neighborhood
   • No workgroup contents in Network Neighborhood
   • Hide all items on desktop
   • Disable Shut Down command
   • Don't save settings at exit

4. Select the check box under System\Restrictions\Disable Registry.

5. Clear the check box under System\Restrictions\Run only allowed Windows applications.

After defining the properties for the TEST user, click OK to close the HELP user's policy properties window.

10.22.2 Windows NT/2000 Professional workstations on a Windows NT domains

Read this section to learn how to set up a secure kiosk account for a Windows NT/Windows 2000 professional workstation with a Windows NT domain.

10.22.2.1 Creating a help user

To create a HELP user to serve as a Secure Kiosk Account on a Windows NT/Windows 2000 professional workstation:

1. Log into the domain as an administrator.
2. Open User Manager for Domains.
3. Create a new user called HELP.
4. Clear the password fields.
5. Check the following boxes:
   • User cannot change password
   • Password never expires
6. Clear the following boxes:
   • User must change password at next logon
   • Account disabled
7. Click Groups, then add the user to the DOMAIN USERS group, then click OK.
8. Click Account, and make sure that this account is set up as a Global Account in the Account Type frame. Click OK then Add.
9. If User Manager for Domains prompts for a server, click Cancel.
10. Close User Manager for Domains.

10.22.2.2 Creating the security policy

To create the policy file that the Windows NT/2000 workstation will apply to the Secure Kiosk Account:

10.22.2.2.1 Create a policy file:

Open the System Policy Editor. If you don't know where it is, look for POLEDIT.EXE on the Windows NT server operating system CD.

1. On the primary domain controller (PDC), look for a file called NTCONFIG.POL- normally found in the following folder on the PDC if you have Directory Replication enabled:

   \Winnt\System32\Repl\Export\Scripts

   If you do not have Directory Replication between the PDC and your BDCs, look in:

   \Winnt\System32\Repl\Import\Scripts

2. If the file exists, open it in the System Policy Editor and proceed to the next step.

   If the file does not exist, use the menu option File, New Policy in the System Policy Editor. You will be presented with icons showing the Default User and Default Computer. Delete both icons before proceeding.

10.22.2.2.2 Add the help user to this profile:

Choose the Edit>Add User menu option and press the Browse button. Select the help user defined earlier and click Add button, then OK button.

10.22.2.2.3 Restrict the help user's rights:

Double click the icon for the help user in the main System Policy Editor window. This will open a window with the user's properties. Set the following properties:

1. Select the check boxes under Control Panel\Display\Restrict Display and all options beneath it:
   • Deny access to display icon
   • Hide Background tab
   • Hide Screen Saver tab
   • Hide Appearance tab
   • Hide Settings tab

2. Clear the check boxes under Desktop:
   • Wallpaper
   • Color scheme

3. Select the following check boxes under Shell\Restrictions.
   • Remove Run command from Start menu
   • Remove folders from Settings on Start menu
   • Remove Taskbar from Settings on Start menu
   • Remove Find command from Start menu
   • Hide drives in My Computer
   • Hide Network Neighborhood
   • No Entire Network in Network Neighborhood
   • No workgroup contents in Network Neighborhood
   • Hide all items on desktop
   • Disable Shut Down command
   • Don't save settings at exit

4. Select the check box under System\Restrictions\Disable Registry.

5. Clear the check box under System\Restrictions\Run only allowed Windows applications.

6. Select the check box under Windows NT Shell\Custom user interface\Custom Shell

   In the text field for the default shell, type the full netbios path to the RUNURL.EXE program above, followed by four arguments:

   • -k (starts the default web browser in kiosk mode, with no navigation buttons)
   • -logoff (Log off the user after running runurl.exe)
   • -no_icw (Prevent the Internet Connection Wizard from starting)
   • -wait (waits for the browser to exit before logging off)
   • -url http://psynch-server/psynch/nph-pss.exe?qa_ext=response.pss (the URL for the P-Synch self-service password reset login page).
   For example, type:

   \\pdc-server\netlogon\runurl.exe -k -logoff -wait -url http://...

   Note:

   Be sure to copy all the files from the <instance name>\runurl directory into the location in which you will save the ntconfig.pol file. See Applying the security policy to the help user on Page .

   
    

7. Clear the check boxes under Windows NT Shell\Custom folders.

8. Under Windows NT Shell\Restrictions:
   • Clear Only use approved shell extensions
   • Select:
     • Remove View-$>$Options menu from Explorer (if applicable)
     • Remove Tools-$>$GoTo menu from Explorer (if applicable)
     • Remove File menu from Explorer
     • Remove common program groups from Start Menu
     • Disable context menus for the taskbar
     • Disable Explorer's default context menu
     • Remove the ``Map Network Drive'' and ``Disconnect Network Drive'' options
     • Disable link file tracking

9. Under Windows NT System
   • Clear:
     • Parse autoexec.bat
     • Run logon scripts synchronously
     • Disable Logoff (if applicable)
     • Show welcome tips at logon

   • Select:
     • Disable Task Manager
     • Disable Lock Workstation (if applicable)
     • Disable Change Password (if applicable)
10. Clear these checkboxes under Windows NT User Profiles (if applicable):
    • Limit profile size
    • Exclude directories in roaming profile

After defining the properties for the TEST user, click OK to close the HELP user's policy properties window.

10.22.2.3 Applying the security policy to the help user

To apply the security policy to the HELP user on a Windows NT/2000 workstation:

1. In the System Policy Editor, save the policy file as ntconfig.pol in the Windows NT NETLOGON share. This is usually in the following directory on the PDC:

   C:\winnt\system32\repl\export\scripts

   If you do not have Windows NT Directory Replication enabled or configured, save the policy file, directly to the NETLOGON share. This should be in the following directory on the PDC:

   C:\winnt\system32\repl\import\scripts

   If you do not have a NETLOGON share on your Windows NT PDC, create one in the directory above. Be sure to set up the permissions to say that everyone has read only access.

   Note:

   The policy file must be called NTCONFIG.POL

   
    

2. Log in as the user HELP and test the configuration. You should not be able to do anything other than access the P-Synch self-service password reset facility in the default web browser.
3. To close the browser (and log off), press Alt+F4.

10.22.3 Windows 2000 Active Directory

Read this section to learn how to set up a secure kiosk account for a Windows NT/Windows 2000 professional workstation with a Windows NT domain.

10.22.3.1 Creating a help user

1. Log into the domain as an administrator.
2. Open Active Directory Users and Computers.
3. Create a new user called help.
4. Clear the password fields.

   Note:

   You may have to set your password strength rules to require a minimum length of 0 before this will work.

   
    

5. Check the following boxes:
   • User cannot change password
   • Password never expires
6. Clear the following boxes:
   • User must change password at next logon
   • Account is disabled
7. Close Active Directory Users and Computers.

10.22.3.2 Creating the security policy

If the workstation logs into a Windows NT domain, please refer to HERE. Otherwise, for workstations that log into active directory, use the following instructions:

Open the Microsoft Management Console. If you don't know where it is, open Start-$>$Run and type in mmc.

10.22.3.2.1 Create a policy:

On a domain controller, open Microsoft Management Console and click on the Console menu. Click on Add/Remove Snap-in... and add a Group Policy snap-in. While adding the snap-on, create and name the Group Policy appropriately (Help Account Policy is a good name for the policy) and select it as the Group Policy this snap-in is utilizing.

10.22.3.2.2 Add the help user to this profile:

Right click on the new policy that was created and click on Properties. You will be presented with three tabs, one of which is Security. Click on the Security tab. Click on the Add... button and select the help user. Under the permissions for the help user, ensure that the Apply Group Policy permission is checked under the Allow column.

10.22.3.2.3 Restrict the help user's rights:

Expand the tree under the Help Account Policy: -$>$ User Configuration -$>$ Administrative Templates

1. Start Menu & Taskbar:

   Set the following options to Disabled:

   • Disable Logoff on the Start Menu

   Set the following options to Enabled:

   • Disable and remove the Shut Down command

2. Desktop:

   Set the following options to Enabled:

   • Hide all icons on Desktop
   • Remove My Documents icon from desktop
   • Hide My Network Places icon on desktop
   • Hide Internet Explorer icon on desktop
   • Don't save settings at exit

3. Desktop\Active Desktop:

   Set the following options to Disabled:

   • Active Desktop wallpaper
   • Allow only bitmapped wallpaper

   Set the following options to Enabled:

   • Disable all items
   • Prohibit changes
   • Prohibit adding items
   • Prohibit deleting items
   • Prohibit editing items
   • Prohobit closing items

4. Control Panel:

   Set the following options to Disabled:

   • Disable Control Panel

5. Control Panel\Display:

   Set the following options to Enabled:

   • Disable Display in Control Panel
   • Hide Background tab
   • Disable changing wallpaper
   • Hide Appearance tab
   • Hide Settings tab
   • Hide Screen Saver tab
   • No screen saver

6. System:

   Set the following options to Enabled:

   • Custom user interface In the Interface file name box type the full path to the runurl.exe program (should be the UNC name of the domain controller with the SYSVOL share. ie: \\dmnctrlr\sysvol\runurl.exe) with the following arguments:
     • -k (starts the default web browser in kiosk mode, with no navigation buttons)
     • -wait (Waits for the web browser to close before continuing)
     • -logoff (Forces a log off once the browser closes)
     • -no_icw (Prevent the Internet Connection Wizard from starting)
     • -url http://password/psynch/nph-pss.exe?qa_ext=response.pss (the URL for the P-Synch self-service password reset login page).

     In the C:\Program Files\P-Synch\utils
     directory is a utility called runurl.exe. Save this utility to the SYSVOL share of the Domain Controller specified in full path to runurl.exe.

   • Disable registry editing tools
   • Disable Autoplay Set the Disable Autoplay on: value to: All drives

7. System\Logon/Logoff:

   Set the following options to Disabled:

   • Disable Logoff

   Set the following options to Enabled:

   • Disable Task Manager
   • Disable Lock Computer
   • Disable Change Password
   • Run logon scripts synchronously

10.22.3.3 Applying the security policy to the help user

After setting the group policy object (GPO) options in MMC, click on the Console menu and click Save. If an option to save it as a specific name pops up, enter a name you can identify this Management Console as.

After saving the changes, this Group Policy will be in effect every time the help user logs in to the domain. Should it appear that the Group Policy is not applying properly, please check to ensure that your Windows 2000 workstations are using the Windows 2000 Domain Controller as their primary DNS server.

10.22.4 Novell NetWare NDS

Read this section to learn how to set up a secure kiosk account Novell NDS for a Novell Netware NDS network login.

Note:

This procedures in this section were carried out using ZENworks 2

 

10.22.4.1 Creating a help user

1. Log into the tree as an appropriate administrative user.
2. Open NETWARE ADMINISTRATOR.
3. Create a new user called help in the appropriate container.
4. For that new help user, open the details and define the following:
   • Create a home directory for the user and specify it in the Home Directory property under the Environment page.
   • Under the Login Script page, create a login script to map a drive to location of the runurl.exe stored on the Novell file server. For example: map F:=server-nw5/sys:

10.22.4.2 Creating the security policy

To create a security policy:

1. Log in to your NDS tree as an admin user that has the ability to:
   • Create User Packages/ZENworks Policies
   • Apply the ZENworks policy to the help user.

2. Open NETWARE ADMINISTRATOR. It should be located under a Novell Program Group under the Start menu or under the SYS\Public\Win32 directory on your Novell file server (as the NWADMIN32.EXE file).

3. Create a policy package
4. Restrict the help user's rights.

10.22.4.2.1 Creating a policy package:

1. Through NETWARE ADMINISTRATOR, create a new Policy Package object. The POLICY PACKAGE WIZARD should appear. Select the WinNT-Win2000 User Package Policy Package and click Next.

2. Name the User Package appropriately and make sure that the context that the Policy Package is being created in is correct. Click Next.

3. Select the Dynamic Local User Policy. Click on the Details... button when it is available.

4. Select Enable Dynamic Local User. Make sure that Use NetWare credentials and Volatile User (Remove NT user after logout) are selected as well. Add the user to the Administrators group (this will be a temporary assignment). Click OK.

5. When the Details dialog box closes, select the NT Desktop Preferences Policy. Click on the Details... button when it is available.

6. Click Roaming Profile. Make sure that Roaming Profiles and Enable Storage of Roaming Profiles are enabled and the Store User Profile in User Home Directory radio button is selected. Click OK.

7. When the Details dialog box closes, select the NT User System Policies Policy.

10.22.4.2.2 Restricting the help user's rights:

1. Write a file named runurl.cfg to include arguments for the RUNURL.EXE command, which runs the utility to find the default web browser on a Windows workstation, and open it with a given starting URL.
   This is strongly recommended because the length of the URL string can cause instability. The command must also be executed from a share. Include the following arguments in the file:
   • -k (starts the default web browser in kiosk mode, with no navigation buttons)

   • -logoff (Log off the user after running runurl.exe)
   • -wait (waits for the browser to exit before logging off)
   • -no_icw (Prevent the Internet Connection Wizard from starting)
   • -url http://password/psynch/nph-pss.exe?qa_ext=response.pss (the URL for the P-Synch self-service password reset login page).

2. Make sure that the NT User System Policies option is selected (do not uncheck it, just highlight it).
3. Click on the Details... button when it is available.
4. Set the following properties:
   1. Shell\Restrictions\Hide all items on desktop

      Check this box.

   2. Shell\Restrictions\Disable Shutdown

      Check this box.

   3. System\Restrictions\Disable Registry editing tools

      Check this box.

   4. Windows NT Shell\Custom user interface\Custom Shell

      Check this box.

      In the text field for the default shell, type the full path to the RUNURL.EXE program, followed by the argument -cfg \FILEPATH\runurl.cfg.

   5. Windows NT System\Run logon scripts synchronously

      Check this box.

   6. Windows NT System\Disable Task Manager

      Check this box.

5. Once that you have the necessary NT User System Policies defined, close the Details dialog box.
   The next step is to apply the policy package to the help user.

10.22.4.3 Applying the security policy to the help user

To apply the security policy to the help user:

1. Add the help user to the policy package.
2. Ensure the NDS environment is configured for the help user.

10.22.4.3.1 Adding the help user to the policy package:

When the Details dialog box closes for the NT User System Policies, click Next. The next step is to associate the Policy Package to the help user.

1. Click Add....
2. Browse to the help user object and select that object.
3. Once the help user object is highlighted, click OK.

The help user object should now be associated to the Policy Package. Click Next. Confirm your selections and click Finish.

10.22.4.3.2 Final Configuration:

The NDS environment requires some additional configuration to be handled before a successful SKA account can be deployed. If you do not have either INTERNET EXPLORER or the INTERNET EXPLORER CONNECTION WIZARD, you may not need to carry out these steps. However, it may be necessary to carry out similar steps if your environment requires some initial configuration for a user.

1. Using a machine that is part of the domain, log in as the help user you just created.

   If everything was applied correctly and the Dynamic Local User was set up properly, INTERNET EXPLORER will start when you log in.

   • If the login process prompts you for an NT password for the help user, you may have some local password strength rules that conflict with the password (or lack thereof) that was defined for the help user under NDS. In these cases NDS will be unable to create the Dynamic Local User successfully. The solution is to fix the local workstation's password strength rules or change the password for the help user under NDS.
   • If Desktop items or the Start bar appears instead of an Internet Explorer or Internet Explorer Connection Wizard window, it is likely that the Policy Package was not applied to the user correctly or that the path to the RUNURL.EXE command was not correctly specified. Review your configuration and make adjustments.
2. If INTERNET EXPLORER STARTS up the INTERNET EXPLORER CONNECTION WIZARD, proceed through the wizard and configure it to utilize your current network environment. These settings are made on a per-user basis and need to be set to the help user's profile before regular users can successfully use this account to perform self-service resets.
3. Once the Internet Explorer Connection Wizard has completed, press CTRL-ALT-DEL and click the Logout... button. Log the help user out of the workstation. At this point, the Windows NT profile will be saved to the Novell server in the help user's home directory. This includes all the necessary Internet Explorer settings.
4. Once the help user is logged out, log in as an administrative user in the NDS environment and open NETWARE ADMINISTRATOR setting up secure kiosk account:
   1. Open the details window on the Policy Package you created for the help user and highlight the Dynamic Local User policy and click the Details... button.
   2. Remove the help user from the Administrators group.
   3. Click OK.
   4. Close the details window for the Policy Package.
5. Modify the execution of the runurl utility in the runurl.cfg file to include to include -wait -logoff -no_icw after the -k option.
6. To ensure that no changes are made to the help user's personal environment, open the help user's home directory in an Explorer or Command Prompt window. There you will find a "Windows NT 4.0 Workstation Profile" directory. Open that directory and you will find a NTUSER.DAT file. Rename that file to NTUSER.MAN to force it to a Mandatory Roaming Profile. This will prevent further changes to the help user's profile from being kept.
7. Ensure that Enable WorkStation Manager is checked under Network Properties -> Novell WorkStation Manager, and that the correct tree is listed.

With those final settings, the help user should be available to all users to perform self-service resets from the login prompt.

10.22.5 Setting up a HELP dial-in account

Read this section to learn how to enable limited user access to your network through a Windows 2000 Server via Dial up or VPN. The user should be limited to accessing the P-Synch server via a web-browser.

10.22.5.1 Pre-requisites

Before carrying out this procedure, you must:

• Have a good understanding of your VPN and/or Dial-up Server. This section describes the procedure using Windows RAS server, however you can apply these same concepts to any vendor specific VPN or dial-up solution.
• Have a Windows 2000 server (or Advanced Server) running Active Directory.
• Have a Windows 2000 server (or Advanced Server) running routing and remote access that authenticates to the Active Directory.
• Set up a locked down user account(HERE).

10.22.5.2 Creating the HELP dial-up account

To create a HELP dial-up account:

1. Set up a group and add the HELP account as a member.
   1. As a Domain Administrator open the Active Directory Users and Computers dialog box by choosing Start -> Program Files -> Administrative Tools -> Active Directory Users and Computers
   2. Create a new user group called dialinhelp:
      1. Select the OU where the group should be created by choosing Action -> New -> Group
      2. In the Group Name Field type: dialinhelp
      3. Set the Group scope to Global.
      4. Set the Group Type to Security Click OK
   3. Edit the Properties of the dialinhelp group account
      1. Select the group dialinhelp that you just created
      2. Click Action, then Properties, then select the General tab.
      3. In the Description Field type Dial in account for P-Synch Access
      4. Type notes about this account as required.
      5. Select the Members tab.
      6. Add the HELP account that was created when configuring the HELP SKA User (HERE).
      7. Select the Security tab and edit the properties to comply to your organization's policy.

   4. Edit the Properties of the HELP user account.
      1. Select the HELP user
      2. Click Action, then Properties.
      3. Select the Dial-in tab.
      4. Select Allow Access in the Remote Access Permissions box.
      5. Click OK
   5. Close the Active Directory Users and Computers dialog box.

2. Create a Remote Access Policy that restricts user access and apply the Remote Access Policy to the dial in help group.
   1. As Domain Administrator open the Routing and Remote Access dialog box by choosing Start -> Program Files -> Administrative Tools -> Routing and Remote Access.
   2. Select the server that the HELP user will dial into.
   3. Select the Remote Access Policies under that server.
   4. Click Action -> New -> Remote Access Policy to see the Add Remote Access Policy dialog box.
   5. Type dialinhelp in the Policy Friendly Name field.
   6. Click Next
   7. In the Conditions dialog box, click Add.
   8. On the Select Attribute dialog box, select Windows-Groups, then click Add.
   9. On the Groups dialog box click Add.
   10. On the Select Groups dialog box, select the dialinhelp group.
   11. Click Add, then OK.
   12. On the Groups dialog box, click OK.
   13. On the Add Remote Access Policy window click Next.
   14. Select Grant remote access Permission.
   15. Click Next.
   16. Edit the Dial in Profile:
       1. Click Edit Profile to see the Edit Dial in Profile dialog box.
       2. Select the Dial-in Constraints tab.
       3. Check the Disconnect if idle for check-box and set the value to 1 minute (recommended setting).
       4. Check the Restrict maximum session to checkbox, and set the value to 5 minutes (recommended setting).
       5. Select the IP tab.
       6. Set IP Packet Filters to allow only for authentication to the network and HTTP traffic to the P-Synch server.
       7. On the Edit dial in Profile dialog box, click OK.
   17. On the Add Remote Access Policy dialog box, click OK.
   18. While the dialinhelp policy is selected set it to order 1 by clicking the up arrow in the menu bar.
3. Test your configuration by dialling (or VPN) to the RAS server.

10.22.6 Advertising the help account

Once a generic help account has been created on the network, users must be educated to use it when they cannot remember their passwords, or when their password has been locked out.

There are several ways to do this:

1. Add instructions to the help desk voice response system, so that users who call for help are instructed to try to log in with the help account.

2. Deploy a login screen background image to user workstations, so that the instructions to try the help account are always on the user's screen.

3. Add instructions about the help account to whatever media are distributed to users to tell them about the corporate help desk. For example, some companies print information about how to call the help desk on mouse pads.

10.22.6.1 Replacing the Windows login screen background

If you elect to advertise the presence of the help account by replacing the login screen background image on user workstations, follow these steps:

1. Create a background image. Due to variable display resolution, an image with 640x480 pixels is appropriate. The image should contain your corporate logo, as well as a message like the following:

   If you have trouble logging into your workstation or the network, log in with the user ID help and no password.

2. On Windows NT and 2000 workstations, name the bitmap file winnt256.bmp and copy it to the winnt directory.

3. On Windows 95 and 98 workstations, name the bitmap file pslogin1.bmp and copy it to the WINDOWS directory. Next, apply the following registry patch to each workstation:

        REGEDIT4
    
        [HKEY_USERS\.default\Control Panel\Desktop]
        "TileWallpaper"="0"
        "Wallpaper"="\\WINDOWS\\PSLOGIN1.BMP"
    
        [HKEY_CURRENT_USER\Control Panel\Desktop]
        "TileWallpaper"="0"
        "Wallpaper"="\\WINDOWS\\PSLOGIN1.BMP"
   

   You can also change other visual formatting parameters. For example:
   • Set "WallpaperStle"="2" to strech the bitmap to fill the screen.
   • Specify WallpaperOriginX" and "WallpaperOriginY" to offset the bitmap from the upper left corner.

If the changes were made while a user was logged into his workstation, then they will only take effect after he logs out.

Note:

You can apply the above changes using a policy, or by using the regutil program provided with P-Synch. See Section HERE.