2

I want to hook into the domain user login system and handle my own local profile creation. I have two basic related questions:

  1. How do I intercept the domain user authentication?
  2. Can I handle the creation of user profiles myself?
    • Using roaming profiles is not an option
    • Using mandatory profiles is also not an option

Target platforms: Windows 7 Enterprise, Professional, Home Premium (optional)

I don't mind using Active Directory, but I would prefer to use Linux (Samba 4?) software because my servers will all be running Linux. This is relatively unrelated because I just want some documentation, or even what to search for on Google.

EDIT: I found this link on Microsoft's MSDN webpage.

I also found this to be really helpful in getting started with customizing GINA.

Do I need any special software to create an authentication package? Can I access a web or network resource from this script to validate credentials?

beatgammit

4 Answers

2

What you could do in this case is create a Windows service running with LocalSystem privileges and have your credential provider communicate with it.

When a user enters his/her credentials into the ICredentialsProvider, it would contact the Windows service, and the service will handle the authentication.

Upon a successful authentication, the service should verify that such an account is locally present on the system, and otherwise create a new local account with NetUserAdd and log that account into the system.

Bear in mind that ICredentialsProvider does not have the privileges to create a local account or use most of the Net* functions; that's why I'm suggesting creating a Windows service with LocalSystem privs.

Karim Agha
  • I like this answer. I thought of something like this myself, and it should work. I'll wait around for a day or two, and if there are no better answers, I'll go ahead and mark this correct. – beatgammit Apr 06 '11 at 02:51
  • Btw, I think that StackOverflow is a better place to ask such questions as they're more dev-related rather than admin-related. – Karim Agha Apr 07 '11 at 22:01
  • I created a question on StackOverflow. I figured that sys-admins would know more about how profiles work, but I guess in this case StackOverflow makes more sense... – beatgammit Apr 07 '11 at 22:49
1

If you just want to make a small number of changes to profiles then you might consider using Active Setup.

Once you set this up on the machine it will run just after the user's profile loads, and you can then make user-specific changes to their files/settings etc.

Adam
0

This isn't a full-blown answer, but I think it is a significant addition to the solution.

In Windows NT-based systems before Windows Vista, Microsoft used something called GINA (Graphical Interface and Authentication) to run a lot of the top-level authentication for user logins, but it also used something called WinLogin for the lower-level stuff. With GINA, a programmer could create a customized UI and authentication back-end for WinLogin, and WinLogin would call the methods necessary to handle login. But like everything else, with Vista, everything changed.

In Vista, Microsoft provided an interface called ICredentialProvider which allows the user to register a Credential Provider. Here is an article about why GINA was dropped which also gives a pretty nice intro to the new system.

Since this turned out to be more programming based than IT based, I'll go ahead and create a question on StackOverflow about the specifics on implementing this. It doesn't seem that any special software is necessary.

The second question still stands. I'll continue searching for an answer on whether I can handle my own profile creation. I think that it should be possible, but I'm not sure.

beatgammit
0

Most places I know that need to get information into new user profiles do so by modifying the Default User profile somehow. That profile gets imported into all new profiles, much like /etc/skel does on Unix systems. This is by necessity a stupid process, so launching custom scripts as part of the profile copy isn't really doable short of run-one-on-login scripts encoded into Default User.

sysadmin1138
  • Yeah, I knew about Default User profiles, but I only want to do this with some users, not everyone. If the user is not part of my system, I'll just do regular domain authentication and let the Default User profile do its thing. – beatgammit Apr 06 '11 at 02:52
  • @tjameson In that case, you might want to consider using a run-once-on-login script to do special setup if they're a member of a specific group (a group containing your system's users). It'll execute in the user's context so will be somewhat limited in what it can do, but should be pretty flexible. – sysadmin1138 Apr 06 '11 at 11:51
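As an added example (my own, not code from any of the answers above), here is the Active Setup registration Adam describes combined with the group-conditioned run-once logon script sysadmin1138 suggests, in PowerShell. The component GUID, script path and group name are placeholders I chose; the registry value names are the standard Active Setup ones.

```powershell
# Added example: a per-user, run-once Active Setup component (registered under HKLM)
# whose stub script runs in the logging-on user's context right after the profile is
# created, and only acts for members of a chosen group. GUID, path and group name
# below are placeholders, not values from the question or answers.
$ComponentId = '{11111111-2222-3333-4444-555555555555}'      # placeholder GUID
$StubScript  = 'C:\ProgramData\MyProfileSetup\setup.ps1'     # placeholder path
$GroupName   = 'MYDOMAIN\MySystemUsers'                      # placeholder group

# --- Machine-side registration (run once, elevated, by your deployment tooling) ---
function Register-ProfileSetupComponent {
    $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ComponentId"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '(Default)'   -Value 'Custom profile setup'
    # StubPath is executed as the user on their first logon after registration.
    Set-ItemProperty -Path $key -Name 'StubPath' `
        -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$StubScript`""
    Set-ItemProperty -Path $key -Name 'IsInstalled' -Value 1 -Type DWord
    # Winlogon copies this key to HKCU on first run and compares Version afterwards;
    # raise it to make the stub run again for every existing profile.
    Set-ItemProperty -Path $key -Name 'Version'     -Value '1,0,0,0'
    # Because StubPath runs for every new logon, lock down the ACL on the script
    # directory so only administrators can modify it; a writable stub is a
    # persistence point worth monitoring.
}

# --- Contents of setup.ps1 (runs as the logging-on user, no elevation) ---
function Invoke-ProfileSetup {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $inGroup = $false
    try { $inGroup = $principal.IsInRole($GroupName) } catch { $inGroup = $false }
    if (-not $inGroup) {
        # Not one of "my" users: leave the result of the Default User copy untouched.
        return
    }
    # User-specific setup goes here; it can only touch what the user can touch,
    # e.g. files under the new profile and values under HKCU.
    $target = Join-Path $env:USERPROFILE 'MyApp'
    New-Item -Path $target -ItemType Directory -Force | Out-Null
    New-Item -Path 'HKCU:\Software\MyApp' -Force | Out-Null
    Set-ItemProperty -Path 'HKCU:\Software\MyApp' -Name 'ProfileInitialized' -Value 1 -Type DWord
}
```

Install the stub file first, then call Register-ProfileSetupComponent once per machine; the body of Invoke-ProfileSetup is what goes into setup.ps1.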