This article explains how to provide a controlled Windows UI for specific local accounts on a device, where each account may use either a single application or multiple applications. Devices such as those running in Windows kiosk mode need to control the Windows UI for individual accounts. The article [Local account creation] explains how to create accounts under these conditions.
>>Previous article sample code
namespace WPFLockdownSample
{
    public partial class App : Application
    {
        DataAccessLayer dataAccessLayer = new DataAccessLayer();

        void App_Startup(object sender, StartupEventArgs e)
        {
            ...
            if (dataAccessLayer.ReadLogs().Count == 0)
            {
                ...
                //CoreApplication.Exit();
            }
            else
            {
                ...
                //[Desktop UI control] explains how to check the current user and how to navigate using a logon script
                //if (UserName == "maintenanceOperator") navigate to MaintenanceWindow
                //if (UserName == "appOperator") Set this app as logon script and quit this app.
                //  Automatically run this application when this account signs in.
                //if (UserName == "appUser") Set this app as logon script and quit this app.
                //  Automatically run this application when this account signs in.
            }
            ...
        }
    }
}
・Check current user
This article explains how to check the current user and then restrict a specific user so that the user can’t use Windows Explorer and gets a Windows desktop that has no icons; a single application is therefore launched for the user at logon.
The current-user check is implemented in the [DataAccessLayer] class in ‘AccountManager.cs’.
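using System.Security.Principal;
...
public partial class DataAccessLayer
{
    public string CurrentUserName
    {
        get
        {
            // WindowsIdentity.Name has the form "MACHINE\user" (or "DOMAIN\user").
            // Keep only the account part so that it can be compared with the
            // plain account names ("appUser", "appOperator") used in this article.
            string name = WindowsIdentity.GetCurrent().Name;
            int separator = name.LastIndexOf('\\');
            return separator >= 0 ? name.Substring(separator + 1) : name;
        }
    }
    ...
}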
This article checks the user name and selects the flow by user name. If you need to select the flow by group name, you can use the [GroupPrincipal] object in the ‘System.DirectoryServices.AccountManagement’ namespace, with a statement such as [GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupname);] (see this article). If the [group] object is ‘null’, the user is not in the group.
In the [App_Startup] method of the [App] class, read the [CurrentUserName] property of the [DataAccessLayer] class to get the current user name. Then check the name and navigate to the correct flow.
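A group-based version of the check, as an added example (not code from the sample project); the group name `KioskUsers` and the helper class are assumptions. A non-null result from `FindByIdentity` only shows that the group exists, so membership itself is tested with `IsMemberOf`.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class GroupCheck   // hypothetical helper, not part of WPFLockdownSample
{
    // Returns true only when the local group exists and the current user is a member of it.
    public static bool IsCurrentUserInLocalGroup(string groupName)
    {
        // ContextType.Machine targets the local account database, which is where
        // the local accounts of a kiosk device live.
        using (var context = new PrincipalContext(ContextType.Machine))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName))
        {
            if (group == null)
                return false;   // no such local group

            // Look the user up by SID rather than by name, so a renamed account
            // or a "MACHINE\user" prefix cannot change the outcome.
            string sid = WindowsIdentity.GetCurrent().User.Value;
            using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, sid))
            {
                return user != null && user.IsMemberOf(group);
            }
        }
    }

    public static void Main()
    {
        // "KioskUsers" is an assumed group name for the restricted accounts.
        bool restricted = IsCurrentUserInLocalGroup("KioskUsers");
        Console.WriteLine(restricted ? "apply restricted UI" : "no restriction for this account");
    }
}
```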
namespace WPFLockdownSample
{
    public partial class App : Application
    {
        DataAccessLayer dataAccessLayer = new DataAccessLayer();

        // A property must be declared inside the class, not directly in the namespace
        public string UserName { get; private set; }

        void App_Startup(object sender, StartupEventArgs e)
        {
            ...
            if (dataAccessLayer.ReadLogs().Count == 0)
            {
                ...
                //CoreApplication.Exit();
            }
            else
            {
                ...
                UserName = dataAccessLayer.CurrentUserName;
                //if (UserName == "maintenanceOperator") navigate to MaintenanceWindow
                if (UserName == "appOperator") { ... }
                if (UserName == "appUser") { ... }
            }
            ...
        }
    }
}
・How to restrict a specific user to a single application
The accounts appUser and appOperator can use only the user application, so to restrict these accounts to a controlled Windows UI, run the next two steps and then launch the user application.
1. Kill the Windows Explorer process
2. Clean the Windows desktop of the user
The code to kill the Windows Explorer process is below.
using System;
using System.Collections.Generic;
using System.Diagnostics;
...
public List<Log> RestrictForSpecificUser()
{
    List<Log> result = new List<Log>();
    //logging "User[{0}] is logon : ", CurrentUserName
    if (CurrentUserName == "appOperator" || CurrentUserName == "appUser")
    {
        //logging "Set logon script for user[{0}] : ", CurrentUserName
        //logging "Clear desktop of user[{0}] : ", CurrentUserName
        Process[] processes = Process.GetProcesses();
        foreach (Process p in processes)
        {
            try
            {
                // The process name of explorer.exe is "explorer" (no extension)
                if (p.ProcessName == "explorer") p.Kill();
            }
            catch (Exception ex)
            {
                // Record the failure and continue with the remaining processes
                Log log = new Log();
                log.LogType = LogType.Information;
                // Pass the message as a format argument so that braces in it cannot break string.Format
                log.Message = string.Format("Fault killing process Windows explorer : {0}", ex.Message);
                log.OccurredTime = DateTime.Now;
                log.OperatorName = GetType().Name;
                result.Add(log);
            }
        }
    }
    return result;
}
・Clean Windows desktop
Killing the Windows Explorer process (above) and cleaning the Windows desktop are best combined into one step when restricting a specific account. The code to clean the Windows desktop is below.
using Microsoft.Win32;
...
// CreateSubKey opens the key for writing if it already exists, otherwise it creates it
using (RegistryKey regkey = Registry.CurrentUser.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"))
{
    // NoDesktop = 1: hide and disable all items on the desktop
    regkey.SetValue("NoDesktop", 1, RegistryValueKind.DWord);
}
...
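A read-back check for the two restrictions above, as an added example (not code from the sample project); the class and method names are assumptions. It reports whether the `NoDesktop` value is present for the current user and whether an Explorer process is still running in the current logon session.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using Microsoft.Win32;

public static class LockdownCheck   // hypothetical helper, not part of WPFLockdownSample
{
    const string PolicyKey = @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer";

    // Returns one message per restriction that is not in effect; an empty list means both hold.
    public static List<string> FindGaps()
    {
        var gaps = new List<string>();

        // 1. The NoDesktop value written by the article's registry code.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(PolicyKey))   // read-only open
        {
            object value = key == null ? null : key.GetValue("NoDesktop");
            if (!(value is int) || (int)value != 1)
                gaps.Add("NoDesktop is not set to 1 for this user");
        }

        // 2. Explorer in this logon session only; other sessions belong to other users.
        int session = Process.GetCurrentProcess().SessionId;
        foreach (Process p in Process.GetProcessesByName("explorer"))
        {
            using (p)
            {
                if (p.SessionId == session)
                    gaps.Add("explorer.exe is still running (PID " + p.Id + ")");
            }
        }
        return gaps;
    }

    public static void Main()
    {
        List<string> gaps = FindGaps();
        foreach (string gap in gaps)
            Console.WriteLine("GAP: " + gap);
        // A non-zero exit code lets a maintenance script detect an incomplete lockdown
        Environment.Exit(gaps.Count == 0 ? 0 : 1);
    }
}
```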
・Logon script for specific user
The last step is to set the logon script. The code below omits the logging code.
namespace WPFLockdownSample
{
    public partial class App : Application
    {
        DataAccessLayer dataAccessLayer = new DataAccessLayer();

        public string UserName { get; private set; }

        void App_Startup(object sender, StartupEventArgs e)
        {
            if (dataAccessLayer.ReadLogs().Count == 0)
            {
                //user account creation
                //CoreApplication.Exit();
            }
            else
            {
                UserName = dataAccessLayer.CurrentUserName;
                //if (UserName == "maintenanceOperator") navigate to MaintenanceWindow
                if (UserName == "appOperator")
                {
                    dataAccessLayer.RestrictForSpecificUser();
                }
                if (UserName == "appUser")
                {
                    dataAccessLayer.RestrictForSpecificUser();
                }
            }
        }
    }
}