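Because ordinary Domain Users do not have permission to write to the registry or to copy files to the All Users desktop, the logon script shared yesterday needs two helper scripts. Both of them are run through Runasspc.
At the suggestion of MVP 亮亮, I have added comments to the scripts where appropriate, in the hope that they will be more helpful to everyone. If you are interested in VBScript, I recommend spending time in the TechNet Script Center and with the Scripting Guy, where you will find more, and more detailed, material.
On to today's topic. The two helper scripts are Default_Admin_Program.vbs and Special_Admin_Program.vbs. Yesterday's post contained the following code: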
- ' ... part of the code omitted ...
- Case "Print-Screen-User"
- RegInfo = 1
- ' ... part of the code omitted ...
- If RegInfo = 1 Then
- wshell.Run("\\" & VCsite & "2k3dc01\netlogon\runasspc.exe /cryptfile:" & "\\" & VCSite & "2k3dc01\netlogon\Admin_Program\Special_Admin_Program.spc /quiet")
- Else
- wshell.Run("\\" & VCsite & "2k3dc01\netlogon\runasspc.exe /cryptfile:" & "\\" & VCSite & "2k3dc01\netlogon\Admin_Program\Default_Admin_Program.spc /quiet")
- End If
- End If
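The code above checks whether the current user belongs to the Print-Screen-User group. If so, Special_Admin_Program.vbs is executed; otherwise Default_Admin_Program.vbs is executed. The two scripts are almost identical. The only difference is that Special changes the PrnScr key mapping through the registry, so that users cannot use that key to capture the screen.
The code of the two VBS files follows, with brief comments.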
- '***********************************************************************
- ' Script : Special Users Policy
- ' Creation Date : 2010-07-22
- ' Version : 2.1
- '***********************************************************************
- 'Define the list of computers exempt from the UsbStor security policy
- On Error Resume Next
- Const HKEY_LOCAL_MACHINE = &H80000002
- arrEnUsbStorPClist = Array("HZPC01","HZPC02","HZPC03", _
- "SHPC01","SHPC02", _
- "NJPC01","NJPC02", _
- "FZPC01","FZPC02", _
- "XMPC01","XMPC02", _
- "SZPC01")
- 'Define the list of computers exempt from the VNC security policy
- arrVNCNoQueryConPClist = Array("HZPUB01","HZPUB02","HZPUB03", _
- "SHPUB01","SHPUB02", _
- "NJPUB01","NJPUB02", _
- "FZPUB01","FZPUB02", _
- "XMPUB01","XMPUB02", _
- "SZPUB01")
- '------------------------------------------------------------------------------------------------------------
- Set WShell = CreateObject("wscript.shell")
- Set objNetwork = CreateObject("wscript.network")
- Set objFSO = CreateObject("scripting.FileSystemObject")
- strComputer = objNetwork.ComputerName
- VCsite = Left(strComputer,2)
- EnableUSB = 0
- EnableVNC = 0
- 'Copy ICA Lnk: copy the ICA shortcuts to the All Users desktop of the target computer
- objFSO.CopyFile "\\" & VCSite & "2k3dc01\Resources\Icon\***\LinkName1.lnk","C:\Documents and Settings\All Users\桌面\",True
- objFSO.CopyFile "\\" & VCSite & "2k3dc01\Resources\Icon\***\LinkName2.lnk","C:\Documents and Settings\All Users\桌面\",True
- objFSO.CopyFile "\\" & VCSite & "2k3dc01\Resources\Icon\***\LinkName3.lnk","C:\Documents and Settings\All Users\桌面\",True
- 'Disable Print Screen: change the PrnScr key mapping to disable the print-screen key
- Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
- strKeyPath = "SYSTEM\CurrentControlSet\Control\Keyboard Layout"
- strValueName = "Scancode Map"
- arrValues = Array(&h00,&h00,&h00,&h00,&h00,&h00,&h00,&h00,&h03,&h00,&h00,&h00,&h46,&h00,&h37,&he0,&h46,&h00,&h54,&h00,&h00,&h00,&h00,&h00)
- objReg.SetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,arrValues
- 'USB Security Policy: walk the arrEnUsbStorPClist array, check whether the current computer name is in the list, and write the corresponding registry values
- For lngIndex = 0 To UBound(arrEnUsbStorPClist)
- If arrEnUsbStorPClist(lngIndex) = strComputer Then
- EnableUSB = 1
- Exit For
- Else
- EnableUSB = 0
- End If
- Next
- If EnableUSB =1 Then
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect","1","REG_DWORD" 'Block writes
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","3","REG_DWORD" 'Enable USBStor
- Else
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect","1","REG_DWORD" 'Block writes
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","4","REG_DWORD" 'Disable USBStor
- End if
- 'VNC Security Policy
- For lngIndex = 0 To UBound(arrVNCNoQueryConPCList)
- If arrVNCNoQueryConPCList(lngIndex) = strComputer Then
- EnableVNC = 1
- Exit For
- Else
- EnableVNC = 0
- End If
- Next
- If EnableVNC =1 Then
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","0","REG_DWORD" 'Disable the VNC connection prompt
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","0","REG_DWORD"
- Else
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","1","REG_DWORD" 'Enable the VNC connection prompt
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","1","REG_DWORD"
- End If
- 'Enable Remote Desktop: turn on RDP
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections","0","REG_DWORD"
- 'Reset Terminal Services Licensing: works around the Terminal Services license expiring after 90 days
- WShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\"
- 'Disable Firewall Services: disable the built-in Windows Firewall service
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start","4","REG_DWORD"
- 'The end
- '***********************************************************************
- ' Script : Default Users Policy
- ' Creation Date : 2010-07-22
- ' Version : 2.1
- '***********************************************************************
- 'Define the list of computers exempt from the UsbStor security policy
- On Error Resume Next
- Const HKEY_LOCAL_MACHINE = &H80000002
- arrEnUsbStorPClist = Array("HZPC01","HZPC02","HZPC03", _
- "SHPC01","SHPC02", _
- "NJPC01","NJPC02", _
- "FZPC01","FZPC02", _
- "XMPC01","XMPC02", _
- "SZPC01")
- 'Define the list of computers exempt from the VNC security policy
- arrVNCNoQueryConPClist = Array("HZPUB01","HZPUB02","HZPUB03", _
- "SHPUB01","SHPUB02", _
- "NJPUB01","NJPUB02", _
- "FZPUB01","FZPUB02", _
- "XMPUB01","XMPUB02", _
- "SZPUB01")
- '------------------------------------------------------------------------------------------------------------
- Set WShell = CreateObject("wscript.shell")
- Set objNetwork = CreateObject("wscript.network")
- Set objFSO = CreateObject("scripting.FileSystemObject")
- strComputer = objNetwork.ComputerName
- VCsite = Left(strComputer,2)
- EnableUSB = 0
- EnableVNC = 0
- 'Copy ICA Lnk: copy the ICA shortcuts to the All Users desktop of the target computer
- objFSO.CopyFile "\\" & VCSite & "2k3dc01\Resources\Icon\***\LinkName1.lnk","C:\Documents and Settings\All Users\桌面\",True
- objFSO.CopyFile "\\" & VCSite & "2k3dc01\Resources\Icon\***\LinkName2.lnk","C:\Documents and Settings\All Users\桌面\",True
- objFSO.CopyFile "\\" & VCSite & "2k3dc01\Resources\Icon\***\LinkName4.lnk","C:\Documents and Settings\All Users\桌面\",True
- 'Enable Print Screen: delete the Scancode Map value to re-enable the PrnScr key (takes effect only after logging on again or rebooting)
- WShell.RegDelete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map"
- 'USB Security Policy: walk the arrEnUsbStorPClist array, check whether the current computer name is in the list, and write the corresponding registry values
- For lngIndex = 0 To UBound(arrEnUsbStorPClist)
- If arrEnUsbStorPClist(lngIndex) = strComputer Then
- EnableUSB = 1
- Exit For
- Else
- EnableUSB = 0
- End If
- Next
- If EnableUSB =1 Then
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect","1","REG_DWORD" 'Block writes
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","3","REG_DWORD" 'Enable USBStor
- Else
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect","1","REG_DWORD" 'Block writes
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start","4","REG_DWORD" 'Disable USBStor
- End if
- 'VNC Security Policy
- For lngIndex = 0 To UBound(arrVNCNoQueryConPCList)
- If arrVNCNoQueryConPCList(lngIndex) = strComputer Then
- EnableVNC = 1
- Exit For
- Else
- EnableVNC = 0
- End If
- Next
- If EnableVNC =1 Then
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","0","REG_DWORD" 'Disable the VNC connection prompt
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","0","REG_DWORD"
- Else
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryConnect","1","REG_DWORD" 'Enable the VNC connection prompt
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\QueryOnlyIfLoggedOn","1","REG_DWORD"
- End If
- 'Enable Remote Desktop: turn on RDP
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections","0","REG_DWORD"
- 'Reset Terminal Services Licensing: works around the Terminal Services license expiring after 90 days
- WShell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\"
- 'Disable Firewall Services: disable the built-in Windows Firewall service
- WShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start","4","REG_DWORD"
- 'The end
From these two scripts you can learn how to use VBScript to work with the registry through WMI.
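The `Scancode Map` value that Special_Admin_Program.vbs writes is a small binary table, and decoding it shows exactly which keys the policy remaps, which helps when auditing what a machine has been given. The Python decoder below is an added example, not part of the original scripts; the function names and the short key-name table are assumptions made for illustration.

```python
import struct

# Byte values copied from arrValues in Special_Admin_Program.vbs above.
SPECIAL_SCANCODE_MAP = bytes([
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0x46, 0x00, 0x37, 0xE0,
    0x46, 0x00, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00,
])

# Names for the scancodes this page uses (not a full keyboard table).
KEY_NAMES = {
    0xE037: "PrintScreen",
    0x0054: "Alt+PrintScreen (SysRq)",
    0x0046: "ScrollLock",
    0x0000: "disabled",
}


def parse_scancode_map(blob):
    """Return [(source, target), ...] from a Scancode Map REG_BINARY value."""
    if len(blob) < 16:
        raise ValueError("too short for header, count and terminator")
    # Layout: DWORD version, DWORD flags, DWORD entry count (terminator included).
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError("unexpected header")
    if count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError("entry count does not match length")
    entries = [struct.unpack_from("<HH", blob, 12 + 4 * i) for i in range(count)]
    if entries[-1] != (0, 0):
        raise ValueError("missing null terminator")
    # Each entry stores the target scancode first, then the source scancode.
    return [(src, dst) for dst, src in entries[:-1]]


def describe(blob):
    """Render each mapping as 'source key -> target key'."""
    def name(code):
        return KEY_NAMES.get(code, "0x%04X" % code)
    return ["%s -> %s" % (name(s), name(d)) for s, d in parse_scancode_map(blob)]


if __name__ == "__main__":
    for line in describe(SPECIAL_SCANCODE_MAP):
        print(line)
```
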