Incorporating Connection Manager with logon security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

On computers running Windows 2000, Windows XP, or a member of the Windows Server 2003 family, a user can choose to log on to Windows using a Connection Manager profile.

Logging on using a Connection Manager profile

A user can log on using a dial-up connection (including a Connection Manager connection) only if the computer is a member of a domain. If the computer is not a member of a domain, the Log on using dial-up connection check box does not appear.

In the Log On to Windows dialog box, the user can select the Log on using dial-up connection check box. After clicking OK, the user is prompted to choose a network connection.

After the user chooses a connection, the Connection Manager logon screen appears. Connection Manager starts the connection process when the user clicks Connect.

Administrative issues when using Connection Manager profiles to log on

If you intend to build and distribute a service profile that will be regularly used to log on, you might want to consider the following:

  • By default, Connection Manager uses the credentials the user types at the Windows logon screen. If you want Connection Manager to ignore those credentials, add the key UseWinLogonCredentials=0 to the [Connection Manager] section of the .cms file for your service profile.

  • Users who select the Log on using dial-up connection check box gain access to Windows through an account designed for this method of logging on. Any customized settings for Connection Manager are applied to the Log on to Windows account, rather than to the account of the user who logged on. The user can customize the Log on to Windows account in the same ways as any other account (for example, save settings for phone numbers). However, permissions granted to specific users, such as access to Help, are not granted to users logging on to Windows, even after the connection completes.

For security reasons, the following functionality is not available when a user logs on to Windows using a dial-up connection:

  • If the .cms file for the profile contains the ResetPassword key, any value for that key is ignored.

  • Custom buttons do not appear or function.

  • The View Log button is disabled.

  • The Advanced tab does not appear in the properties dialog box for the service profile.

  • Keys in the .cmp file that provide user credentials for first-time use (such as UserName) are not available. Internet connection credential keys such as InternetUserName are available.

  • Macromedia animation does not display. If you are building a profile that uses Macromedia animation, you should include a default bitmap to display in this circumstance.

  • Custom actions do not run unless those actions have been enabled by editing the registry. Even after custom actions have been enabled, a custom action does not automatically open its file through the program registered for that file type (the shell extension); you must specify both the program to run and the full path to the file.

  • Connection Manager Help (including context-sensitive help) is disabled during the connection process.

  • If a system component is missing when the user attempts to log on using a dial-up connection, the connection attempt fails. The user will not be able to install the system component until he or she logs on.

Enabling custom actions that run when a user logs on by using a dial-up connection

For a custom action to run during the logon process, you must enable that action by specifying a value for the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Connection Manager\ProfileName\WinLogon Actions

The format for the value of the registry key is:

Field   Description
Name    The name of the executable file that will run.
Type    REG_DWORD
Data    A value indicating the location of the executable.

Supported values for the Data field are:

Value            Location of executable
0x00000000 (0)   %windir%\system32
0x00000001 (1)   Profile directory

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

The following example enables automatic phone book downloads at connection time. If you set the value of:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Connection Manager\Profile Name\WinLogon Actions

as:

cmdl32.exe REG_DWORD 0x00000000(0)

then you must also include:

[Xnstall.AddReg.AllUsers] "HKLM", "%AppAct%\%ServiceName%\WinLogon Actions","cmdl32.exe",0x00010001,0

in the .inf file of the profile.

Important

  • Modifying .inf files can cause significant installation problems. Thoroughly test all service profiles containing custom .inf entries for version, file, or other conflicts. Be sure that the file location is specified correctly.

  • If a custom action runs when users log on to Windows, the custom action runs with system permissions. You should ensure that any custom actions that you enable do not pose unintended security risks.

  • Any user can modify the .cms and .cmp files of a service profile that is installed on a computer running Windows 98 or Windows Millennium Edition. Users who install profiles for individual use on computers that are running Windows Server 2003, Windows XP, or Windows 2000 can modify .cms and .cmp files of the profiles they install. Only members of the Administrators or System Operators groups can modify .cms and .cmp files of profiles installed for All Users on computers that are running Windows Server 2003, Windows XP, or Windows 2000. All members of the Administrators group on a local computer can modify the .cms and .cmp files of any service profile that is installed on that computer.
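Because every WinLogon action runs with system permissions, an administrator will want to know which executables are registered under WinLogon Actions on a given computer, where they resolve to, and whether a non-administrative user could replace them. The following PowerShell script is an added audit example written for this article; it is not code from the article or from Connection Manager itself. It walks HKLM\SOFTWARE\Microsoft\Connection Manager, reads each profile's WinLogon Actions key, resolves the executable path from the Data field exactly as the table above describes (0 = %windir%\system32, 1 = profile directory), and checks the file's ACL. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the profile directory is not recorded in the registry key, so the -ProfileDir parameter and the Resolve-WinLogonActionPath, Test-WeakFileAcl and Get-WinLogonActionReport function names are assumptions made here.

```powershell
<#
  Added audit example, not part of the original article.
  Assumptions: Windows PowerShell 3.0+, run elevated; the profile directory
  is supplied by the caller because the WinLogon Actions key does not store it.
#>
param(
    # Folder holding the installed service profile (.cms/.cmp files); only
    # needed to resolve Data = 1 entries. Assumption: the caller knows this path.
    [string]$ProfileDir
)

$CmBase = 'HKLM:\SOFTWARE\Microsoft\Connection Manager'

function Resolve-WinLogonActionPath {
    # Maps the Data value to a full path, following the article's table.
    param([string]$Name, [int]$Data, [string]$ProfileDir)
    switch ($Data) {
        0 { return Join-Path (Join-Path $env:windir 'system32') $Name }
        1 { if ($ProfileDir) { return Join-Path $ProfileDir $Name }; return $null }
        default { return $null }   # not a documented location value
    }
}

function Test-WeakFileAcl {
    # $true if a principal other than SYSTEM, Administrators or TrustedInstaller
    # is allowed to rewrite, delete or re-permission the file. Since the action
    # runs with system permissions, such a file is a privilege boundary.
    # Parent-directory ACLs are not examined here (a known limitation).
    param([string]$Path)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $R = [System.Security.AccessControl.FileSystemRights]
    $dangerous = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)
    try { $acl = Get-Acl -Path $Path } catch { return $null }   # e.g. access denied
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]($ace.FileSystemRights) -band $dangerous) -ne 0) { return $true }
    }
    return $false
}

function Get-WinLogonActionReport {
    # One row per registered action: profile, value name, type, data,
    # resolved path, whether the file exists, and the ACL check result.
    param([string]$ProfileDir)
    $rows = @()
    foreach ($profileKey in (Get-ChildItem -Path $CmBase -ErrorAction SilentlyContinue)) {
        $actionsPath = Join-Path $CmBase "$($profileKey.PSChildName)\WinLogon Actions"
        if (-not (Test-Path -Path $actionsPath)) { continue }
        $actions = Get-Item -Path $actionsPath
        foreach ($name in $actions.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # skip the (Default) value
            $kind = $actions.GetValueKind($name)
            $data = $actions.GetValue($name)
            $path = $null
            if ($kind -eq 'DWord') {   # the article requires REG_DWORD
                $path = Resolve-WinLogonActionPath -Name $name -Data $data -ProfileDir $ProfileDir
            }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
            $weak = $null
            if ($exists) { $weak = Test-WeakFileAcl -Path $path }
            $rows += [pscustomobject]@{
                Profile = $profileKey.PSChildName
                Action  = $name
                Type    = $kind
                Data    = $data
                Path    = $path
                Exists  = $exists
                WeakAcl = $weak
            }
        }
    }
    return $rows
}

Get-WinLogonActionReport -ProfileDir $ProfileDir | Format-Table -AutoSize
```

Run from an elevated prompt with the profile's installation folder, for example `.\Audit-WinLogonActions.ps1 -ProfileDir 'C:\path\to\profile'` (the script name and path are placeholders). For the cmdl32.exe entry shown in the article, the row resolves to %windir%\system32\cmdl32.exe; a row whose Type is not DWord, whose file is missing (the connection attempt would fail, as noted above), or whose WeakAcl is True is what to follow up on.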