claudetools/clients/cascades-tucson/scripts/caregiver-lockdown.ps1
Howard Enos bf491354e3 sync: auto-sync from HOWARD-HOME at 2026-06-05 17:35:42
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-05 17:35:42
2026-06-05 17:35:53 -07:00


# CSC - Caregiver Device Lockdown - computer STARTUP script (runs as SYSTEM each boot, idempotent).
# Deployed by GPO 'CSC - Caregiver Device Lockdown' linked to OU=Caregiver Devices.
# Settings (Howard, 2026-06-05): lock at 3 min, auto sign-out at 15 min with 90s warning, never sleep.
# NOTE(review): every failure in this script is swallowed (SilentlyContinue) and nothing is logged, so a
# device on which a step failed is silently non-compliant. Consider recording failures (transcript or
# event log) so compliance can be checked from the management side.
$ErrorActionPreference = 'SilentlyContinue'

# 1) LOCK: InactivityTimeoutSecs under the System policy key = 180s (3 min). The OS itself locks the
#    workstation once the session has been idle that long; this does not depend on the per-user
#    monitor written in step 3.
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path -Path $sysKey)) {
  $null = New-Item -Path $sysKey -Force
}
$lockTimeout = @{
  Path  = $sysKey
  Name  = 'InactivityTimeoutSecs'
  Type  = 'DWord'
  Value = 180
}
Set-ItemProperty @lockTimeout
# 2) POWER: display off after 10 min; sleep and hibernate disabled (0 = never), on both AC and
#    battery. The shared station must stay reachable, and a sleeping PC cannot run the idle sign-out.
# NOTE(review): powercfg /change edits the currently active power scheme; if a different scheme is
#    activated later these values do not carry over — confirm that is acceptable for these devices.
$powerTimeouts = @(
  @('monitor-timeout-ac',   10),
  @('monitor-timeout-dc',   10),
  @('standby-timeout-ac',    0),
  @('standby-timeout-dc',    0),
  @('hibernate-timeout-ac',  0),
  @('hibernate-timeout-dc',  0)
)
foreach ($entry in $powerTimeouts) {
  powercfg /change $entry[0] $entry[1]
}
# 3) Drop the idle-monitor script that runs in each caregiver's session (rewritten every boot).
# NOTE(review): the directory and file get whatever ACL they inherit from C:\ProgramData; nothing here
#    sets one explicitly. Since the file is later executed with -ExecutionPolicy Bypass in every user's
#    session, confirm on a deployed box that only SYSTEM/Administrators can write to the directory and
#    the file, and set an explicit ACL if the inherited defaults are looser — TODO verify.
# NOTE(review): the monitor runs under the logged-on user's own account, so it is a best-effort
#    convenience control; the SYSTEM-enforced lock in step 1 is the hard control.
$dir = 'C:\ProgramData\Cascades'
if (-not (Test-Path -Path $dir)) {
  $null = New-Item -ItemType Directory -Path $dir -Force
}

# Per-session monitor source. Single-quoted here-string: nothing is expanded at write time.
# It polls GetLastInputInfo every 10s, shows a 90s msg.exe warning at 810s idle (13.5 min), signs
# out via shutdown.exe /l at 900s (15 min), and re-arms the warning once input resumes.
# NOTE(review): msg.exe '*' addresses every session on the machine, so other concurrently logged-on
#    users would also see the warning — verify that is intended.
$monitor = @'
# Idle warning + auto sign-out. Runs in the logged-on user's session (scheduled task, at logon).
$ErrorActionPreference = "SilentlyContinue"
Add-Type @"
using System; using System.Runtime.InteropServices;
public class IdleTimer {
[StructLayout(LayoutKind.Sequential)] struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
[DllImport("user32.dll")] static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
public static uint Seconds() {
LASTINPUTINFO lii = new LASTINPUTINFO(); lii.cbSize = (uint)Marshal.SizeOf(lii);
GetLastInputInfo(ref lii);
return ((uint)Environment.TickCount - lii.dwTime) / 1000;
}
}
"@
$warnAt = 810 # 13.5 min -> show 90s warning
$logoffAt = 900 # 15 min -> sign out
$warned = $false
while ($true) {
$idle = [IdleTimer]::Seconds()
if ($idle -ge $logoffAt) { & shutdown.exe /l; break }
elseif ($idle -ge $warnAt -and -not $warned) {
$warned = $true
& msg.exe * /TIME:90 "You will be signed out in 90 seconds due to inactivity. Move the mouse or press a key to stay signed in."
}
if ($idle -lt $warnAt) { $warned = $false }
Start-Sleep -Seconds 10
}
'@

$monitorPath = Join-Path -Path $dir -ChildPath 'idle-logoff.ps1'
Set-Content -Path $monitorPath -Value $monitor -Encoding UTF8 -Force
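# 4) Register the scheduled task: runs the monitor in each interactive user's session at logon.
#    Principal is BUILTIN\Users (S-1-5-32-545) at Limited run level, so the monitor runs as the
#    logged-on user with no elevation. The -File path must match $dir from step 3.
$taskName  = 'CSC Caregiver Idle Logoff'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\Cascades\idle-logoff.ps1"'
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545' -RunLevel Limited
# Parallel instead of IgnoreNew: the instance policy is per task, not per session. With IgnoreNew, a
# second user logging on while another user's monitor is still running (switch user at the lock
# screen) gets no monitor at all, so that session is never auto signed out. Confirm on a box with two
# concurrent sessions. No execution time limit: the monitor loops for the life of the session.
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit ([TimeSpan]::Zero) -MultipleInstances Parallel
# Re-create rather than update so a changed action or settings always wins (idempotent per boot).
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Description 'Idle warning + auto sign-out (15 min total, 90s warning) for shared caregiver devices.' | Out-Null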