Is there a way to enable/disable a Windows 7 User Account with a USB Pendrive?


Problem description

OK, here's my problem. (Sorry about the length of the question, but I want to give sufficient information so I don't get "noobie" answers!)

I'm writing some system management software to administer Win7 systems which my company has out on rental. The machines are all locked down with a "kiosk" style application launcher screen, which runs under reduced privileges in a Standard account.

For obvious reasons, we don't want the clients to ever get near an account with Administrator privileges!

In the past, when machines have needed software updates or minor maintenance, it has been a case of rotating them through the workshop, but, as we're now approaching 50 machines out on rental, that has become a major headache, hence the need for a system management application which can be accessed on-site by our staff.

The system management software (which I'm coding in VB.Net, by the way, but is probably not pertinent to the question, except that if I need to implement code to do this VB.Net code would be preferable, as I don't have a clue in C# or C++!), by its very nature, requires to run in an environment with full Admin rights. I tried setting Admin permissions for it in a Standard Account, but unfortunately that hasn't worked, due to the software's requirement to get and set system settings and policies in protected areas of the registry. I don't want to leave a visible Admin account on the Windows Logon screen, and the old trick of using Alt/Ctrl/Del to get at hidden accounts is a) a bit too well-known and b) doesn't always work reliably in Win7.

My idea is to put some form of security key onto pendrives which I can issue to authorised staff. If the machine is booted with one of these drives plugged into a USB port, then the machine will automatically log in to a "hidden" administrator account, where the admin software will then present its own login screen, with each member of staff's login and password determining their level of access to the management software. (Some staff only need access to the backup and update features, whilst more senior ones need full system access. I've even built in a special access level for the company owner, who is completely computer-illiterate, but likes to feel he can "fix stuff"!)

Question:

1) Is it possible to hide a windows admin account so it can only be accessed with a USB key?

2) How? ;-)

Thanks.

Recommended answer

1+2A) Every account that is not granted the interactive logon will be hidden from the logon screen.
1+2B) There is a registry setting you can also use: http://www.mydigitallife.info/how-to-create-hidden-user-account-hide-user-account-from-welcome-screen-in-windows/

0) You can use any user account to start an administrative process. You need only to change the thread impersonation, and probably also elevate the process.
This is a C# sample about impersonation, but it will not be hard to transcribe it to VB.NET: User Impersonation in .NET.
Here you can find a sample of how to self-elevate a process: http://support.microsoft.com/kb/981778. You will also find several samples on Google of how to start an elevated process from managed code.

0+) I would create a service (like WUA) that runs on those PCs. When a pendrive is inserted, it would search for a special, signed archive. If the signature matches the installed certificate, it would unpack it in a special folder, check every executable's hash based on a separately signed metafile, and start them as needed. As a service it can run as system, and would have all necessary privileges to make updates in the background, without the need for any interaction from the technician.

+ You can also interact with WUA/WUS if needed.

++ You can even install the SCCM client and use Microsoft's standard system management tools on the client side without an SCCM server. It is a little bit complicated, but not impossible.

[Update]
One addition: you can even change the built-in administrator account name: http://support.microsoft.com/kb/816109. This way the account itself will exist, with the default SID, but with a random name if you wish. Thus a hacker trying to guess the Administrator password will have to guess its name also.
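
An added sketch of the check described in item 0+) above, in VB.NET since that is what the question asks for; it is not code from the answer's author. The file names `manifest.txt` and `manifest.sig`, the manifest line format and the function names are assumptions, and a service would take the key from its installed certificate (for example with `X509Certificate2.GetRSAPublicKey()`) instead of generating one as the demo does.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module SignedDriveCheck
    Function Sha256Hex(filePath As String) As String
        Using sha As SHA256 = SHA256.Create(), fs As FileStream = File.OpenRead(filePath)
            Return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "")
        End Using
    End Function

    ' Returns the files listed in a manifest whose signature and hashes all verify; throws otherwise.
    ' Assumed layout: manifest.txt holds "<sha256 hex> <relative path>" lines, manifest.sig signs it.
    Function VerifyDrive(root As String, trustedKey As RSA) As List(Of String)
        Dim manifest As Byte() = File.ReadAllBytes(Path.Combine(root, "manifest.txt"))
        Dim sig As Byte() = File.ReadAllBytes(Path.Combine(root, "manifest.sig"))
        If Not trustedKey.VerifyData(manifest, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1) Then Throw New CryptographicException("manifest signature invalid")
        Dim rootFull As String = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) & Path.DirectorySeparatorChar
        Dim verified As New List(Of String)
        For Each line As String In Encoding.UTF8.GetString(manifest).Split(New Char() {ControlChars.Cr, ControlChars.Lf}, StringSplitOptions.RemoveEmptyEntries)
            Dim parts As String() = line.Split(New Char() {" "c}, 2)
            Dim full As String = Path.GetFullPath(Path.Combine(root, parts(1)))
            ' Reject absolute paths and "..\" entries that would point outside the drive.
            If Not full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) Then Throw New InvalidDataException("path escapes drive: " & parts(1))
            If Not Sha256Hex(full).Equals(parts(0), StringComparison.OrdinalIgnoreCase) Then Throw New InvalidDataException("hash mismatch: " & parts(1))
            verified.Add(full)
        Next
        Return verified
    End Function

    Sub Main()
        ' Constructed demo: a temp folder stands in for the pen drive, a fresh key for the installed certificate.
        Dim root As String = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "pendrive-demo")).FullName
        Dim payload As String = Path.Combine(root, "update.cmd")
        File.WriteAllText(payload, "echo update")
        File.WriteAllText(Path.Combine(root, "manifest.txt"), Sha256Hex(payload) & " update.cmd")
        Using key As RSA = RSA.Create()
            File.WriteAllBytes(Path.Combine(root, "manifest.sig"), key.SignData(File.ReadAllBytes(Path.Combine(root, "manifest.txt")), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            Console.WriteLine("verified files: " & VerifyDrive(root, key).Count)
            File.AppendAllText(payload, " tampered")
            Try
                VerifyDrive(root, key)
            Catch ex As InvalidDataException
                Console.WriteLine("rejected: " & ex.Message)
            End Try
        End Using
    End Sub
End Module
```

Only the public half of the key needs to be on the kiosk; the signing key stays with whoever builds the update drives, so copying a drive's contents does not let anyone alter what the service will run.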


I'd like to thank everyone who gave their time and thought to this, especially ledtech3, who probably now has less hair than when we started, thanks to trying to sort out the API calls on MSDN!

I have now worked out a solution. It wasn't the one I'd originally intended, but in many ways it does the job better than my original solution.

I used the sample code from http://code.msdn.microsoft.com/windowsdesktop/VBWin7TriggerStartService-dcd0e7cf to build a service which raises the user account to the Administrators group on boot-up if it detects a correctly formatted pen-drive on the USB bus, and "re-locks" the machine on next boot-up if the pendrive has been removed.

I then placed all the admin and management buttons directly onto the "secure kiosk" desktop, and injected code which hides and disables them if it detects that the user is not in the Administrators Group. I'm also working on a neat little trick to switch the "Parental Controls" on and off in the same way, and I'm going to publish some of the code for that in another thread.

I don't want to use the "I've solved this myself" button, because I didn't! Without the input from all of you, and from the MSDN website, I'd have had no chance. Maybe the Code Project people should think about putting a new button on here, something like "Problem solved with help from Code Project users"... ?

If anyone wants any further details on how I did it, or any code-snippets of the solution, please feel free to ask, and I'll happily e-mail them to you. Unfortunately, I can't post the entire code here, as it is part of a bigger commercial project with security implications.

Thanks once again!

Ian


Is the screen that is normally shown just a locked down desktop, or is it a screen like you would see on a point of sale system?
When I think Kiosk I'm thinking of those free standing devices in a mall somewhere where there is a special screen that shows and interacts with people.

You could set up a Logon script but I have never had a need to work with those.
Also you may have to reboot the system every time for it to work.

The way my program works is it just writes the values to the registry as the article mentioned above shows. This one:
http://www.mydigitallife.info/how-to-create-hidden-user-account-hide-user-account-from-welcome-screen-in-windows/
Once the computers are prepared for the new account and you want to "Un Hide" them, then just change the registry setting for that account. It has been a while since I worked with it, I'm thinking the system has to be rebooted for the setting to take effect.
If you would like the source code for my App you can Email me at pcsxcetra@consolidated.net
It is still a work in progress but does do what you need done.

