[prev in list] [next in list] [prev in thread] [next in thread]
List: pgina-general
Subject: Re: [pGina-general] Disabling Windows 7 built-in credential
From: Nate Yocom <nate () pgina ! org>
Date: 2011-06-30 23:55:21
Message-ID: BANLkTinZyB7MxWGRUJCQpomY6kb_PDtS1A () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
or use something like process monitor on the config ui to see what it does
exactly:
http://technet.microsoft.com/en-us/sysinternals/bb896645
On Thu, Jun 30, 2011 at 12:31 PM, Ivan Mustac <mustac@columbia.edu> wrote:
> Hi Matt,****
>
> ** **
>
> Changing the disableDefaultCP value is not enough to do it. When checking
> the box to "disable the built-in Credential Provider…", not only does the
> disableDefaultCP change to 1, but there is another registry change as well,
> which you need to include in your scripts:****
>
> ** **
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential
> Providers****
>
> ** **
>
> One of the subkeys needs to be set with a "disabled-" preceding the GUID.
> You can find out which one by checking the box in pGina config, log out and
> back in again then check this key.****
>
> ** **
>
> Ivan Mustac****
>
> Systems Engineer****
>
> Columbia University IT****
>
> ** **
>
> *From:* Matt Layher [mailto:mdlayher@gmail.com]
> *Sent:* Thursday, June 30, 2011 2:35 PM
> *To:* pgina-general@lists.sourceforge.net
> *Subject:* [pGina-general] Disabling Windows 7 built-in credential
> provider via command-line****
>
> ** **
>
> Hello everyone, my name is Matt, and I am working for a company which is
> currently using pGina 2.1.0 to deploy Windows 7 in an enterprise
> environment. Our image currently utilizes scripting which enables automatic
> naming and domain join via Ghost Console and various batch/powershell
> scripts, but this is only possible if the "Disable built-in Credential
> Provider" option is unchecked in pGina. After imaging, we would like to
> re-check this box automatically in order to disable the ability for users to
> click the "Switch Users" button, and to avoid confusion.
>
> The problem with this is that it appears that the option can only be
> modified by using ConfigApp.exe, as stated in the pGina documentation:****
>
> REG_DWORD ****
>
> disableDefaultCP ****
>
> Yes ****
>
> Disable the default credential provider (must be changed through config
> app) ****
>
>
> Is there any particular reason that this action cannot be scripted to run
> automatically, and without a technician having to touch each computer to
> enable this option? I have attempted to set the key to "1" (true) using a
> batch script, but as the documentation implies, this is simply not possible.
>
> If there are any workarounds available to fix this problem, information as
> to how to implement them would be much appreciated. Thank you very much for
> your time.
>
> Sincerely,
> Matt Layher****
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> pGina-General mailing list
> pGina-General@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/pgina-general
>
>
[Attachment #5 (text/html)]
or use something like process monitor on the config ui to see what it does \
exactly:<br><br><a href="http://technet.microsoft.com/en-us/sysinternals/bb896645">http://technet.microsoft.com/en-us/sysinternals/bb896645</a><br>
<br><div class="gmail_quote">On Thu, Jun 30, 2011 at 12:31 PM, Ivan Mustac <span \
dir="ltr"><<a href="mailto:mustac@columbia.edu">mustac@columbia.edu</a>></span> \
wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px \
#ccc solid;padding-left:1ex;"> <div bgcolor="white" link="blue" vlink="purple" \
lang="EN-US"><div><p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D">Hi Matt,<u></u><u></u></span></p><p \
class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><u></u> \
<u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D">Changing the disableDefaultCP value is not \
enough to do it. When checking the box to "disable the built-in Credential \
Provider…", not only does the disableDefaultCP change to 1, but there is another \
registry change as well, which you need to include in your \
scripts:<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p \
class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential \
Providers<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p \
class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">One of the subkeys \
needs to be set with a "disabled-" preceding the GUID. You can find out which one by \
checking the box in pGina config, log out and back in again then check this \
key.<u></u><u></u></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><p \
class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Ivan \
Mustac<u></u><u></u></span></p><p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D">Systems Engineer<u></u><u></u></span></p> <p \
class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Columbia University \
IT<u></u><u></u></span></p><p class="MsoNormal"><span \
style="font-size:11.0pt;color:#1F497D"><u></u> <u></u></span></p><div><div \
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"> <p \
class="MsoNormal"><b><span \
style="font-size:10.0pt;color:windowtext">From:</span></b><span \
style="font-size:10.0pt;color:windowtext"> Matt Layher [mailto:<a \
href="mailto:mdlayher@gmail.com" target="_blank">mdlayher@gmail.com</a>] <br> \
<b>Sent:</b> Thursday, June 30, 2011 2:35 PM<br><b>To:</b> <a \
href="mailto:pgina-general@lists.sourceforge.net" \
target="_blank">pgina-general@lists.sourceforge.net</a><br><b>Subject:</b> \
[pGina-general] Disabling Windows 7 built-in credential provider via \
command-line<u></u><u></u></span></p> </div></div><div><div></div><div class="h5"><p \
class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" \
style="margin-bottom:12.0pt">Hello everyone, my name is Matt, and I am working for a \
company which is currently using pGina 2.1.0 to deploy Windows 7 in an enterprise \
environment. Our image currently utilizes scripting which enables automatic naming \
and domain join via Ghost Console and various batch/powershell scripts, but this is \
only possible if the "Disable built-in Credential Provider" option is \
unchecked in pGina. After imaging, we would like to re-check this box automatically \
in order to disable the ability for users to click the "Switch Users" \
button, and to avoid confusion.<br> <br>The problem with this is that it appears that \
the option can only be modified by using ConfigApp.exe, as stated in the pGina \
documentation:<u></u><u></u></p><table border="0" cellpadding="0"><tbody><tr><td \
style="padding:.75pt .75pt .75pt .75pt"> <p class="MsoNormal">REG_DWORD \
<u></u><u></u></p></td><td style="padding:.75pt .75pt .75pt .75pt"><p \
class="MsoNormal">disableDefaultCP <u></u><u></u></p></td><td style="padding:.75pt \
.75pt .75pt .75pt"><p class="MsoNormal"> Yes <u></u><u></u></p></td><td \
style="padding:.75pt .75pt .75pt .75pt"><p class="MsoNormal">Disable the default \
credential provider (must be changed through config app) \
<u></u><u></u></p></td></tr></tbody></table><p class="MsoNormal"> <br>Is there any \
particular reason that this action cannot be scripted to run automatically, and \
without a technician having to touch each computer to enable this option? I have \
attempted to set the key to "1" (true) using a batch script, but as the \
documentation implies, this is simply not possible.<br> <br>If there are any \
workarounds available to fix this problem, information as to how to implement them \
would be much appreciated. Thank you very much for your \
time.<br><br>Sincerely,<br>Matt Layher<u></u><u></u></p></div> \
</div></div></div><br>------------------------------------------------------------------------------<br>
All of the data generated in your IT infrastructure is seriously valuable.<br>
Why? It contains a definitive record of application performance, security<br>
threats, fraudulent activity, and more. Splunk takes this data and makes<br>
sense of it. IT sense. And common sense.<br>
<a href="http://p.sf.net/sfu/splunk-d2d-c2" \
target="_blank">http://p.sf.net/sfu/splunk-d2d-c2</a><br>_______________________________________________<br>
pGina-General mailing list<br>
<a href="mailto:pGina-General@lists.sourceforge.net">pGina-General@lists.sourceforge.net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/pgina-general" \
target="_blank">https://lists.sourceforge.net/lists/listinfo/pgina-general</a><br> \
<br></blockquote></div><br>
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
pGina-General mailing list
pGina-General@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/pgina-general
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic