0

I am creating time management software in C#. How can I ensure that when somebody has not entered time records the previous day, access to the system is restricted when he/she logs on to Windows?

Ex. Block Internet or block the PC

akeel

2 Answers

3

There are multiple ways you could cause reduced functionality, with varying levels of complexity and functionality.

The Proxy

The easiest "clean" solution, in my opinion, would be to write a service which runs on the local computer, and functions as an HTTP proxy. Local browsers get configured to use the proxy, and at your behest, you return a static page saying that the user should enter punches to continue.

The user may be able to bypass the proxy by reconfiguring proxy settings, or using a browser other than system default. Both of these problems can be overcome by most IT departments through Group Policy.

Related: Open Source Proxy Library for .Net

Complexity: moderate     Risk: moderate     Eww factor: low     Efficacy: moderate

Solitary confinement

In much the same way as a screensaver, you can create a secondary desktop and show your own window on the isolated desktop. Once you have collected the information you require, switch back to the default desktop, and destroy the one you created.

Related: Desktop Switching - CodeProject, Defrag Tools - Desktops

Complexity: moderate     Risk: low     Eww factor: low     Efficacy: high

No, no, cannot have

If we are going for ease of implementation, perhaps the simplest thing to do would be to simply send WM_CLOSE to any new process we don't like which opens. You can use the WindowOpenedEvent to examine new windows, then call Process.CloseMainWindow if you find it to be a process which you don't like.

The user, meanwhile, can get around by just reading really quick, or by preventing window messages from pumping via opening a modal dialog or otherwise. If the application you don't like asks the user if they want to close, this approach is somewhat neutered.

Complexity: low     Risk: moderate     Eww factor: high     Efficacy: low

Replacement Shell

If you specify an alternate value for the REG_SZ named Shell located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, you can cause your program to run in lieu of explorer. You can then check whether the user has been naughty or nice, and then conditionally start explorer.

The user can still bypass your application by starting explorer himself using Task Manager or otherwise.

Complexity: low     Risk: high     Eww factor: moderate     Efficacy: moderate

SRP or AppLocker

Group policy provides two methods for restricting what software gets run on a PC: Software Restriction Policies and AppLocker. Both have their merits and are both very different in what they seek to control. You could programmatically create policies for either using the HKCU\Software\Policies key by examining the admx files, or by using established APIs.

Group policy is only effective after a refresh occurs, which is typically at logon, so after the state is cleared, you would have to log off.

Related: How to modify local group policy setting programatically

Complexity: moderate     Risk: high     Eww factor: high     Efficacy: high

The Log-in UI

You could use a custom login UI to prevent the user from ever even logging in if their hours are not submitted. This seems a bit heavy handed, but hey, that's your prerogative. GINA got replaced in Vista with a new architecture, but there is an excellent sample available on MSDN. You would be working in unmanaged code for this one.

If the user can log in via another means (biometric or smartcard, for example), they may not see your dialog.

Complexity: high     Risk: low     Eww factor: low     Efficacy: high

Active Directory

If you are working in a domain, you could also just disable the user's account via ADSI or LDAP. However, doing so may not be reversible in a reasonable time schedule, and in many installations would be highly unadvisable due to integrations with other systems (door access controllers come to mind... no timecard = no access to building).

Furthermore, due to propagation delays in larger domains, any change may take minutes or hours until the user is affected.

Complexity: low     Risk: high     Eww factor: high     Efficacy: low

Mitch
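The "No, no, cannot have" approach from the answer above, sketched as an added example (not code from the original answer). It assumes a console program referencing UIAutomationClient and UIAutomationTypes; `HasTimeRecordsForPreviousDay` and the blocked process list are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading;
using System.Windows.Automation; // reference UIAutomationClient and UIAutomationTypes

static class WindowGate
{
    // Constructed sample list: process names (without .exe) to close while locked out.
    static readonly HashSet<string> Blocked =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "iexplore", "chrome", "firefox" };

    // Hypothetical stub: replace with a lookup against your time-record store.
    static bool HasTimeRecordsForPreviousDay(string user) { return false; }

    static void Main()
    {
        // Raised for every new top-level window on the current desktop.
        Automation.AddAutomationEventHandler(
            WindowPattern.WindowOpenedEvent,
            AutomationElement.RootElement,
            TreeScope.Children,
            OnWindowOpened);

        // Keep the process alive; handlers are invoked on other threads.
        Thread.Sleep(Timeout.Infinite);
    }

    static void OnWindowOpened(object sender, AutomationEventArgs e)
    {
        if (HasTimeRecordsForPreviousDay(Environment.UserName)) return;
        try
        {
            var element = (AutomationElement)sender;
            using (var proc = Process.GetProcessById(element.Current.ProcessId))
            {
                if (!Blocked.Contains(proc.ProcessName)) return;
                // Sends a close request only; the application may prompt or ignore it.
                bool sent = proc.CloseMainWindow();
                Console.WriteLine("{0} (pid {1}): close request sent = {2}",
                                  proc.ProcessName, proc.Id, sent);
            }
        }
        catch (ElementNotAvailableException) { } // window vanished before we read it
        catch (ArgumentException) { }            // process already exited
        catch (InvalidOperationException) { }    // process exited mid-query
    }
}
```

Matching on process name is easy to sidestep by renaming the executable, which is consistent with the low efficacy rating given for this approach.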
0

If you are on a domain using Active Directory you could lock their account which would keep them from being able to log into the computer.

vesuvious
  • Sorry, I didn't understand your answer and I am working on a local network – akeel Feb 27 '14 at 06:12
  • 1
    Organizations tend to group Windows computers in a "Domain" and accounts/computers/groups in the domain are managed by an application called "Active Directory". You can set policies in this application to restrict user access. If it is your home then you probably don't have this setup but this setup is considered normal for a company so if you are building code to sell to companies you should go this route. – vesuvious Feb 27 '14 at 06:17
  • That helps. I'll see what I can do with the Active Directory. Thank you – akeel Feb 27 '14 at 06:34