Getting 98 to require a login password

[noabody]

As a point of interest I've always been curious about whether it's possible to get Windows 98 to require a login password. Sure it asks for one as part of "Windows logon" or "Microsoft Family logon" but that's easily bypassed with a blank password or by hitting escape. "Client for Microsoft Networks", when used in a domain, would probably work. I wanted to get it working on a standalone computer. This is what I figured out when messing with multi-user and computer policies in 98 SE.

First go to the control panel and run the "Users" icon. Set up a username, password and which items to personalize. After the process is complete the computer is rebooted and now "Microsoft Family logon" pops up a dialog asking us to login; as usual hitting the Escape key gets us right into the default account. To proceed we need to use the Windows 98 policy editor to fake windows into thinking a login is "required". Microsoft's instructions at http://support.microsoft.com/kb/q147381/ are the best you'll find and quoted here with my additions in curly brackets:

--Begin--

Windows 98

The Tools\Reskit\Netadmin\Poledit folder on the Windows 98 CD-ROM.

Use the Add/Remove Programs tool in Control Panel to install System Policy Editor. {Click the Windows Setup tab, then the Have Disk button and Browse to the directory noted above. Select either grouppol.inf or poledit.inf and OK twice. Check to install both Group Policies and the System Policy Editor.}

To configure a standalone Windows-based computer to use system policies, follow these steps:

1. Click the Start button, and then click Run.

2. In the Open box, type poledit, and then click OK.

3. In System Policy Editor, click Open Registry on the File menu.

4. Double-click the Local Computer icon, then the {Windows 98} Network icon, and then double-click the Update icon.

5. Click the Remote Update check box, and then click Manual in the Update Mode box. In the Path box, type the path and file name for your system policy file. You can place this file in any folder on the hard disk. {To require a login password double-click the Logon icon. Click the Require Validation from network for Windows Access check box.} Click OK.

6. On the File menu, click Save. On the File menu, click New File.

7. {Create a new user with the same username you selected earlier.} Select the system policy settings you want to use {for that user}.

8. On the File menu, click Save As. Save the file with the name and path you used in step 5.

NOTE: If you try to save a file with an extension other than .pol, you receive the error message "An error occurred writing the registry. The file cannot be saved." Therefore, if you specified a file name with an extension other than .pol in step 5, save the file with a .pol extension in step 8, quit System Policy Editor, and then rename the file to match the file name you specified in step 5. Restart Windows.

9. Quit System Policy Editor, and then restart Windows.

--End--

When making the file in step 7, I repeated steps 4 and 5 for the "Default Computer" icon.

This was tested on two computers in a workgroup running 98 SE and the Unofficial Service Pack 2.0.2. Since the security policy is "manually downloaded" from the local computer it seems that the password is also locally authenticated. Of course this could all be easily bypassed from a dos-prompt by importing a registry file with the right information.

With 98 in a multi-user environment you could set up users like Admin, Power, and User, assign them different security policies, and use them as a templates to copy to any new user. I tried using group policies but it doesn't seem possible to associate a user to a group without a domain controller/server.

For what it's worth.

[bristols]

Thanks a lot for sharing your experiences.

Also FWIW, this page documents another approach to requiring passwords to start Windows 98:

Making Windows 98 better: More Security Tips and Tools

(see the "Controlling Users" section.)

[noabody]

Excellent! The registry file that requires a logon password is below:

--Begin--

REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]

"MustBeValidated"=hex:01,00,00,00

--End--

You can see that the information is stored in HKLM - Network - Logon which means it's purpose is to enforce Network security. Turning the option "Require Validation from network for Windows Access" on and off in the policy editor creates or deletes the above registry key, respectively.

So the policy editor was Microsoft's GUI to effect this change without directly editing the registry. Great information! It almost goes without saying but both the above registry file and the policy editor method work in Windows Millenium as well.