Incorporating Connection Manager with Logon Security

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2012, Windows Vista

A user with a Connection Manager profile installed can choose to log on to Windows using the profile. This type of logon establishes the connection to the remote network first, and then logs on to the remote network using domain credentials.

A user can log on using a VPN or dial-up connection only if the computer is a member of a domain. Only profiles that are installed for use by all users can be used to log on to Windows.

To log on to Windows by using a Connection Manager profile

  • Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008

    1. On the main logon screen, click Network Logon in the lower right-hand corner of the screen. If the Network Logon button is not visible, click Other User.

    2. If more than one profile is installed, select the profile that you want to use to connect.

    3. Enter the user name (in domain\username form) and password that you want to use to log on to Windows, and then press ENTER.

    4. The connection profile properties page appears. If any information is required for the connection to succeed, such as selecting the VPN server or phone number to dial, you can enter it here.

    5. When all of the settings are complete, click Connect to connect to the remote network and complete the logon process.

  • Windows XP, Windows Server 2003, or Windows 2000

    1. In the Log On to Windows dialog box, click Options.

    2. Type your user name, password, and domain credentials. These should be for a user account on the remote network.

    3. Still in the Log On to Windows dialog box, select the Log on using dial-up connection check box, and then click OK.

    4. If more than one profile is installed, select the profile that you want to use, and then click Connect.

    5. The profile logon page appears. If any information is required for the connection to succeed, such as selecting the VPN server or phone number to dial, click Properties and enter the required information. Click Connect to connect to the remote network and complete the logon process.

Administrative issues when using connection profiles to log on

If you intend to build and distribute a connection profile that will be regularly used to log on, consider the following:

  • By default, Connection Manager uses the credentials the user types at the Windows logon screen. If you want Connection Manager to ignore those credentials, add the key UseWinLogonCredentials=0 to the [Connection Manager] section of the .cms file for your connection profile.

  • Users who use remote network logon gain access to Windows through an account designed for this method of logging on. Any customized settings for Connection Manager are applied to this network logon account, rather than to the account of the user who logged on. The user can customize the network logon account in the same ways as any other account (for example, save settings for VPN servers or phone numbers). However, permissions granted to specific users, such as access to Help, are not granted to users logging on to Windows, even after the connection completes.

For security reasons, the following functionality is not available when a user logs on to Windows using a remote network connection:

  • If the .cms file for the profile contains the ResetPassword key, any value for that key is ignored.

  • Custom buttons do not appear or function.

  • The View Log button is disabled.

  • The Advanced tab does not appear in the properties dialog box for the connection profile.

  • Keys in the .cmp file that provide user credentials for first-time use (such as UserName) are not available. Internet connection credential keys such as InternetUserName are available.

  • Animation does not display. If you are building a profile that uses animation, you should include a default bitmap to display in this circumstance.

  • Custom actions do not run unless those actions have been enabled by editing the registry. Even after custom actions have been enabled, the custom action will not automatically work with registered shell extensions. You must indicate the program to use with the file, as well as the path to the file.

  • Connection Manager Help (including context-sensitive help) is disabled during the connection process.

  • If a system component is missing when the user attempts to log on using a dial-up connection, the connection attempt fails. The user will not be able to install the system component until he or she logs on.

Enabling custom actions that run when a user logs on by using a remote network connection

For a custom action to run during the logon process, you must enable that action by specifying a value for the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Connection Manager\Profile Name\WinLogon Actions

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

The format for the value of the registry key is:

  Field   Description
  -----   -----------
  Name    The name of the executable file that will run.
  Type    REG_DWORD
  Data    An integer value that indicates the location of the executable, per the following table.

Supported values for the Data field are:

  Value            Location of executable
  -----            ----------------------
  0x00000000 (0)   %windir%\system32
  0x00000001 (1)   Profile directory

The following example enables automatic phone book downloads at connection time. If you set the value of:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Connection Manager\Profile Name\WinLogon Actions

as:

  cmdl32.exe   REG_DWORD   0x00000000 (0)

then you must also include:

  [Xnstall.AddReg.AllUsers]
  "HKLM", "%AppAct%\%ServiceName%\WinLogon Actions","cmdl32.exe",0x00010001,0

in the .inf file of the profile.

Important

Modifying .inf files can cause significant installation problems. Thoroughly test all connection profiles containing custom .inf entries for version, file, or other conflicts. Be sure that the file location is specified correctly.

Security Note
If a custom action runs when users log on to Windows, the custom action runs with system permissions. You should ensure that any custom actions that you enable do not pose unintended security risks.
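Because every enabled action under WinLogon Actions runs with system permissions, an administrator should be able to list exactly what a profile would launch at logon. The following PowerShell function is an added example (not part of this article or of Connection Manager itself): it reads the WinLogon Actions key for a named profile, resolves each value to a file path using the 0/1 location table above, and flags entries that are not REG_DWORD, use an unsupported Data value, or point at a file that does not exist. The location of the profile directory is an assumption (defaulting to %ProgramData%\Microsoft\Network\Connections\Cm\<ProfileName>) and can be overridden with -ProfileDir.

```powershell
# Added example, not code from the article. Audits the custom actions that a
# Connection Manager profile would run with system permissions at network logon.
function Get-CmWinLogonActionAudit {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        # Assumed default for the "Profile directory" of an All Users profile;
        # pass -ProfileDir explicitly if the profile was installed elsewhere.
        [string]$ProfileDir = (Join-Path $env:ProgramData "Microsoft\Network\Connections\Cm\$ProfileName")
    )

    $keyPath = "HKLM:\SOFTWARE\Microsoft\Connection Manager\$ProfileName\WinLogon Actions"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Verbose "No WinLogon Actions key for profile '$ProfileName'; no custom actions run at logon."
        return
    }

    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)   # documented format requires REG_DWORD
        $data = $key.GetValue($name)

        # Data 0 -> %windir%\system32, Data 1 -> profile directory (table above)
        $location = switch ($data) {
            0       { Join-Path $env:windir 'system32' }
            1       { $ProfileDir }
            default { $null }
        }
        $exePath = if ($location) { Join-Path $location $name } else { $null }
        $exists  = if ($exePath) { Test-Path -LiteralPath $exePath -PathType Leaf } else { $false }

        $problem = ''
        if ($kind -ne 'DWord')   { $problem = 'Value type is not REG_DWORD' }
        elseif (-not $location)  { $problem = "Unsupported Data value $data" }
        elseif (-not $exists)    { $problem = 'Executable not found at resolved location' }

        [pscustomobject]@{
            Profile   = $ProfileName
            Name      = $name
            ValueKind = $kind
            Data      = $data
            Resolved  = $exePath
            Exists    = $exists
            Problem   = $problem
        }
    }
}

# Usage: substitute the installed profile's name for the placeholder below.
Get-CmWinLogonActionAudit -ProfileName 'Profile Name' -Verbose | Format-Table -AutoSize
```

Any row whose Problem column is non-empty, or whose Resolved path lies outside %windir%\system32 and the profile directory, deserves review before the profile is distributed.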

Security Note
Users who install profiles for individual use can modify .cms and .cmp files of the profiles they install. Only members of the Administrators or System Operators groups can modify .cms and .cmp files of profiles installed for All Users. All members of the Administrators group on a local computer can modify the .cms and .cmp files of any connection profile that is installed on that computer.
