This article explains how to control the Windows UI for individual local accounts on a device: one account is limited to a single application, another may use several applications. Kiosk-mode devices need this kind of per-account control of the Windows UI. The article [Local account creation] explains how to create the accounts used here.

>>Previous article sample code

namespace WPFLockdownSample
{
    public partial class App : Application
    {
        DataAccessLayer dataAccessLayer = new DataAccessLayer();
        void App_Startup(object sender, StartupEventArgs e)
        {
            ...
            if (dataAccessLayer.ReadLogs().Count == 0)
            {
                ...
                //CoreApplication.Exit();
            }
            else
            {
                ...
                //[Desktop UI control] explains how to check the current user and how to set up the logon script
                //if (UserName == "maintenanceOperator") navigate to MaintenanceWindow
                //if (UserName == "appOperator") register this app as the logon script and exit;
                //the app is then started automatically whenever this account signs in
                //if (UserName == "appUser") same as for appOperator
            }
            ...
        }
    }
}

・Check current user

This article explains how to check the current user and then, for specific users, prevent Windows Explorer from running and present a desktop without icons, so that the single application assigned to that user is what launches when the user logs on.

The check of the current user is implemented in the [DataAccessLayer] class in 'AccountManager.cs'.

using System.Security.Principal;
...
    public partial class DataAccessLayer
    {
        // WindowsIdentity.Name has the form "MACHINE\user" (or "DOMAIN\user"),
        // so the authority prefix is removed here; otherwise the comparisons
        // against "appOperator" and "appUser" further down never match.
        public string CurrentUserName
        {
            get
            {
                string name = WindowsIdentity.GetCurrent().Name;
                int sep = name.LastIndexOf('\\');
                return sep >= 0 ? name.Substring(sep + 1) : name;
            }
        }
        ...
    }

>>This article sample code

In this article the flow is chosen by user name. If you need to choose the flow by group membership instead, use the [GroupPrincipal] class of the 'System.DirectoryServices.AccountManagement' namespace, for example [GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupname);] (see this article). Note that a null [group] means the group does not exist on the machine, not that the user is outside it; to test membership, look up the current user as a [UserPrincipal] and call [user.IsMemberOf(group)].
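The group-based variant described above, as an added example that is not part of the original article's code. The local group names (KioskMaintenance, KioskOperators, KioskUsers) and the [FlowSelector] class are assumptions for illustration; the example fails closed when the user is in none or more than one of the groups, and it reports a missing group instead of silently treating it as "not a member":

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

namespace WPFLockdownSample
{
    public enum UserFlow { Maintenance, Operator, User, Unknown }

    public static class FlowSelector
    {
        // Assumed local group names; the original article names only the user accounts.
        public const string MaintenanceGroup = "KioskMaintenance";
        public const string OperatorGroup = "KioskOperators";
        public const string UserGroup = "KioskUsers";

        // True only when the group exists on this machine and the current user is a member.
        // A null from GroupPrincipal.FindByIdentity means "no such group", which is a
        // provisioning error worth logging, not "the user is not a member".
        public static bool IsCurrentUserInLocalGroup(string groupName, Action<string> log)
        {
            using (var context = new PrincipalContext(ContextType.Machine))
            using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, IdentityType.SamAccountName, groupName))
            {
                if (group == null)
                {
                    log("Local group [" + groupName + "] does not exist");
                    return false;
                }
                // Look the user up by SID rather than by name: an account can be renamed
                // or re-created under the same name, its SID cannot.
                string sid = WindowsIdentity.GetCurrent().User.Value;
                using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, sid))
                {
                    return user != null && user.IsMemberOf(group);
                }
            }
        }

        // Cheaper alternative with no directory lookup: ask the logon token directly.
        // Group changes made after sign-in are not reflected here until the next sign-in.
        public static bool TokenHasLocalGroup(string groupName)
        {
            var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
            return principal.IsInRole(Environment.MachineName + "\\" + groupName);
        }

        // Exactly one group must match. An account in several kiosk groups, or in none,
        // gets UserFlow.Unknown so that App_Startup can exit instead of guessing.
        public static UserFlow SelectFlow(Action<string> log)
        {
            bool maint = IsCurrentUserInLocalGroup(MaintenanceGroup, log);
            bool oper = IsCurrentUserInLocalGroup(OperatorGroup, log);
            bool user = IsCurrentUserInLocalGroup(UserGroup, log);
            int hits = (maint ? 1 : 0) + (oper ? 1 : 0) + (user ? 1 : 0);
            if (hits != 1)
            {
                log("User matches " + hits + " kiosk groups; expected exactly one, refusing to pick a flow");
                return UserFlow.Unknown;
            }
            if (maint) return UserFlow.Maintenance;
            if (oper) return UserFlow.Operator;
            return UserFlow.User;
        }
    }
}
```

In [App_Startup] this replaces the string comparisons: call [FlowSelector.SelectFlow(msg => ...)] with the project's logging, and treat [UserFlow.Unknown] the same way as the "no logs yet" branch, that is, exit.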

In the [App_Startup] method of the [App] class, read the [CurrentUserName] property of the [DataAccessLayer] class to get the current user name, then check the name and navigate to the matching flow.

namespace WPFLockdownSample
{
    public partial class App : Application
    {
        // A property cannot be declared at namespace level; it belongs to the class.
        public string UserName { get; private set; }
        DataAccessLayer dataAccessLayer = new DataAccessLayer();
        void App_Startup(object sender, StartupEventArgs e)
        {
            ...
            if (dataAccessLayer.ReadLogs().Count == 0)
            {
                ...
                //CoreApplication.Exit();
            }
            else
            {
                ...
                UserName = dataAccessLayer.CurrentUserName;
                //if (UserName == "maintenanceOperator") navigate to MaintenanceWindow
                if (UserName == "appOperator") { ... }
                if (UserName == "appUser") { ... }
            }
            ...
        }
    }
}

・How to control single specific application which specific user can use

The accounts appUser and appOperator may use only the user application, so the next two steps are run before the user application is launched, restricting these accounts to a controlled Windows UI:

1. Kill the Windows Explorer process (explorer.exe)

2. Clear the user's Windows desktop

Both steps only change what the user sees. They run under the restricted user's own account and write only to that user's registry hive, so on their own they are not a security boundary. The code that kills the Windows Explorer process is below.

    using System.Diagnostics;
    ...
    public List<Log> RestrictForSpecificUser()
    {
        List<Log> result = new List<Log>();
        //logging "User[{0}] is logon : ", CurrentUserName
        if (CurrentUserName == "appOperator" || CurrentUserName == "appUser")
        {
            //logging "Set logon script for user[{0}] : ", CurrentUserName
            //logging "Clear desktop of user[{0}] : ", CurrentUserName
            Process[] processes = Process.GetProcesses();
            foreach (Process p in processes)
            {
                try
                {
                    // The image is explorer.exe, so ProcessName is "explorer"; "explore" never matches.
                    // GetProcesses() lists every session, so this also targets other users' shells.
                    if (p.ProcessName == "explorer") p.Kill();
                }
                catch (Exception ex)
                {
                    Log log = new Log();
                    log.LogType = LogType.Information;
                    log.Message = "Fault killing process Windows explorer : " + ex.Message;
                    log.OccurredTime = DateTime.Now;
                    log.OperatorName = GetType().Name;
                    result.Add(log);
                }
            }
        }
        return result;
    }

・Clean Windows desktop

Killing the Windows Explorer process and clearing the Windows desktop belong together as a single restriction step for the specific account. The code that clears the Windows desktop is below.

using Microsoft.Win32;
...
    // CreateSubKey creates any missing intermediate keys and returns the opened key,
    // so the two-step open/create is not needed. OpenSubKey returns null when
    // "Policies" does not exist yet, which would throw a NullReferenceException.
    using (RegistryKey regkey = Registry.CurrentUser.CreateSubKey(
        @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"))
    {
        // NoDesktop = 1 hides all desktop icons for this user; Explorer reads it at start-up.
        regkey.SetValue("NoDesktop", 1, RegistryValueKind.DWord);
    }
...

・Logon script for specific user

The last step is to run the restriction from [App_Startup] for the appOperator and appUser accounts. Logging code is omitted below; registering the application itself to start at sign-in is only represented by the log line in [RestrictForSpecificUser].

namespace WPFLockdownSample
{
    public partial class App : Application
    {
        DataAccessLayer dataAccessLayer = new DataAccessLayer();
        public string UserName { get; private set; }
        void App_Startup(object sender, StartupEventArgs e)
        {
            if (dataAccessLayer.ReadLogs().Count == 0)
            {
                //user account creation
                //CoreApplication.Exit();
            }
            else
            {
                UserName = dataAccessLayer.CurrentUserName;
                //if (UserName == "maintenanceOperator") navigate to MaintenanceWindow
                if (UserName == "appOperator") { dataAccessLayer.RestrictForSpecificUser(); }
                if (UserName == "appUser") { dataAccessLayer.RestrictForSpecificUser(); }
            }
        }
    }
}
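The whole restriction procedure (kill Explorer, clear the desktop, start the application at sign-in), as an added example that is not the article's own code. Registering the executable under the per-user Run key is this example's assumption for "set this app as logon script", since the article does not show that step; the [Lockdown] class name and the [Action<string>] logging callback are also assumptions. The example differs from the original in three ways a practitioner would want: it ends only the explorer.exe in the current session, it cannot dereference a null registry key, and it reads the settings back so the caller can log whether the lockdown actually took effect:

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using Microsoft.Win32;

namespace WPFLockdownSample
{
    public static class Lockdown
    {
        const string ExplorerPolicyKey = @"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer";
        const string RunKey = @"Software\Microsoft\Windows\CurrentVersion\Run";
        const string RunValueName = "WPFLockdownSample";   // assumed name for the Run entry

        // Step 1: end explorer.exe in the calling user's session only. GetProcessesByName
        // returns instances from every session; killing another user's shell is both a
        // privilege problem and a denial of service against that user.
        public static int KillExplorerInCurrentSession(Action<string> log)
        {
            int session = Process.GetCurrentProcess().SessionId;
            int killed = 0;
            foreach (Process p in Process.GetProcessesByName("explorer"))
            {
                using (p)
                {
                    try
                    {
                        if (p.SessionId != session) continue;
                        p.Kill();
                        p.WaitForExit(5000);
                        killed++;
                    }
                    catch (Exception ex) when (ex is Win32Exception || ex is InvalidOperationException)
                    {
                        log("Fault killing explorer.exe pid " + p.Id + ": " + ex.Message);
                    }
                }
            }
            return killed;
        }

        // Step 2: hide the desktop icons through the per-user Explorer policy.
        // CreateSubKey creates missing intermediate keys, so there is no null to check.
        public static void SetNoDesktop(bool hide)
        {
            using (RegistryKey key = Registry.CurrentUser.CreateSubKey(ExplorerPolicyKey))
            {
                key.SetValue("NoDesktop", hide ? 1 : 0, RegistryValueKind.DWord);
            }
        }

        // Step 3: start this application at the user's next sign-in (HKCU Run key, assumed).
        // The path is quoted so that a space in it cannot be read as the end of the executable name.
        public static void RegisterAutoRun(string exePath)
        {
            using (RegistryKey key = Registry.CurrentUser.CreateSubKey(RunKey))
            {
                key.SetValue(RunValueName, "\"" + exePath + "\"", RegistryValueKind.String);
            }
        }

        // Reads the settings back; a failed write would otherwise go unnoticed until the next sign-in.
        public static bool IsApplied()
        {
            using (RegistryKey policy = Registry.CurrentUser.OpenSubKey(ExplorerPolicyKey))
            using (RegistryKey run = Registry.CurrentUser.OpenSubKey(RunKey))
            {
                bool noDesktop = policy != null && policy.GetValue("NoDesktop") is int v && v == 1;
                bool autoRun = run != null && run.GetValue(RunValueName) != null;
                return noDesktop && autoRun;
            }
        }

        // Runs the procedure for the restricted accounts only; returns whether it is in effect.
        // The policy is written before Explorer is killed, because Explorer reads it when it starts.
        public static bool Apply(string currentUserName, Action<string> log)
        {
            if (currentUserName != "appOperator" && currentUserName != "appUser")
            {
                return false;
            }
            string exePath = Process.GetCurrentProcess().MainModule.FileName;
            log("Clear desktop of user[" + currentUserName + "]");
            SetNoDesktop(true);
            log("Set logon script for user[" + currentUserName + "]");
            RegisterAutoRun(exePath);
            log("Killed " + KillExplorerInCurrentSession(log) + " explorer.exe instance(s) in this session");
            return IsApplied();
        }
    }
}
```

In [App_Startup] the two [RestrictForSpecificUser()] calls become [Lockdown.Apply(UserName, msg => ...)] with the project's logging. Because every write goes to HKCU under the restricted user's own token, the same user can undo all of it if they ever reach a shell or the registry editor; the steps hide the UI, they do not enforce anything.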
