
vrf Beware of 'On Cycle' Loops !

Question asked by VRFuser on Jun 3, 2008
> Is there a way to disable a user's
> ability to change the date/time on a PC?

Yes, but it can rapidly become another one of those fruitless battles between programmer & user.

Locking down a Windows PC begins by allowing only User accounts to operate the system. We all know there are issues with that approach. There are literally hundreds of things your software can't do while running under a User account. Kudos if your test system doesn't do any of them, but the list is *huge* and at some point you're probably going to want to (for instance) synchronize the time. Sorry, can't do it.

Notwithstanding the difficulties this poses for OnCycle, there are ways around these limitations. The most obvious is using the CreateProcessAsUser or CreateProcessWithLogon functions to launch VEE. Less obvious but just as effective is using AdjustTokenPrivileges to allow VEE, running under a User account, to execute a variety of privileged operations.

None of these functions are trivial to use though. Even if you do elect to use them, the Domain Controller (if one exists) or the Local Security Policy may disallow them. IT might not be extraordinarily helpful in this instance, as there is a tendency to err on the side of caution.

You can go a long way to preventing problems caused by either malicious operators or innocent mistakes by using the LSP & Group Policies. Create a group called TestOperators, populate it and read http://support.microsoft.com/kb/278295
In particular, skip down to the details about Windows Explorer, Task Scheduler and Start Menu & Taskbar. You can eliminate most of your user problems by simply disallowing a way to start Internet Explorer for instance, or removing New Task from the Task Manager File menu.

It will take some time to get the configuration you want and still allow your test to run effectively, but once you figure it out you can use these measures as a template for all your test systems and still allow VEE to do its job.
-SHAWN-
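
An added example, not part of the original reply: a PowerShell check of which accounts the Local Security Policy currently grants the "Change the system time" user right (`SeSystemtimePrivilege`), so you can confirm the test operators are not among them. The expected-holder list and the scratch file name are assumptions; adjust them for your systems.

```powershell
# Added example: list who holds the "Change the system time" user right.
# Run from an elevated prompt; secedit.exe ships with Windows.
$UserRight = 'SeSystemtimePrivilege'
# Assumption: holders treated as normal on a workstation (LOCAL SERVICE, Administrators).
$Expected  = @('S-1-5-19', 'S-1-5-32-544')
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # scratch file, name is arbitrary

# Export only the user-rights area of the local security policy.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed (is the prompt elevated?)' }

try {
    $line = Get-Content $cfg |
        Where-Object { $_ -match "^\s*$UserRight\s*=" } |
        Select-Object -First 1
    if (-not $line) { Write-Output "$UserRight is assigned to no one."; return }

    # The value is a comma-separated list; SIDs are prefixed with '*'.
    $entries = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        $name     = $entry
        $sidValue = $entry.TrimStart('*')
        try {
            if ($entry.StartsWith('*')) {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidValue
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } else {
                $acct     = New-Object System.Security.Principal.NTAccount -ArgumentList $entry
                $sidValue = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            }
        } catch {
            $name = "$entry (unresolved)"   # orphaned SID or unknown account name
        }
        [pscustomobject]@{
            Holder      = $name
            Sid         = $sidValue
            NeedsReview = -not ($Expected -contains $sidValue)
        }
    }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

Any row with `NeedsReview` set to `True` is an account or group beyond the expected holders; on a domain-joined PC the effective assignment can come from Group Policy rather than the local setting.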
