由于普通的Domain Users没有进行注册表写入及复制文件到All Users桌面的权限,因此昨天分享的登录脚本还需要两个辅助脚本,这两个辅助脚本都是通过Runasspc来实现的。
根据MVP亮亮的建议,我在脚本中适当地加入了中文注释,希望能够更多地帮助到大家。如果您对VBScript有兴趣,建议多去看看TechNet的脚本中心,以及Scripting Guy,那里有更详细、更丰富的介绍。
进入今天的正题,这两个辅助脚本分别为Default_Admin_Program.vbs和Special_Admin_Program.vbs。在昨天的分享中,有这样一段代码:
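' Excerpt from the logon script: chooses which elevated helper to launch.
' ... part of the logon script omitted ...
    Case "Print-Screen-User"
        ' Members of this group get the helper that disables the Print Screen key.
        RegInfo = 1
' ... part of the logon script omitted ...
    ' runasspc.exe and both .spc files are read from the NETLOGON share of the
    ' site's domain controller (<site prefix>2k3dc01).
    ' NOTE(review): the .spc file presumably wraps the administrative account that
    ' runs the helper script - confirm. NETLOGON is readable by every domain user,
    ' so keep write access to the share and to the helper scripts restricted to
    ' administrators, and consider a Group Policy computer startup script (which
    ' runs as SYSTEM) so that no credential file has to be distributed at all.
    If RegInfo = 1 Then
        wshell.Run("\\" & VCsite & "2k3dc01\netlogon\runasspc.exe /cryptfile:" & "\\" & VCSite & "2k3dc01\netlogon\Admin_Program\Special_Admin_Program.spc /quiet")
    Else
        wshell.Run("\\" & VCsite & "2k3dc01\netlogon\runasspc.exe /cryptfile:" & "\\" & VCSite & "2k3dc01\netlogon\Admin_Program\Default_Admin_Program.spc /quiet")
    End If
End If ' closes an If that was opened in the omitted part of the logon script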
以上代码用于判断当前用户是否属于Print-Screen-User组,如果是则执行Special_Admin_Program.vbs,否则执行Default_Admin_Program.vbs。这两个脚本的内容几乎完全一致,唯一不同之处在于Special通过注册表调整了PrnScr键的键位映射,从而使用户无法通过该键来打印屏幕。
以下分别为这两个VBS的代码,带有简单中文注释。
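'***********************************************************************
' Script        : Special Users Policy
' Creation Date : 2010-07-22
' Version       : 2.1
'
' Helper script that the logon script starts through runasspc for members
' of the Print-Screen-User group. It copies shortcuts to the All Users
' desktop and writes machine-wide (HKLM) policy values, so it has to run
' under an account with local administrator rights.
'***********************************************************************

' Best effort: every step below continues after a failure.
' NOTE(review): this also hides failed registry writes and file copies; log
' Err.Number after the important steps if you need to know a policy applied.
On Error Resume Next

Const HKEY_LOCAL_MACHINE = &H80000002

' Computers that are exempt from the "USB storage disabled" policy.
' Every element needs a trailing comma and the continuation character needs
' a leading space, otherwise the script fails to compile and nothing runs.
arrEnUsbStorPClist = Array("HZPC01", "HZPC02", "HZPC03", _
                           "SHPC01", "SHPC02", _
                           "NJPC01", "NJPC02", _
                           "FZPC01", "FZPC02", _
                           "XMPC01", "XMPC02", _
                           "SZPC01")

' Computers that are exempt from the "confirm incoming VNC connection" policy.
arrVNCNoQueryConPClist = Array("HZPUB01", "HZPUB02", "HZPUB03", _
                               "SHPUB01", "SHPUB02", _
                               "NJPUB01", "NJPUB02", _
                               "FZPUB01", "FZPUB02", _
                               "XMPUB01", "XMPUB02", _
                               "SZPUB01")

'------------------------------------------------------------------------------------------------------------
Set WShell = CreateObject("wscript.shell")
Set objNetwork = CreateObject("wscript.network")
Set objFSO = CreateObject("scripting.FileSystemObject")

strComputer = objNetwork.ComputerName
' The first two characters of the computer name are the site prefix; the
' site's domain controller is addressed as <prefix>2k3dc01.
VCsite = Left(strComputer, 2)
EnableUSB = 0
EnableVNC = 0

' Copy ICA Lnk: copy the ICA shortcuts to the All Users desktop (overwrite = True).
' NOTE(review): shortcuts are pulled from a network share and shown to every
' user of the machine; keep that share writable by administrators only.
strIconDir = "\\" & VCsite & "2k3dc01\Resources\Icon\***\"
strDesktop = "C:\Documents and Settings\All Users\桌面\"
For Each strLink In Array("LinkName1.lnk", "LinkName2.lnk", "LinkName3.lnk")
    objFSO.CopyFile strIconDir & strLink, strDesktop, True
Next

' Disable Print Screen: write a Scancode Map through the WMI registry provider.
' Layout: 8 zero bytes of header, entry count 3 (two mappings plus the
' terminator), E0 37 -> 00 46 and 00 54 -> 00 46, then a 4-byte terminator.
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Control\Keyboard Layout"
strValueName = "Scancode Map"
arrValues = Array(&h00,&h00,&h00,&h00,&h00,&h00,&h00,&h00, _
                  &h03,&h00,&h00,&h00, _
                  &h46,&h00,&h37,&he0, _
                  &h46,&h00,&h54,&h00, _
                  &h00,&h00,&h00,&h00)
objReg.SetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrValues

' USB Security Policy: is this computer on the exemption list?
' Compared case-insensitively so the list does not depend on name casing.
For lngIndex = 0 To UBound(arrEnUsbStorPClist)
    If StrComp(arrEnUsbStorPClist(lngIndex), strComputer, vbTextCompare) = 0 Then
        EnableUSB = 1
        Exit For
    End If
Next

' Removable storage is write-protected on every computer, listed or not.
WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect","1","REG_DWORD"
If EnableUSB = 1 Then
    ' Listed computer: USBSTOR driver enabled (read-only because of WriteProtect).
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","3","REG_DWORD"
Else
    ' Any other computer: USBSTOR driver disabled.
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","4","REG_DWORD"
End If

' VNC Security Policy: is this computer on the exemption list?
For lngIndex = 0 To UBound(arrVNCNoQueryConPClist)
    If StrComp(arrVNCNoQueryConPClist(lngIndex), strComputer, vbTextCompare) = 0 Then
        EnableVNC = 1
        Exit For
    End If
Next

If EnableVNC = 1 Then
    ' Listed computer: no confirmation prompt for incoming VNC connections.
    ' NOTE(review): on these machines the logged-on user is not asked before a
    ' remote session starts; keep the list short and rely on VNC authentication
    ' and network restrictions for them.
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","0","REG_DWORD"
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","0","REG_DWORD"
Else
    ' Any other computer: incoming VNC connections must be confirmed.
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","1","REG_DWORD"
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","1","REG_DWORD"
End If

' Enable Remote Desktop.
WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections","0","REG_DWORD"

' Reset Terminal Services Licensing: works around the 90-day licence expiry.
' The trailing backslash makes RegDelete target the key, not a value.
' NOTE(review): confirm the key is really removed when it has subkeys; a
' failure here is silent because of On Error Resume Next.
WShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\"

' Disable Firewall Services: set the built-in firewall service to Disabled.
' NOTE(review): together with RDP enabled above, this leaves the workstation
' without host-based filtering. Prefer keeping the firewall on and allowing
' only the required services (RDP, VNC) from management addresses.
WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start","4","REG_DWORD"
' The end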
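'***********************************************************************
' Script        : Default Users Policy
' Creation Date : 2010-07-22
' Version       : 2.1
'
' Helper script that the logon script starts through runasspc for users
' who are not in the Print-Screen-User group. It copies shortcuts to the
' All Users desktop, re-enables the Print Screen key and writes the
' machine-wide (HKLM) USB, VNC, RDP and firewall settings, so it has to
' run under an account with local administrator rights.
'***********************************************************************

' Best effort: every step below continues after a failure (for example,
' deleting a Scancode Map value that does not exist raises an error).
' NOTE(review): this also hides failed registry writes and file copies; log
' Err.Number after the important steps if you need to know a policy applied.
On Error Resume Next

' Computers that are exempt from the "USB storage disabled" policy.
' Every element needs a trailing comma and the continuation character needs
' a leading space, otherwise the script fails to compile and nothing runs.
arrEnUsbStorPClist = Array("HZPC01", "HZPC02", "HZPC03", _
                           "SHPC01", "SHPC02", _
                           "NJPC01", "NJPC02", _
                           "FZPC01", "FZPC02", _
                           "XMPC01", "XMPC02", _
                           "SZPC01")

' Computers that are exempt from the "confirm incoming VNC connection" policy.
arrVNCNoQueryConPClist = Array("HZPUB01", "HZPUB02", "HZPUB03", _
                               "SHPUB01", "SHPUB02", _
                               "NJPUB01", "NJPUB02", _
                               "FZPUB01", "FZPUB02", _
                               "XMPUB01", "XMPUB02", _
                               "SZPUB01")

'------------------------------------------------------------------------------------------------------------
Set WShell = CreateObject("wscript.shell")
Set objNetwork = CreateObject("wscript.network")
Set objFSO = CreateObject("scripting.FileSystemObject")

strComputer = objNetwork.ComputerName
' The first two characters of the computer name are the site prefix; the
' site's domain controller is addressed as <prefix>2k3dc01.
VCsite = Left(strComputer, 2)
EnableUSB = 0
EnableVNC = 0

' Copy ICA Lnk: copy the ICA shortcuts to the All Users desktop (overwrite = True).
' NOTE(review): shortcuts are pulled from a network share and shown to every
' user of the machine; keep that share writable by administrators only.
strIconDir = "\\" & VCsite & "2k3dc01\Resources\Icon\***\"
strDesktop = "C:\Documents and Settings\All Users\桌面\"
For Each strLink In Array("LinkName1.lnk", "LinkName2.lnk", "LinkName4.lnk")
    objFSO.CopyFile strIconDir & strLink, strDesktop, True
Next

' Enable Print Screen: delete the Scancode Map value so the key works again
' (takes effect after the next logon or restart). No trailing backslash, so
' RegDelete removes the value and leaves the Keyboard Layout key in place.
WShell.RegDelete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map"

' USB Security Policy: is this computer on the exemption list?
' Compared case-insensitively so the list does not depend on name casing.
For lngIndex = 0 To UBound(arrEnUsbStorPClist)
    If StrComp(arrEnUsbStorPClist(lngIndex), strComputer, vbTextCompare) = 0 Then
        EnableUSB = 1
        Exit For
    End If
Next

' Removable storage is write-protected on every computer, listed or not.
WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect","1","REG_DWORD"
If EnableUSB = 1 Then
    ' Listed computer: USBSTOR driver enabled (read-only because of WriteProtect).
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","3","REG_DWORD"
Else
    ' Any other computer: USBSTOR driver disabled.
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","4","REG_DWORD"
End If

' VNC Security Policy: is this computer on the exemption list?
For lngIndex = 0 To UBound(arrVNCNoQueryConPClist)
    If StrComp(arrVNCNoQueryConPClist(lngIndex), strComputer, vbTextCompare) = 0 Then
        EnableVNC = 1
        Exit For
    End If
Next

If EnableVNC = 1 Then
    ' Listed computer: no confirmation prompt for incoming VNC connections.
    ' NOTE(review): on these machines the logged-on user is not asked before a
    ' remote session starts; keep the list short and rely on VNC authentication
    ' and network restrictions for them.
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","0","REG_DWORD"
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","0","REG_DWORD"
Else
    ' Any other computer: incoming VNC connections must be confirmed.
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","1","REG_DWORD"
    WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","1","REG_DWORD"
End If

' Enable Remote Desktop.
WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections","0","REG_DWORD"

' Reset Terminal Services Licensing: works around the 90-day licence expiry.
' The trailing backslash makes RegDelete target the key, not a value.
' NOTE(review): confirm the key is really removed when it has subkeys; a
' failure here is silent because of On Error Resume Next.
WShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\"

' Disable Firewall Services: set the built-in firewall service to Disabled.
' NOTE(review): together with RDP enabled above, this leaves the workstation
' without host-based filtering. Prefer keeping the firewall on and allowing
' only the required services (RDP, VNC) from management addresses.
WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start","4","REG_DWORD"
' The end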
在这两个脚本中,您可以学习到如何使用VBScript通过WMI对注册表进行相关的操作。