MyLogon: The Configuration File


The MyLogon.ini file allows for a much greater range of adjustment of  MyLogon's behaviour than does the GUI configurator. 

Most settings in this file are used directly, and take immediate effect. There are a few settings which pertain to registry keys, and these are not loaded automatically unless the AutoUpdateRegistry flag is set (see below).
The MyLogon.ini file is located in the {Windows}\MyLogon folder. Direct editing of the settings should be performed with a text editor. Notepad is fine. Please be aware, though, that Microsoft Word is NOT a text editor; it is a word processor. Use of a word processor is likely to trash the file.

All Boolean values must be either one or zero. T/F or Y/N are not accepted.

Here we'll run through the main options in MyLogon.ini:

The [Global] section contains all of the general settings for the program itself. Any section other than [Global] is assumed to be an entry for a specific network. The main settings are normally found in [Global]; however, all settings are applicable to all sections, and any settings placed in a network section will override those in the [Global] section.

Lines beginning with ; are comments. Other lines are settings.

[Global]

; User Items
; These settings are dynamic, changing whenever Save in the MyLogon GUI is pressed.

Username=fred
; Self-explanatory

LogonNetwork=Site Network
; Refers to the name of the network-section at end of file.

vpn=Direct Connection
; "Direct Connection" or blank means don't dial anything before logging-on. Otherwise, MyLogon will attempt to make a VPN (remote access) connection to the server using the specified connectoid (Which must exist in the Networks Control Panel of the computer)  before attempting a logon.

InterfaceStyle=FullFeatured ; (Standard | Minimalist)
; Show all the widgets on the logon screen. Or some. Or only the password dialog. This option is user-selectable from the MyLogon menu.

; User-Interface Items:
ShowProgress = 1
; A progress dialog is shown while the logon is taking place, pausing briefly to display the results of each stage. Setting ShowProgress to zero will in fact still show the dialog, but without the pauses, allowing the logon process to run much faster.

Debug = 0
; Provide tooltips, with more detailed information at each stage of the logon. Note that this option slows the process considerably, so should only be set on if there is a need for it.

PurgeConnections = 1
; Clear any existing connections before commencing (Recommended:1) -WinXP 'remembers' previous drive-mappings even when not appropriate, and these can interfere with the establishment of connections to the selected network. This option makes sure any historical shares from previous sessions are removed.

ShareCleanup = 1
; Remove any defunct drive-letters from user's desktop after logon completes (ones for which the user has no access-rights)

AutoUpdateRegistry=0
; Set this to 1, and any changes to the shell-integration or registry settings will be auto-updated the next time MyLogon runs. (The user will be asked for confirmation first) This is very handy for rollouts, as it allows a modified .ini file to be "self-installed" by simply copying it to the computer(s). The AutoUpdateRegistry value self-resets to zero on success, preventing unwanted repeats.

; Remote-access settings:
; If you need to dial-in for remote-access with nonstandard credentials, enter them here.
; Otherwise your normal user/pass will be used for VPN as well as logon.
vpnUsername=
vpnPassword=

; Windows Startup-Integration:
SecureMode = 1
;Determines whether MyLogon should demand a password at Windows startup.
SelfRepair = 1
;Check for, and repair, registry-damage to MyLogon done by some anti-spyware programs.
; (If MyLogon won't run at startup, run it manually and it should offer to repair the damage)

; Passwords
AcceptLastUsed = 1
; Allow the last network-password to be used for standalone access. Note that this does have a small security-issue as the password-hash must be stored locally if you select this option. It is no less secure than some Microsoft arrangements, however.
AllowNullPassword = 0
; Zero-length passwords allowed.. or not. Your call. I wouldn't ;-)
StandaloneOverrides=0
; Setting to 1 emulates Version 1 behaviour, where typing a standalone password always results in a local logon regardless of which button is pressed.  0(zero) sets Version 2 behaviour,  attempt a logon, then offer to enter standalone mode only if the logon  fails.
Standalone =45943874398789347984
AdminOverride=3476414767433230121139251477
;These are hashes of the local-access passwords. The Standalone one is configurable via the GUI. You need the administrator's hash-generator tool to create new ones outside of the GUI.

; Registry Items for Shell Integration Mode
; These are the items in the "Advanced > Security" GUI dialog.

; Advised Changes
RestrictTaskMan =1
;Don't allow user to run Task Manager until after logon. (because it allows the starting of programs)
HideUserCPL =1
; Stop itchy fingers from changing the profile settings in Control Panel.
NoWelcomeScreen =1
; If user logs-off, they are taken back to MyLogon instead of being invited to change local-user.
AdminShareCheck =1
;Removes the 'Administrative shares' - C$,D$ etc. which are seldom used but which under some circumstances are a serious security risk.
NoXPSharedFolders =1
;XP has 'shared folders' which actually refer to sharing between (part-time) users of the same machine. To network users their presence is generally a cause of confusion, so best remove them.
WarnOfPasswordExpiry =1
;By default, XP Pro and W2000 force the user to change the local password every 42 days. A coding oversight means that the forced change occurs even if the user has no permissions to set passwords, locking the user out. This option gives earlier warning of a lurking 'password timebomb' on the machine.

 

; Optional Changes, which depend on personal preference:
NoScreenSaverLock =1
;If screensaver-lock is used, it will be locked with the local profile password, not the network one. Fine if the user understands this, but if not, best prevent it happening or they will lock themself out.
NoWindowsKey =1
;Prevent the Windows key shortcuts from working. Some of these have unexpected results, and with inexperienced users are best turned-off as they're easily 'caught' while typing. Note: You can still press Win to see the Start Menu with this set.
NoCDAutoRun =1
;Probably the single most sworn-at XP feature. Put a CD into an XP machine, and even if it's a CD-R you created yourself to hold your own text-files, it still will cause infuriating pop-ups to appear. Setting this to 1 will nail the popups.


;Kiosk Mode (Launch a single application only, in response to a special password)
; These settings are controlled by the Advanced GUI section, or can be set manually.

kioskkey =tyeuy5565jkhtr3
; The hash of the password you must type to enter Kiosk Mode.

kioskapp =notepad.exe
; The program to run. Use quotes "" if there are spaces in the pathname.

kioskcloseaction =Shutdown
; What to do when that program closes (Shutdown/Logoff/Reload)

KioskScreenMode=Fullscreen
;A very few apps object to being run fullscreen,  in which case change this to "Windowed"
;(added v2.1, and only available by manual .ini file editing.)

kiosknetmode =Standalone
; Do we logon to the server, or not?  ("Connected" for logon to server)

kioskuser =
; The username to logon with, IF this is distinct from the kiosk keyword. Otherwise blank.

;( 'kiosk' is assumed as the username if the entry is blank. This user should exist on the server, but should have only a limited set of privileges, basically the minimum needed to run the kiosk app. )

 
; ------ End of Global section -------------

; The following sections are network-specific. The first one is the network configured by the GUI (which only permits config of a single network, for simplicity). In fact you can have as many networks as you like, so long as you hand-edit them.

[Site Network]
NetworkComment =
; Descriptive comment, appears in tooltip on GUI.
LogonServer = server
; Enter the server-name without any backslashes.
LogonDomain =
; Normally blank for single-server sites. Needed on multi-server sites with trust relationships.
LogonShare = netlogon
; Above is the universally-standard value, and no real reason to change it.
LogonScript = logon.bat
; See section on scripts for more information. With no specific path stated, this one will be in the netlogon share. Tip: To run a script from the MyLogon folder of the local machine instead of from the server, prefix it with 'local:' - for example, 'local:logon.bat' will run 'C:\Windows\MyLogon\logon.bat' after a successful logon.

; Add extra network sections if you wish to access more than one system. For example:

 
[Other Network]
LogonServer =servertwo
LogonDomain =
LogonShare =netlogon
LogonScript =logon.bat

; As mentioned, only the default network can be configured in the GUI, but all can be selected.



 Pattern-Matching


A new feature of v2 is the ability to detect, and alert  the user, when  a username is entered which does not comply with network policies.  The development of this add-on was based on the observation that a high proportion of techsupport-calls  from new users stem from exactly this kind of mistake. At least this feature makes techsupport easier as the user is then able to report that the computer is rejecting the username. This often saves a merry chase-round testing cables, etc. and a half-dozen needless password-resets before the real cause of the problem is noticed!

Since a pattern-mismatch only informs that the username is probably wrong, but not how to correct the mistake,  the impact of pattern-matching on security is small.

The pattern-matching rules can be either in [global] or in a specific network section.  Those in a network section over-ride the global ones if that network is selected.

Example settings might be:

; A name cannot contain spaces    
uminspaces = 0     
umaxspaces = 0

; A name must contain either no dot, or one dot
umindots = 0       
umaxdots = 1     

; A name must not contain an @ sign
uminats = 0        
umaxats = 0

; A name must not contain more than two underscores       
uminunderscores = 0 
umaxunderscores = 2

; We don't care how many hyphens a name has        
uminhyphens = 0    
umaxhyphens = 99

; Names must be lowercase  
umincaps = 0       
umaxcaps = 0     

; Length must be a minimum of 6, max of 20 characters
uminlength = 6    
umaxlength = 20   

;Not  all of these rules need apply to any given network.  Either comment-out  the unneeded ones, or set them  to a min of zero and max of 99.
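
The section-override and min/max rules described above, worked through as an added example (this is not MyLogon's own code). The function names, the way each character class is counted, and the treatment of a missing rule as min 0 / max 99 are assumptions; the sample .ini text is constructed.

```python
import configparser

# Constructed sample in MyLogon.ini layout (illustrative values only).
SAMPLE_INI = """
[Global]
uminspaces = 0
umaxspaces = 0
umindots = 0
umaxdots = 1
umincaps = 0
umaxcaps = 0
uminlength = 6
umaxlength = 20

[Other Network]
; This network requires exactly one dot and permits capitals
umindots = 1
umaxcaps = 99
"""

# Rule suffix -> how it is counted in a username (counting semantics assumed).
COUNTERS = {
    "spaces": lambda u: u.count(" "),
    "dots": lambda u: u.count("."),
    "ats": lambda u: u.count("@"),
    "underscores": lambda u: u.count("_"),
    "hyphens": lambda u: u.count("-"),
    "caps": lambda u: sum(c.isupper() for c in u),
    "length": len,
}

def effective_rules(ini_text, network):
    """Merge [Global] with the selected network section; network values win."""
    cp = configparser.ConfigParser(comment_prefixes=(";",),
                                   inline_comment_prefixes=(";",),
                                   interpolation=None)
    cp.read_string(ini_text)
    merged = dict(cp["Global"]) if cp.has_section("Global") else {}
    if cp.has_section(network):
        merged.update(cp[network])   # keys are lower-cased by configparser
    return merged

def check_username(username, rules):
    """Return the rule names the username violates (empty list = compliant)."""
    failed = []
    for name, count in COUNTERS.items():
        lo = int(rules.get("umin" + name, 0))    # absent rule: unconstrained
        hi = int(rules.get("umax" + name, 99))
        if not lo <= count(username) <= hi:
            failed.append(name)
    return failed
```

Running the same username against the [Global] rules and against a network section shows which policy actually applies once overrides are merged, which is useful when checking a hand-edited file before rollout.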