Posted

Hello all,

I have the problem that I must make a template for an unattended Windows XP installation that allows guests on the network to access a shared directory on a certain PC.

My unattended installation is run with a bootable (ms lan manager) diskette and loads/installs Windows XP from a network share in our company network (we have a volume license). The installation is fully automated and doesn't require any user intervention. It uses AutoIt V.3 to install lots of applications. I have no problems creating accounts and shares programmatically, and I can also enable the guest account programmatically.

My problem on this particular PC is two settings inside secpol.msc:

"Access this computer from the network" and

"Deny access to this computer from the network".

In the first option, I want "Guest" added to the list automatically, in the second option, I want "guest" removed from the list automatically.

Any idea how to do this programmatically? I can't modify the original INF files of Windows XP because the same template will be used for other computer types as well. I would rather not resort to "remote controlling" secpol.msc with AutoIt. I'd prefer to write the correct values into the registry directly or to use a command-line tool.

Any clues?

Arthur Hoornweg


Posted

We must use security templates.

The original security template uses the SID of the Guest account.

With the string "Guest" it works too. I think there isn't an issue.

EnableSimpleSharing.inf

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
EnableGuestAccount = 1
[Privilege Rights]
sedenynetworklogonright =
;Edit for your language ... these are the French names
senetworklogonright = Administrateurs, Opérateurs de sauvegarde, Utilisateurs avec pouvoir, Utilisateurs, Invité
[Profile Description]
Description=Just Enable Simple Sharing

To apply this template silently I use this batch file:

Go.cmd

::Move the database to the current directory (otherwise secedit displays an error ...)
if exist "%SystemRoot%\security\Database\secedit.sdb" move /y "%SystemRoot%\security\Database\secedit.sdb" .
::Update the database with the template
secedit /configure /cfg EnableSimpleSharing.inf /db secedit.sdb
::Put the database back in place
move /y secedit.sdb "%SystemRoot%\security\Database\secedit.sdb"
::Clean up the registry values left by secedit
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit" /v TemplateUsed /f >NUL 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit" /v LastUsedDatabase /f >NUL 2>&1

edit: Okay, that works in VMware.

edit2: No need to reboot either. It's on the fly.

Posted

Thank you very much, this might help me!

Just a few questions:

1 - Must the INF file be in Unicode format?

2 - Is it really possible to move and replace the security database while Windows is running?

Posted

I have modified your INF file to be language independent, and I'm currently testing it (don't have results yet):

[unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[system Access]
EnableGuestAccount = 0
[Privilege Rights]
sedenynetworklogonright =
senetworklogonright = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-546, *S-1-5-32-547, *S-1-5-32-545
; English-only text would be:
; senetworklogonright = Administrators, Backup Operators, Guests, Power Users, Users
[Profile Description]
Description=Just Enable Simple Sharing

Posted

Tested many times: the security database can be moved and edited on the fly. (In fact, the file is in use, but you can rename and move the file (but you can't delete it); Windows manages the operations.)

edit: I don't know about the Unicode format (PSPad reports mine as UTF-16 ...), but you must have

[Unicode]
Unicode=yes

.
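
An added example, not part of the thread and not the posters' code: a Python audit that parses a security template (UTF-16 with BOM or 8-bit ANSI, the encoding question raised above) and reports whether Guest or Guests holds the two network logon rights. Function names and the sample template are constructed for illustration; localized names such as "Invité" are not recognised, which is one reason to prefer the SID form.

```python
import codecs

# Built-in group SIDs that appear in the thread's SID-based template.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
              "S-1-5-32-546": "Guests", "S-1-5-32-547": "Power Users",
              "S-1-5-32-551": "Backup Operators"}

def decode_template(raw):
    """Decode a template saved as UTF-16 (with BOM) or as an 8-bit ANSI file."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def privilege_rights(text):
    """Return {right name in lowercase: [principal, ...]} from [Privilege Rights]."""
    rights, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
        elif section == "privilege rights" and "=" in line:
            key, value = line.split("=", 1)
            rights[key.strip().lower()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def is_guest(principal):
    """True for the Guests group SID, a Guest account SID (RID 501), or the English names."""
    sid = principal.lstrip("*").upper()
    if sid == "S-1-5-32-546" or (sid.startswith("S-1-5-21-") and sid.endswith("-501")):
        return True
    return principal.lower() in ("guest", "guests")

def audit(raw):
    """Summarise guest exposure in the network logon rights of one template."""
    rights = privilege_rights(decode_template(raw))
    allow = rights.get("senetworklogonright", [])
    deny = rights.get("sedenynetworklogonright", [])
    return {"guest_allowed": any(is_guest(p) for p in allow),
            "guest_denied": any(is_guest(p) for p in deny),
            "allowed": [WELL_KNOWN.get(p.lstrip("*"), p) for p in allow]}

# Constructed sample: a shortened SID-based template, encoded as UTF-16 with BOM.
SAMPLE = ("[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n"
          "sedenynetworklogonright =\r\n"
          "senetworklogonright = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-546\r\n"
          ).encode("utf-16")
```

Running `audit()` over the file written by `secedit /export /cfg` before and after applying a template shows whether guest network access actually changed on that machine.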
