Forum Discussion

Pete_29020
Jul 10, 2008

Policy Checks --> Check Windows Registry

Hi All,

I'm using the "Check Windows Registry" policy check for the VPN Connection.

This key will determine if the laptop is a member of the domain I specify.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"."DefaultDomainName"=""

What I want to be able to do is to have multiple registry keys that it checks against and if one returns negative then the user doesn't connect.

I want to use the additional registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"."DefaultUserName"="session.user.username"

So the logic is:

1. Check to make sure the PC they're using is on the company's domain

2. AND the username logged into Firepass is the same as the domain username logged into the PC - this helps to make sure certain drive mappings are mapped correctly.

Each key works perfectly on its own, but I'm not sure if I can use multiple keys in an "AND" logic situation.

OR if someone knows how to verify the PC they're using is a company machine then let me know. (I know these 2 checks will be unique to our company's internal domain.)

When I add the strings one after the other, it only seems to look at the first one and ignore the second.

Thanks!

-Pete

 

  • Hi Pete,

    There is no reason you can't use the Pre-Logon Sequence editor to put as many Registry Checks as you want into a sequence in the order you require. For example, insert a Registry Check action and if it's successful, do another Registry Check. The fallback option can be the logon denied page or something else. I'd recommend spending a bit of time messing about with the Pre-Logon Sequence editor as you can create some really cool sequences. Just be aware that Sub-Sequences are effectively like "GOTO" statements. That is, you go to the subsequence and complete execution from there (they don't return).

    Hope this helps you out.

    Cheers,

    Mal
  • Thanks Mal,

    Yes, I saw the Pre-Logon sequence, but we want to allow users to log in from home from their home computers for everything else except for creating a VPN connection.

    So I wanted the check to be done on the VPN option when it's clicked. Unless in the Pre-Logon sequence I can say, if "registrykey1=workcomputer" then do not show the VPN option?

    I'll keep digging. Thanks for the idea.

    -Pete
  • Pete,

    Too easy. Do your normal registry check in the Prelogon Sequence. Note the checkid. Then go into Protected Configurations and create a 'Protected Configuration'. Basically specify that the checkid in the prelogon sequence must be true (or false depending on your requirement). Then, once you've created the Protected Configuration, go to your Network Access resource and apply it to the resource. That way FirePass will either show or hide the favorite from the webtop depending on the result of the RegCheck. I believe that should give you what you need.

    Good luck!

    Cheers,

    Mal
  • You nailed it Mal.

    I now have 2 registry checks + a file check - if they are all satisfied then the Network Access icons are available - if not they are not in the list.

    I created a custom Protected Configuration as you suggested and then used the checkid to validate.

    Perfect-o!

    Thanks for the push in the right direction.

    -Pete :D
  • Pete,

    Rock and roll mate! Well done!

    Cheers,

    Mal
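
To see on a given laptop what the two registry checks discussed in this thread would read before building them into a sequence, the following PowerShell is an added example, not part of the original posts and not FirePass code. The function name, parameter names, the sample domain `EXAMPLE` and the case-insensitive comparison are assumptions.

```powershell
# Added example: reads the two Winlogon values named in the thread and
# combines the results with AND logic. Function and parameter names are hypothetical.
function Test-WinlogonPosture {
    param(
        [Parameter(Mandatory)][string]$ExpectedDomain,
        [Parameter(Mandatory)][string]$ExpectedUser
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $checks = [ordered]@{
        DefaultDomainName = $ExpectedDomain
        DefaultUserName   = $ExpectedUser
    }

    $results = foreach ($name in $checks.Keys) {
        # A missing value counts as a failed check, not as an error.
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value    = $name
            Expected = $checks[$name]
            Actual   = $actual
            # Assumption: compare case-insensitively.
            Passed   = ($null -ne $actual) -and ($actual -ieq $checks[$name])
        }
    }

    # AND logic: one failed check fails the whole posture test.
    [pscustomobject]@{
        Checks    = $results
        AllPassed = -not ($results.Passed -contains $false)
    }
}

# 'EXAMPLE' is a placeholder domain; the current user stands in for the VPN logon name.
$r = Test-WinlogonPosture -ExpectedDomain 'EXAMPLE' -ExpectedUser $env:USERNAME
$r.Checks | Format-Table -AutoSize
"All checks passed: $($r.AllPassed)"
```

Both values live under HKLM and can be changed by anyone with local administrator rights on the machine, so they indicate how the laptop is configured rather than prove it is company-owned.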