Logon/logoff and startup/shutdown scripts are built into Windows, and you can deploy them with the appropriate privileges through Group Policy. Today I will introduce a way to schedule an action on user switching, which is not a logon or logoff event. This is typically useful for proxy session monitoring: with Fast User Switching enabled, the first user's authenticated proxy session stays alive while a second user takes over the console, so the second user's traffic is accounted to the first. Monitoring products therefore usually require Fast User Switching to be disabled, so that there is only one active session to account for. With the scheduled action below you get accurate accounting while keeping Fast User Switching enabled.
Fast User Switching can be disabled (or re-enabled) here:
Computer Configuration > Administrative Templates > System > Logon > Hide entry points for Fast User Switching. Setting it to Enabled disables user switching.
We will use a scheduled task for this job, and conveniently the trigger conditions include an option called "On connection to user session".
Set up a scheduled task for user session change
Step 1. Create a GPO and go to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
Right-click and select New > Scheduled Task (At least Windows 7).
Step 2. Give it a name of your preference; mine is "Switching user trigger Cyber hound logout".
Step 3. Security options: click the Change User or Group… button, type "Interactive" under "Enter the object name to select" and click OK; the system resolves it to "NT AUTHORITY\Interactive". This built-in group stands for whichever user is interactively logged on, so the task runs in the session of the user who just connected, with that user's token, rather than as a fixed account.
Step 4. Select "Run only when user is logged on" and tick "Run with highest privileges". Be aware that "Run with highest privileges" gives the script the user's full administrator token when that user is a local administrator; the logout script itself does not need elevation.
Keep the other defaults and move on to the triggers.
Step 5. Go to the Triggers tab and click the New… button.
Under "Begin the task" select "On connection to user session", then select "Connection from local computer" and make sure "Enabled" is ticked. A local connection is what a user switch at the console generates; "Connection from remote computer" corresponds to RDP sessions.
Step 6. Go to the Actions tab and click the New… button. Select "Start a program" and click Browse… to pick the program to run when a session connects. I chose PowerShell, because I want it to run a PowerShell script that logs out the CyberHound session. My script is saved at \\yourdomain.com\sysvol\cyberhound_logout.ps1 and simply hits the URL "http://auth.localnetwork.zone/logout" to log out the current proxy session:

```powershell
# Drive Internet Explorer through COM so the request carries the user's own
# browser session (cookies); the proxy then ends that user's authenticated session.
$IE = New-Object -ComObject InternetExplorer.Application
$IE.Visible = $false
$IE.Navigate2("http://auth.localnetwork.zone/logout")
while ($IE.Busy) { Start-Sleep -Milliseconds 200 }   # let the request finish
$IE.Quit()                                            # don't leave iexplore.exe behind
```

Without the wait and the Quit, every user switch would leave a hidden iexplore.exe process running in that session until logoff.
In my case the settings are:
- Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Add arguments (optional): -File "\\yourdomain.com\sysvol\cyberhound_logout.ps1"
Step 7. Go to the Conditions tab.
I unticked "Start the task only if the computer is on AC power" because the script runs for only a moment and will not drain a laptop battery. The task can only succeed if the network is available, so I ticked "Start only if the following network connection is available:" and selected "Any connection".
That completes the Task Scheduler setup.
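As an added example (not part of the original post), here is the same task expressed as Task Scheduler XML and registered locally with the ScheduledTasks module, so you can test the trigger on one machine before rolling it out through Group Policy Preferences. It has to run from an elevated PowerShell. The task name, script path and program are the placeholders used above; the five-minute time limit, the IgnoreNew instance policy and the -NonInteractive -WindowStyle Hidden arguments are my own additions.

```powershell
# Added example: register the "On connection to user session" task locally for testing.
# Assumed placeholders: task name and SYSVOL script path from the post above.
$taskName   = 'Switching user trigger Cyber hound logout'
$scriptPath = '\\yourdomain.com\sysvol\cyberhound_logout.ps1'

$taskXml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <!-- "On connection to user session" + "Connection from local computer":
         the event a console user switch generates (RemoteConnect would be RDP). -->
    <SessionStateChangeTrigger>
      <Enabled>true</Enabled>
      <StateChange>ConsoleConnect</StateChange>
    </SessionStateChangeTrigger>
  </Triggers>
  <Principals>
    <!-- S-1-5-4 is NT AUTHORITY\INTERACTIVE: the task runs in the session of
         whichever user just connected, with that user's token. -->
    <Principal id="Author">
      <GroupId>S-1-5-4</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <!-- My own choices: never stack instances, cap runtime at 5 minutes -->
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <!-- Conditions tab: allow on battery, require a network connection -->
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NonInteractive -WindowStyle Hidden -File "$scriptPath"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

Register-ScheduledTask -TaskName $taskName -Xml $taskXml -Force | Out-Null

# Read the task back and confirm the trigger and principal are what we intended
$task = Get-ScheduledTask -TaskName $taskName
$task.Triggers  | Format-List Enabled, StateChange
$task.Principal | Format-List GroupId, RunLevel

# After switching to another user and back, the run should be recorded here
Get-ScheduledTaskInfo -TaskName $taskName | Format-List LastRunTime, LastTaskResult
```

The XML is the same format you get from Export-ScheduledTask or from the "Export…" action in the Task Scheduler console, so once it behaves on the test machine you can compare it field by field with the task the GPO Preference item creates under the same name.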
Deal with PowerShell security settings
If you test this with a PowerShell script while switching users, you may find that the script does not run as expected, or that a security warning about executing the script appears every time you switch user.
- Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, find Turn on Script Execution and set the execution policy to "Allow all scripts". This corresponds to the Unrestricted execution policy. Keep in mind that execution policy only guards against running scripts by accident, not against a determined attacker; if you can sign the script with a code-signing certificate, "Allow only signed scripts" (AllSigned) is the stricter choice.
- You may still get a warning about the security of the script. Windows classifies a file opened from a UNC path by Internet Explorer security zone, and a share that is not in the Local intranet or Trusted sites zone is treated as a remote (Internet-zone) file, so PowerShell asks for confirmation before running it. The following setting puts the share into a trusted zone on the target machines:
To set trusted sites via GPO
- Open the Group Policy Management Editor.
- Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
- Select the Site to Zone Assignment List.
- Select Enabled and click Show to edit the list. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites.
- Add your domain name to the list with zone value 2. For an SMB share the format is file://*.yourdomain.com
- Click OK.
- Click Apply and OK.
By enabling this policy setting, you can manage a list of sites that you want to associate with a particular security zone.
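As an added example (not part of the original post), the following check can be run on a target machine, as the user who will trigger the task, after a gpupdate /force. It confirms that both settings above took effect: that the machine-level execution policy is no longer Restricted, and that the SYSVOL share now maps to a zone for which PowerShell skips the remote-file warning. The share path is the placeholder used in this post; the registry location is where the Site to Zone Assignment List policy stores its entries.

```powershell
# Added example: verify the PowerShell execution policy and the security zone of
# the script share on a client. Assumed placeholder: the SYSVOL script path.
$scriptPath = '\\yourdomain.com\sysvol\cyberhound_logout.ps1'

# 1. Execution policy. "Turn on Script Execution" writes the MachinePolicy scope,
#    which wins over every other scope, so that row must read Unrestricted
#    ("Allow all scripts") or AllSigned ("Allow only signed scripts").
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

# 2. Security zone of the share. PowerShell warns before running a script whose
#    path maps to the Internet zone; Trusted (zone 2) or Intranet (zone 1) is fine.
$url  = ([Uri]$scriptPath).AbsoluteUri          # file://yourdomain.com/sysvol/...
$zone = [System.Security.Policy.Zone]::CreateFromUrl($url).SecurityZone
"$url maps to zone: $zone"
if ("$zone" -in 'Intranet', 'Trusted') {
    'OK: the script will run without the remote-file warning'
} else {
    'Still remote: check the Site to Zone Assignment List entry for file://*.yourdomain.com'
}

# 3. The raw policy entries as the GPO writes them (value name = site pattern,
#    value data = zone number). This is user policy, hence HKCU.
$zoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if (Test-Path $zoneMapKey) {
    Get-ItemProperty $zoneMapKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    'No Site to Zone Assignment List policy has been applied to this user yet'
}
```

Because the zone assignment lives under User Configuration, the check must be run in the context of the switching user; running it as the local administrator who is testing the GPO will show that administrator's policy, not the user's.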
Restricting users from changing security zone policies
- Open the Group Policy Management Editor.
- Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
- Double-click Security Zones: Do not allow users to change policies.
- Select Enabled.
- Click Apply and OK.
Now the action triggered by user switching should be fully functional.