I am not sure about your specific requirements, but you may try Disable-LocalUser; when the user is disabled, they won't be able to log in, and you may use another script called Enable-LocalUser, which will let the user log in when you enable the account. Consider you are using a local account. Have a look at:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/disable-localuser
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/enable-localuser
Help to write a script which will deny user login to a Windows computer when a specific condition is not fulfilled
Hi,
We are trying to implement security for user login. We have a self-developed application which pairs a Bluetooth device to the user's computer. Now we want to write a script which will deny user login when this application returns false. User login should succeed when this application returns true. This should be implemented for user login after reboot and also for user login after unlock of the user's computer.
Could anyone guide me on how to implement this feature? Can writing a user logon script help me to implement such user login security? Or is there any other method to implement this feature?
Regards,
Tushar
2 answers
Reza-Ameri 45,721 Reputation points Volunteer Moderator
2022-06-10T14:28:48.673+00:00 -
MTG 1,256 Reputation points
2022-06-17T14:00:10.46+00:00
It's possible.
When the Bluetooth device connects, an event gets logged. Based on that event, you could trigger a scheduled task that does whatever is needed to enable logon.
When that BT device disconnects, an event gets logged and that would trigger a task that disables what is needed to log on.
I give you three examples of what the task could do:
1. When using virtual smartcards as the logon method: enable/disable the virtual smartcard reader (tested, works)
2. When using real smartcards: disable the smartcard credential provider altogether (untested)
3. When using passwords: use ntrights.exe to add/remove local logon permission (tested)
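
One script the event-triggered scheduled task described above could run, using the Enable-LocalUser/Disable-LocalUser cmdlets from the other answer. This is an added example, not code posted in the thread; the account names, the application path and the exit-code convention (0 means paired) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Intended to be run by a scheduled task
# that fires on the Bluetooth connect/disconnect events mentioned above.
param(
    [string]$UserName = 'kiosk-user',                               # hypothetical local account to gate
    [string]$CheckApp = 'C:\Program Files\PairCheck\paircheck.exe', # hypothetical path to the pairing app
    [string[]]$NeverDisable = @('breakglass-admin')                 # hypothetical recovery account(s)
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$user = Get-LocalUser -Name $UserName

# Lockout guard: never touch the built-in Administrator (RID 500) or a recovery account.
if ($user.SID.Value -match '-500$' -or $NeverDisable -contains $user.Name) {
    throw "Refusing to manage protected account '$($user.Name)'."
}

# Assumption: the app exits with code 0 when the device is paired ("true")
# and non-zero otherwise. Any failure to run it counts as "false" (fail closed).
$paired = $false
try {
    & $CheckApp | Out-Null
    $paired = ($LASTEXITCODE -eq 0)
} catch {
    Write-Warning "Pairing check could not run: $($_.Exception.Message)"
}

# Only change the account when its state differs from the check result.
if ($paired -and -not $user.Enabled) {
    Enable-LocalUser -Name $user.Name
    $action = 'enabled'
} elseif (-not $paired -and $user.Enabled) {
    Disable-LocalUser -Name $user.Name
    $action = 'disabled'
} else {
    $action = 'unchanged'
}

# One line per run that the task's output redirection can keep for audit.
"{0:o} user={1} paired={2} action={3}" -f (Get-Date), $user.Name, $paired, $action
```

Because the script fails closed, keep at least one enabled administrative account outside its control so a broken or missing pairing application cannot lock everyone out of the machine.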