MyLogon: The Configuration File
The MyLogon.ini file allows for a much greater range of adjustment of MyLogon's behaviour than does the GUI configurator.
Most settings in this file are used directly, and take immediate
effect. There are a few settings which pertain to registry-keys, and
these are not loaded automatically unless the AutoUpdateRegistry flag is set (see below).
The MyLogon.ini file is located in the {Windows}\MyLogon folder.
Direct editing of the settings should be performed with a
text-editor. Notepad is fine. Please be aware, though, that
Microsoft Word is NOT a text-editor, it is a wordprocessor. Use of a
wordprocessor is likely to trash the file.
All Boolean values must be either one or zero; T/F or Y/N are not accepted.
Here we'll run through the main options in MyLogon.ini:
The [Global] section contains all of the general settings for the
program itself. Any section other than [Global] is assumed to be an
entry for a specific network. In principle the main settings are
normally found in [Global]; however, all settings are applicable to all
sections, and any settings placed in a network section will override
those in the [Global] section.
Lines beginning with ; are comments. Other lines are settings.
[Global]
; User Items
; These settings are dynamic, changing whenever Save in the MyLogon GUI is pressed.
Username=fred
; Self-explanatory
LogonNetwork=Site Network
; Refers to the name of the network-section at end of file.
vpn=Direct Connection
; "Direct Connection" or blank means don't dial anything before logging-on.
; Otherwise, MyLogon will attempt to make a VPN (remote access) connection to the server
; using the specified connectoid (which must exist in the Networks
; Control Panel of the computer) before attempting a logon.
InterfaceStyle=FullFeatured ; (Standard | Minimalist)
; Show all the widgets on the logon screen. Or some. Or only the
; password dialog. This option is user-selectable from the MyLogon menu.
; User-Interface Items:
ShowProgress = 1
; A progress dialog is shown while the logon is taking place, pausing
; briefly to display the results of each stage. Setting ShowProgress to
; zero will in fact still show the dialog, but without the pauses,
; allowing the logon process to run much faster.
Debug = 0
; Provide tooltips, with more detailed information at each stage of the
; logon. Note that this option slows the process considerably, so should
; only be set on if there is a need for it.
PurgeConnections = 1
; Clear any existing connections before commencing (Recommended: 1).
; WinXP 'remembers' previous drive-mappings even when
; not appropriate, and these can interfere with the establishment of
; connections to the selected network. This option makes sure any
; historical shares from previous sessions are removed.
ShareCleanup = 1
; Remove any defunct drive-letters from user's desktop after logon completes (ones for which the user has no access-rights)
AutoUpdateRegistry=0
; Set this to 1, and any changes to the shell-integration or registry
; settings will be auto-updated the next time MyLogon runs. (The user
; will be asked for confirmation first.) This is very handy for rollouts,
; as it allows a modified .ini file to be "self-installed" by simply
; copying it to the computer(s). The AutoUpdateRegistry value self-resets
; to zero on success, preventing unwanted repeats.
; Remote-access settings:
; If you need to dial-in for remote-access with nonstandard credentials, enter them here.
; Otherwise your normal user/pass will be used for VPN as well as logon.
vpnUsername=
vpnPassword=
; Windows Startup-Integration:
SecureMode = 1
;Determines whether MyLogon should demand a password at Windows startup.
SelfRepair = 1
;Check for, and repair, registry-damage to MyLogon done by some anti-spyware programs.
;(If MyLogon won't run at startup, run it manually and it should offer to repair the damage)
; Passwords
AcceptLastUsed = 1
; Allow the last network-password to be used for standalone access. Note that this does
; have a small security-issue as the password-hash must be stored locally
; if you select this option. It is no less secure than some Microsoft
; arrangements, however.
AllowNullPassword = 0
; Zero-length passwords allowed.. or not.
; Your call. I wouldn't ;-)
StandaloneOverrides=0
; Setting to 1 emulates Version 1 behaviour, where typing a standalone
; password always results in a local logon regardless of which button is
; pressed. 0 (zero) sets Version 2 behaviour: attempt a logon,
; then offer to enter standalone mode only if the logon fails.
Standalone =45943874398789347984
AdminOverride=3476414767433230121139251477
;These are hashes of the local-access passwords. The Standalone one is
;configurable via the GUI. You need the administrator's hash-generator
;tool to create new ones outside of the GUI.
; Registry Items for Shell Integration Mode
; These are the items in the "Advanced > Security" GUI dialog.
; Advised Changes
RestrictTaskMan =1
;Don't allow user to run Task Manager until after logon. (because it allows the starting of programs)
HideUserCPL =1
; Stop itchy fingers from changing the profile settings in Control Panel.
NoWelcomeScreen =1
; If user logs-off, they are taken back to MyLogon instead of being invited to change local-user.
AdminShareCheck =1
;Removes the 'Administrative shares' (C$, D$ etc.), which are seldom used
;but which under some circumstances are a serious security risk.
NoXPSharedFolders =1
;XP has 'shared folders' which actually refer to sharing between (part-time) users of the
;same machine. To network users their presence is generally a cause of confusion, so best remove them.
WarnOfPasswordExpiry =1
;By default, XP Pro and W2000 force the user to change the local
;password every 42 days. A coding oversight means that the forced change
;occurs even if the user has no permissions to set passwords, locking
;the user out. This option gives earlier warning of a lurking 'password
;timebomb' on the machine.
; Optional Changes, which depend on personal preference:
NoScreenSaverLock =1
;If screensaver-lock is used, it will be locked with the local profile password, not the network one.
;Fine if the user understands this, but if not, best prevent it happening or they will lock themselves out.
NoWindowsKey =1
;Prevent the Windows key shortcuts from
;working. Some of these have unexpected results, and with inexperienced
;users are best turned-off as they're easily 'caught' while typing.
;Note: You can still press Win to see the Start Menu with this set.
NoCDAutoRun =1
;Probably the single most sworn-at XP feature. Put a CD into an XP
;machine, and even if it's a CD-R you created yourself to hold your own
;text-files, it still will cause infuriating pop-ups to appear. Setting
;this to 1 will nail the popups.
;Kiosk Mode (Launch a single application only, in response to a special password)
; These settings are controlled by the Advanced GUI section, or can be set manually.
kioskkey =tyeuy5565jkhtr3
; The hash of the password you must type to enter Kiosk Mode.
kioskapp =notepad.exe
; The program to run. Use quotes "" if there are spaces in the pathname.
kioskcloseaction =Shutdown
; What to do when that program closes (Shutdown/Logoff/Reload)
KioskScreenMode=Fullscreen
;A very few apps object to being run fullscreen, in which case change this to "Windowed"
;(added v2.1, and only available by manual .ini file editing.)
kiosknetmode =Standalone
; Do we logon to the server, or not? ("Connected" for logon to server)
kioskuser =
; The username to logon with, IF this is distinct from the kiosk keyword. Otherwise blank.
;( 'kiosk' is assumed as the username if the entry is blank. This user should exist
; on the server, but should have only a limited set of privileges,
; basically the minimum needed to run the kiosk app. )
; ------ End of Global section -------------
; The following sections are network-specific. The first one is
; the network configured by the GUI (which only permits config of a
; single network, for simplicity). In fact you can have as many networks
; as you like, so long as you hand-edit them.
[Site Network]
NetworkComment =
; Descriptive comment, appears in tooltip on GUI.
LogonServer = server
; Enter the server-name without any backslashes.
LogonDomain =
; Normally blank for single-server sites. Needed
; on multi-server sites with trust relationships.
LogonShare = netlogon
; Above is the universally-standard value, and no real reason to change it.
LogonScript = logon.bat
; See section on scripts for more information. With no specific path
; stated, this one will be in the netlogon share. Tip: To run a script
; from the MyLogon folder of the local machine instead of from the
; server, prefix it with 'local:' - for example, 'local:logon.bat' will
; run 'C:\Windows\MyLogon\logon.bat' after a successful logon.
; Add extra network sections if you wish to access more than one system. For example:
[Other Network]
LogonServer =servertwo
LogonDomain =
LogonShare =netlogon
LogonScript =logon.bat
; As mentioned, only the default network can be configured in the GUI, but all can be selected.
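A pre-rollout check for a hand-edited file, as an added example (not part of MyLogon or its tools): it rejects Boolean values other than 0 or 1, resolves the effective settings for the selected network with the section-over-[Global] override described above, and reports the password and "Advised Changes" settings the page comments on. The sample file is constructed, and the function names are assumptions.

```python
import configparser

# Constructed sample in MyLogon.ini layout (not taken from a real deployment).
SAMPLE_INI = """\
[Global]
LogonNetwork=Site Network
AllowNullPassword = Y
AcceptLastUsed = 1
RestrictTaskMan = 1
AdminShareCheck = 0 ; inline comment, as on the InterfaceStyle line

[Site Network]
LogonServer = server
AllowNullPassword = 1
"""

# Keys from the page's "Advised Changes" list (configparser lowercases key names).
ADVISED = ("restricttaskman", "hideusercpl", "nowelcomescreen",
           "adminsharecheck", "noxpsharedfolders", "warnofpasswordexpiry")
BOOLEANS = ADVISED + ("allownullpassword", "acceptlastused", "securemode")

def effective(cfg, network):
    """[Global] values, with keys set in the network section taking precedence."""
    merged = dict(cfg["Global"])
    merged.update(cfg[network])
    return merged

def audit(ini_text):
    """Return a list of findings for the network named by LogonNetwork."""
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cfg.read_string(ini_text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg[section].items():
            if key in BOOLEANS and value not in ("0", "1"):
                findings.append(f"[{section}] {key}={value}: Boolean must be 0 or 1")
    settings = effective(cfg, cfg["Global"]["LogonNetwork"])
    if settings.get("allownullpassword") == "1":
        findings.append("allownullpassword=1: zero-length passwords accepted")
    if settings.get("acceptlastused") == "1":
        findings.append("acceptlastused=1: password hash is stored locally")
    findings += [f"{k}=0: advised change is switched off"
                 for k in ADVISED if settings.get(k) == "0"]
    return findings
```

Only keys explicitly set to 0 are reported as switched off, because the page does not state what MyLogon assumes for a missing key.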
Pattern-Matching
A new feature of v2 is the ability to detect, and alert the user,
when a username is entered which does not comply with network
policies. The development of this add-on was based on the
observation that a high proportion of techsupport-calls from new
users stem from exactly this kind of mistake. At least this feature
makes techsupport easier as the user is then able to report that the
computer is rejecting the username. This often saves a merry
chase-round testing cables, etc. and a half-dozen needless
password-resets before the real cause of the problem is noticed!
Since a pattern-mismatch only informs that the username is probably
wrong, but not how to correct the mistake, the impact of
pattern-matching on security is small.
The pattern-matching rules can be either in [global] or in a specific
network section. Those in a network section over-ride the global
ones if that network is selected.
Example settings might be:
; A name cannot contain spaces
uminspaces = 0
umaxspaces = 0
; A name must contain either no dot, or one dot
umindots = 0
umaxdots = 1
; A name must not contain an @ sign
uminats = 0
umaxats = 0
; A name must not contain more than two underscores
uminunderscores = 0
umaxunderscores = 2
; We don't care how many hyphens a name has
uminhyphens = 0
umaxhyphens = 99
; Names must be lowercase
umincaps = 0
umaxcaps = 0
; Length must be a minimum of 6, max of 20 characters
uminlength = 6
umaxlength = 20
;Not all of these rules need apply to any given network.
;Either comment-out the unneeded ones, or set them to a min of zero and max of 99.
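The rules above, applied to candidate usernames, as an added example (not MyLogon's own code) for testing a rule set before rollout. The counting semantics, the treatment of an absent rule as 0 to 99, and the names check_username and COUNTERS are assumptions; the rule values are constructed from the page's example, with [Site Network] overriding one global rule.

```python
import configparser

# Constructed rules using the page's key names.
RULES_INI = """\
[Global]
uminspaces = 0
umaxspaces = 0
umindots = 0
umaxdots = 1
uminats = 0
umaxats = 0
umincaps = 0
umaxcaps = 0
uminlength = 6
umaxlength = 20

[Site Network]
; this network requires the first.last form
umindots = 1
"""

# Rule suffix -> how that feature is counted in a username (assumed semantics).
COUNTERS = {
    "spaces": lambda u: u.count(" "),
    "dots": lambda u: u.count("."),
    "ats": lambda u: u.count("@"),
    "underscores": lambda u: u.count("_"),
    "hyphens": lambda u: u.count("-"),
    "caps": lambda u: sum(c.isupper() for c in u),
    "length": len,
}

def check_username(username, ini_text, network):
    """Return the names of the rules the username violates (empty = compliant)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    rules = dict(cfg["Global"])
    rules.update(cfg[network])      # network-section rules override the global ones
    failed = []
    for name, count in COUNTERS.items():
        lo = int(rules.get("umin" + name, 0))    # absent rule: min 0 (assumption)
        hi = int(rules.get("umax" + name, 99))   # absent rule: max 99 (assumption)
        if not lo <= count(username) <= hi:
            failed.append(name)
    return failed
```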