
HOW-TO: Create new first time logon domain user agreement with HTML and VBS only

Recently, my manager asked me to develop a script or program that displays a user agreement to new domain users the first time they log in to any machine on the domain. The idea is that when the user logs in, the agreement loads full screen before the desktop appears, and the user cannot simply close or minimize it. After reading the agreement, the user clicks either accept or decline. If the user accepts, the script notes that the user has accepted the agreement, the agreement is no longer displayed for that user on any computer on the domain, and logon continues to the desktop. If the user declines, the user is logged off immediately and the agreement loads again the next time that user tries to log in.

This is how the whole process works:

– New domain user logs in for the first time
– Agreement loads before getting to the desktop
– If user clicks “I accept”
    – Script notes that the user clicked “I Accept” and continues to the desktop
    – Agreement will not load again on any of the domain PCs
– If user clicks “I decline”
    – User will get logged off immediately
    – No data is recorded for said user
    – Agreement will load again the next time the user tries to log in

Now for the fun part

To make things easy, I created a very simple HTML page (saved as .hta). It has the statement and two buttons: I Accept and I Decline.

AUP.hta

<html>

<head>
<HTA:APPLICATION
   APPLICATIONNAME="LOGIN"
   VERSION="1.0.0.0"
   BORDER="none"
   INNERBORDER="no"
   CAPTION="no"
   SYSMENU="no"
   MAXIMIZEBUTTON="no"
   MINIMIZEBUTTON="no"
   ICON="NO"
   SCROLL="no"
   SCROLLFLAT="yes"
   SINGLEINSTANCE="yes"
   WINDOWSTATE="maximize"
   SHOWINTASKBAR="no"
   CONTEXTMENU="no"
   SELECTION="no"/>

<script language="VBScript">
   Sub logon
      Set objShell = CreateObject("Wscript.Shell")
      objShell.Run "\\server_name\sysvol\domain\scripts\AUP\AUP.vbs"
      window.close
   End Sub

   Sub logoff
      Set objShell = CreateObject("Wscript.Shell")
      objShell.Run "shutdown /l"
   End Sub
</script>

<script language="JavaScript"> 
function document.onkeydown() {  
   var alt=window.event.altKey; 
   if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { 
   event.keyCode=0; 
   event.cancelBubble=true; 
   return false; 
   } 
} 
</script>
</head>

<body>
   <div class="statement_title">Statement Title</div>
   <hr>

   <div class="statement">
      Lorem ipsum dolor sit amet, consectetur adipiscing elit...
   </div>

   <hr>

   <div>
      <a href onClick="logoff" class="button">I Decline</a>
   </div>
   <div>
      <a href onClick="logon" class="button">I Accept</a>
   </div>
</body>

</html>

When you click I Accept, the page calls the VBS script AUP.vbs. All it does is create a text file on a network drive, with the user’s username as the file name. The file contains the user’s username, the date and time, and the statement itself. Once that is done, the .hta file closes and the logon process continues to the desktop.

AUP.vbs

On Error Resume Next
Set objShell = CreateObject("WScript.Shell")
UserName = objShell.ExpandEnvironmentStrings("%USERNAME%")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("\\server_name\share_Drive\AUP\" & UserName & ".txt", 2, True)

objFile.Write("**********************" & vbCrLf & vbCrLf)
objFile.Write(UserName & " signed the User Agreement on  " & Now & vbCrLf & vbCrLf)
objFile.Write("**********************" & vbCrLf & vbCrLf & vbCrLf)
objFile.Write("Lorem ipsum dolor sit amet, ..." & vbCrLf)

objFile.Write("interdum augue ut dictum. ..." & vbCrLf)
objFile.Write("vel purus." & vbCrLf)

objFile.Close

However, if the user clicks “I Decline”, the .hta file just logs that user off without calling the AUP.vbs script or recording anything for that user.

That is basically it. Now all we need is a logon script that checks whether the user has logged in before. It checks by looking for the text file on the network drive: if the text file exists, it skips all of the above; if it does not, it shuts down explorer.exe, displays the AUP.hta file, and waits for the user’s response before relaunching explorer.exe and continuing to the desktop.

Logon.vbs

On Error Resume Next
Set objShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
UserName = objShell.ExpandEnvironmentStrings("%USERNAME%")

If (fso.FileExists("\\server_name\Share_Drive\AUP\" & UserName & ".txt")) Then
WScript.Quit()

Else

dim strComputer
dim wmiNS
dim wmiQuery
dim objWMIService
dim colItems
dim objItem
Dim strOUT

strComputer = "."
wmiNS = "\root\cimv2"
wmiQuery = "Select processID from win32_process where name = 'explorer.exe'"

Set objWMIService = GetObject("winmgmts:\\" & strComputer & wmiNS)
Set colItems = objWMIService.ExecQuery(wmiQuery)

For Each objItem in colItems
    objItem.terminate(1)
Next
subLaunch 'show the agreement once, after every explorer.exe instance has been terminated

Sub subLaunch
Dim objShell
Dim strProg

strProg = "\\server_name\sysvol\domain\scripts\AUP\AUP.hta"
Const MaxWindow = 3
Const blnWait = True

Set objShell = CreateObject("wscript.shell")
objShell.Run strProg,maxWindow,blnWait

subcreateProcess

End Sub

Sub subcreateProcess
Dim obj 'uses get method to get win32_process so we can launch new explorer
Set obj = objWMIService.Get("win32_process")
obj.create("explorer.exe")
End sub

End If

WScript.Quit()
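
Logon.vbs treats the existence of a file named after the user as proof of acceptance, so it is worth confirming that each record on the share was written by the account it names. The PowerShell audit below is an added example, not part of the original post; it assumes the placeholder share path used in AUP.vbs and that NTFS ownership on the share reflects the account that created each file.

```powershell
# Added example: audit the acceptance records written by AUP.vbs.
# $RecordShare repeats the placeholder path from the article; change it for your environment.
param(
    [string]$RecordShare = '\\server_name\share_Drive\AUP'
)

function Test-AupRecord {
    param([System.IO.FileInfo]$File)

    # AUP.vbs names the file after %USERNAME%
    $claimedUser = $File.BaseName

    # NTFS owner of the file, e.g. DOMAIN\jsmith; keep only the account part
    $owner     = (Get-Acl -LiteralPath $File.FullName).Owner
    $ownerName = ($owner -split '\\')[-1]

    # AUP.vbs writes "<user> signed the User Agreement on <date>" into the file
    $signedUser = $null
    foreach ($line in Get-Content -LiteralPath $File.FullName) {
        if ($line -match '^(.+) signed the User Agreement on ') {
            $signedUser = $Matches[1]
            break
        }
    }

    [pscustomobject]@{
        File        = $File.Name
        ClaimedUser = $claimedUser
        Owner       = $owner
        SignedUser  = $signedUser
        OwnerMatch  = ($ownerName -ieq $claimedUser)
        BodyMatch   = ($signedUser -ieq $claimedUser)
        Written     = $File.LastWriteTime
    }
}

# List only the records whose owner or signed line disagrees with the file name
Get-ChildItem -LiteralPath $RecordShare -Filter '*.txt' -File |
    ForEach-Object { Test-AupRecord -File $_ } |
    Where-Object { -not ($_.OwnerMatch -and $_.BodyMatch) } |
    Sort-Object Written |
    Format-Table -AutoSize
```

Records created by administrative accounts can show a group such as BUILTIN\Administrators as owner, so review those rows by hand rather than treating them as mismatches.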

That is it! A very simple and effective way to display a one-time user agreement without any third-party software. I hope this helps anyone out there in the same situation. Let me know what you think in the comments below.


Hi, my name is Ali. I am a Systems Engineer. I live in the beautiful Evergreen state. I have a Bachelor degree of science in Information Technology with a handful of accompanying I.T. certificates. I also have a degree in Computer Networking. I am an Apple Certified Technician, Microsoft MCITP and a Linux expert.

22 Comments

  1. Stan92 · October 8, 2013

    Nice.. 🙂
    Have some questions..
    First of all, let’s say I have 20 computers connected to an AD. Do I have to install the script on all the workstations?
    Other question, I didn’t test the code, but question is, if I have already “Click” on “Accept”, the next time I log on, do I have to click again on “Accept” ?

    Thanks…

    • Ali · October 8, 2013

      Thank you 😉

      – you do not have to load the script on all the workstations, but somewhere on a shared drive (sysvol) where it can be set as a logon script.

      – If you click on Accept, the agreement will not load anymore for you, but it will appear again for new users.

      Hope this answers your questions

  2. Stan92 · October 8, 2013

    Ali,
    I thank you for your reply and yes I got my answers 😉

  3. Stan92 · October 27, 2013

    Hi again,
    Could you please tell me what wmiNS = "\root\cimv2" is for?
    Thanks

  4. Tomas · November 4, 2013

    This is exactly what I was looking for, but there is one problem…I'm not very good with scripts so I could use some help. It says that AUP.hta calls for AUP.vbs, but all I can see in the AUP.hta script is

    25 objShell.Run "\\server_name\sysvol\domain\scripts\AUP\logon.vbs"

    Even if I change logon.vbs to AUP.vbs and set all share permissions and directories, it will appear at user logon, it will log off the user if he does not agree, and it will let the user in if he agrees.
    NOW the problem is it won't write the text file so the AUP screen appears on every logon.
    Please help me to understand what I'm doing wrong.
    Thanks

    • Ali · November 4, 2013

      Tomas, you are right! I had a typo in line 25. AUP.hta should call AUP.vbs! fixed 😉

      The reason why the agreement shows up for you every time you log in, makes me think that the AUP.vbs script is not able to write the text file for you. If you manually navigate to the location where you specified it to write your txt file. Can you see newly created txt files by the script there?

      If yes! then check the Logon.vbs script line 6. This is the line that also checks if the txt file exists or not! If it can not check, or the txt file does not exist, then it will launch the agreement again!

      I would start with checking the AUP.vbs script (just double click on the script to launch it) and then navigate to where it is supposed to create the txt file and see if it did or not!

      Another thing you can try is, in AUP.vbs and Logon.vbs, remove line 1 “On Error Resume Next” then run the scripts, if you get error messages, try to see what the message is and what is it complaining about to narrow down your problem. Once you figure it out, you can add line 1 back in again!

      Let me know how it works out 😉

  5. Tomas · November 4, 2013

    1. If I manually run AUP.vbs on my server it creates the text file. I have set folder permissions for domain users for read and write for the folder where the text files should be written.
    2. (I might be wrong here) the startup script GPO is under User Configuration and it points to network location starting with \\server name……path
    If I use logon.vbs script as a startup script nothing happens at user logon, if I use AUP.hta file, I get the user agreement and I can click Agree or Disagree (logon or logoff), but next time I login, it shows again.
    I'm not sure which startup script to actually use.
    here is my setup
    https://www.dropbox.com/s/xfztx4oos71vzpr/AUP%20Settings.zip
    I have changed the computer name to “computer-name”
    I thank you very much

    • Ali · November 4, 2013

      Tomas, you have to use logon.vbs script at logon, you can not use AUP.vbs at logon, if you do, you will always get the agreement! The whole reason for logon.vbs is to check if the txt file exists or not so it can decide whether to show you the agreement or not.

      Make sure that when you use the logon.vbs script as a logon script that there are no txt files created. If there are txt files created by the script, then it is a normal behavior for logon.vbs to not show you anything because there is already a txt file for that specific user.

      Try to adjust your policy to use logon.vbs as the logon script and clear ALL txt files you have created and let me know.

  6. Tomas · November 5, 2013

    It works great but with one little glitch.
    When a user logs in for the first time it shows the “User Agreement”…check
    If I click “Disagree” it logs the user off…check
    If I click “Agree” it writes the text file and logs the user in…check

    The glitch is that after clicking on “Agree” button it shows the “User Agreement” again and it also starts the windows explorer and it opens windows libraries folder too. I can start doing anything on the computer and ignore the agreement that is now stuck in the middle of the desktop, or to click agree again, to get rid of it.
    It won’t start the agreement again next time I login, so the only “problem” is the second user agreement popup on the first login.
    Any ideas
    this is my current setup
    https://www.dropbox.com/s/6wb05srw0kj8s5q/AUP-scripts.zip

  7. Tomas · November 5, 2013

    ok
    in logon.vbs I took out line number 49
    obj.create("explorer.exe")
    and it does not open the windows libraries windows after clicking on “Agree”
    but the “User Agreement” still shows up twice

  8. Tomas · November 6, 2013

    ok I had to put the line 49 back, it was giving problems, but the agreement still shows up twice and the second time I click the agree button it opens the libraries window.
    when I run the AUP.hta without the logon script it shows the agreement once and it writes the text file…something in the logon script I guess?

    Set objShell = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    UserName = objShell.ExpandEnvironmentStrings("%USERNAME%")

    If (fso.FileExists("\\ISC-DC\AUP-users\" & UserName & ".txt")) Then
    WScript.Quit()

    Else

    dim strComputer
    dim wmiNS
    dim wmiQuery
    dim objWMIService
    dim colItems
    dim objItem
    Dim strOUT

    strComputer = "."
    wmiNS = "\root\cimv2"
    wmiQuery = "Select processID from win32_process where name = 'explorer.exe'"

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & wmiNS)
    Set colItems = objWMIService.ExecQuery(wmiQuery)

    For Each objItem in colItems
    objItem.terminate(1)
    subLaunch
    Next

    Sub subLaunch
    Dim objShell
    Dim strProg

    strProg = "\\ISC-DC\AUP-scripts\AUP\AUP.HTA"
    Const MaxWindow = 3
    Const blnWait = True

    Set objShell = CreateObject("wscript.shell")
    objShell.Run strProg,maxWindow,blnWait

    subcreateProcess

    End Sub

    Sub subcreateProcess
    Dim obj 'uses get method to get win32_process so we can launch new explorer
    Set obj = objWMIService.Get("win32_process")
    obj.create("explorer.exe")

    End sub

    End If

    WScript.Quit()

  9. Tomas · November 6, 2013

    Everything works!!! I thank you very much for providing this amazing script and all your help. You rock!

  10. Tomas · November 7, 2013

    Still fighting a little but it's not your fault or mine. Windows 7 UAC is blocking the script from running. Did you have this problem? And if so, how did you solve it?

    • Ali · November 7, 2013

      There is a registry fix that you can implement or push out with a GPO to fix your issue. If you google UAC preventing user startup scripts, you will see many results and how to fix it!

  11. Khurram Bakhsh · January 27, 2014

    Great Job!!! 🙂

    Thanks,
    Khurram.

  12. Bill Chandler · September 8, 2015

    Hi,
    Firstly, wanna say that this script was extremely helpful to what I needed to do and I thank you for creating it.
    One thing I wanted to say is that it didn’t have much security against those that don’t like following rules (like students for example), it does have code that stops exit keys but there are still ways to get out of it, so I added in the following code to block them from doing anything silly:

    sub DisableTaskMgr
    Dim WshShell,System
    System="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
    Set WshShell=CreateObject("WScript.Shell")
    Wshshell.RegWrite System, "REG_SZ"
    WshShell.RegWrite System &"\DisableTaskMgr", 1, "REG_DWORD"
    end sub

    It just disables the user from opening the task manager. Which was still possible with the vanilla code.
    Thought it might be useful to anyone else that wants to stop users leaving the AUP without agreeing.

    • Ali · September 14, 2015

      Thank you Bill! I have not tried this yet, but, will it completely disable the Task Manager even after the user successfully logs on? Also, since this is a registry edit, I am assuming the computer will need to be restarted for the setting to work?

  13. Kyra · May 11, 2016

    Hi Ali,

    Brilliant script. I had been using a powershell script all this time and doing numerous other bits but pretty unsightly (and messy!) to be honest! This is far simpler.

    I was just wondering how long it should take to load the HTA file upon logon? I am testing and currently, our users are getting the file load after the desktop has already loaded. Also, it is prompting to ask which program they wish to open the program with. I am doing this currently for Windows 10.

    Many thanks,
