Applies To:
  • CitectSCADA

Summary:
Further to Knowledge Base articles Q1898 and Q2402, use of the Policy Editor and starting Citect as a shell can now be combined. 

Solution:
Poledit.exe and winnt.adm are available without the NT Resource Kit. The Policy Editor now allows a policy to be defined with a Custom Shell, so different login IDs can start up with different shells.

The same warnings given in Q1898 about allowing access to other programs from Citect apply. However, as a last resort, a reset will allow login as a user that starts up in Windows and not Citect.

Procedure

  1. Copy poledit.exe from the \sp3\i386 directory to the \winnt directory.

  2. Copy winnt.adm from the \sp3\i386 directory to the \winnt\inf directory.

  3. Right-click on the \winnt\system32\repl\import\scripts directory and select the "Shared As" radio button. Change the share name to "Netlogon" (without the quotes). Select the Permissions button, change the access of "Everyone" from "Full Control" to "Read", and add the Administrators group with an access of "Full Control".

  4. From the User Manager, create a user that will be a member of the user group, i.e., operator.

  5. Run the Policy Editor. Select "Policy Template" from the "Options" menu and "Add" template c:\winnt\inf\winnt.adm.

  6. Create a new policy. From the Edit Menu add a new user and browse to select the user created in step 4 above (operator).

  7. Double click on the "Operator" icon to open up its properties.

  8. Open the "Windows NT Shell" branch and then the "Custom user interface" sub-branch to show "Custom shell".

  9. Check the "Custom shell" box and enter "c:\citect\bin\citect32.exe" as the Shell name under "Settings for Custom shell".

  10. Save the policy file as NTConfig.pol to the \winnt\system32\repl\import\scripts directory.

  11. If a new user was added, log out as administrator and log in as the new user so that NT can create the profile directory for the new user. Log in again as an administrator to continue.

  12. To prevent the operator from accessing the Task Manager via Ctrl-Alt-Delete, run the policy editor and open the NTConfig.pol file.

  13. Double-click on the "Operator" icon to open up its properties. The option to disable Task Manager is available under "Windows NT System".

  14. Log in again as operator and you will automatically start up in Citect Runtime. No Windows key combinations except Ctrl-Alt-Delete are available, and Task Manager is disabled.

Bypassing the Windows NT logon screen

While logged in as administrator, run the Registry Editor regedt32.exe.

Automatic logon can be set in the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Setting the AutoAdminLogon key to 1 will automatically log on the user shown in key DefaultUserName, using the password shown in key DefaultPassword. (NB: AutoAdminLogon will automatically be reset to 0 if there is no user password.)

WARNING: Ordinary users do not normally have access to edit these keys. If auto-logon is set and the DefaultUserName is changed to a normal user (e.g. "operator" in the shell example above) then no other login will be accessible.

To avoid this, while logged in as administrator, run regedt32.exe:

  1. Go to the ...\Winlogon keys as above.

  2. Highlight "Winlogon" and select "Permissions" from the "Security" menu.

  3. Double click on "Users" and check the "Set Value" box.

  4. Select "OK". "Users" should now be shown with "Special Access".

Test the security permissions change by re-logging in as an ordinary user, running regedt32.exe and setting the AutoAdminLogon key to 0. If no warning message is shown then the permission is granted.
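
An added example (not part of the original article or of the Citect software): a Python check that reads a text export of the Winlogon key and reports the auto-logon state described above. The REGEDIT4 export format, the sample data (constructed, not from a real machine) and the function names are assumptions of this example.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export for illustration only.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="operator"
"DefaultPassword"="constructed-example"
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # Undo the export's backslash escaping (\\ and \").
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def audit_autologon(text, expected_user="operator"):
    """Return a list of findings about the auto-logon configuration."""
    values = parse_reg(text).get(WINLOGON.lower())
    if values is None:
        return ["Winlogon key not present in export"]
    if values.get("autoadminlogon", "0") != "1":
        return ["auto-logon disabled"]
    findings = ["auto-logon enabled"]
    user = values.get("defaultusername", "")
    if user.lower() != expected_user.lower():
        findings.append(f"auto-logon account is {user!r}, expected {expected_user!r}")
    if values.get("defaultpassword"):
        findings.append("DefaultPassword is stored in the registry as readable text")
    else:
        findings.append("no DefaultPassword; AutoAdminLogon will be reset to 0")
    return findings

if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_EXPORT):
        print(finding)
```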

 
