Limit logon based on windows patches


John Nash

Hi,

Is there a way to limit a user from logging onto a computer (in a domain)
that doesn’t meet a base minimum of patches installed? Example, if someone
didn’t have service pack 2 installed then no one could logon to the domain
until it is installed.

Thanks in advance!

John
 
If you are running a login script, and you are good at scripting in general,
you could look for certain registry keys or (programs on the hard drive)
which only exist on patched machines. If they don't exist, issue a message
to the user that the machine is not patched, and then logoff.

Vinson
 
I would suggest AutoIt

http://autoitscript.com

This has built-in variables representing Windows version and SP level.
(@OSVersion, @OSServicePack) For finer control you could enumerate the KB###
patch-folders under the Windows dir, or as suggested enumerate registry keys.

If the requirements aren't met, you issue a shutdown(0) command which logs
the user off.

Bear in mind the need to do an IsAdmin() check first, or you will create a
catch-22 in which no one can patch the computer! That, or allow a time delay
for patching.

KiXtart or VBScript are other alternatives, though these days I find AutoIt
more powerful and flexible.
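
The check described in the replies above, written out as an added example that is not part of the original posts: a logon script that reads @OSServicePack, lets administrators through so the machine can still be patched, and logs everyone else off with Shutdown(0). The names $MIN_SP, $WARN_SECONDS, _ServicePackLevel and _EnforcePatchLevel are assumptions made for illustration.

```autoit
; Added example: logon-script patch gate built on the AutoIt macros and
; functions named in the thread (@OSVersion, @OSServicePack, IsAdmin, Shutdown).
; $MIN_SP, $WARN_SECONDS and both function names are hypothetical.
#include <MsgBoxConstants.au3>

Global Const $MIN_SP = 2          ; minimum service pack level required
Global Const $WARN_SECONDS = 30   ; message box timeout, so the script never hangs

; Turn "Service Pack 2" into 2. Returns 0 when no service pack is installed
; (@OSServicePack is then an empty string) or the text has no number in it.
Func _ServicePackLevel($sServicePack)
    Local $aMatch = StringRegExp($sServicePack, "(\d+)", 1) ; 1 = array of matches
    If @error Then Return 0
    Return Number($aMatch[0])
EndFunc

; Returns True when the logon may continue, False when a logoff was issued.
Func _EnforcePatchLevel()
    Local $iLevel = _ServicePackLevel(@OSServicePack)
    If $iLevel >= $MIN_SP Then Return True

    Local $sState = @OSVersion & " at service pack level " & $iLevel & _
            " (required: " & $MIN_SP & ")."

    ; Administrators must still be able to log on to install the patch,
    ; otherwise nobody can bring the machine up to the baseline.
    ; With UAC enabled, IsAdmin() is only true for an elevated token.
    If IsAdmin() Then
        MsgBox($MB_ICONWARNING, "Patch level", $sState & @CRLF & _
                "Install the missing service pack before handing this machine back.", _
                $WARN_SECONDS)
        Return True
    EndIf

    MsgBox($MB_ICONERROR, "Patch level", $sState & @CRLF & _
            "This computer is not patched. You will now be logged off.", _
            $WARN_SECONDS)
    Shutdown(0) ; 0 = log off the current user
    Return False
EndFunc

_EnforcePatchLevel()
```

The script runs in the logon session of the user it is checking, so it works as a baseline reminder for cooperative users and should be paired with server-side patch reporting.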
 