What is the GINA hook, BUGina.dll?

A GINA hook is a program that will hook into the normal logon window (msgina.dll) and replace the default behavior with custom code written by a third party. We have taken advantage of this ability to provide a custom logon window that will provide many useful tools for a lab environment. The GINA hook will work in deployments of both Win2K and XP. The custom changes we have made include:

Roaming Profile Enforcement

This allows the administrator to set a roaming profile path that is forced on any account that logs on to that machine. The profile path can be specified via Group Policy and may contain %username%. When creating the roaming profile, make sure that the permissions on the registry hive, folders and file share make it accessible to your target audience. For example, if your lab is going to be used by everyone on campus you would allow BU_users access to the profile; if it will be used only by students in Chemistry classes you might allow access only to BU_cas_ch.

Administrator Override

The GINA hook has the ability to enumerate group membership of a specified group name. If the account logging on to the machine is part of this group, it will use a custom profile path specified by the administrator instead of using the default profile. E.g., a “-adm” account might want to use a roaming profile path of \\server\share\%username% instead of the default \\server\share\mandatory.man profile. Through the GINA hook group policy settings you can specify a default profile and then a list of groups and associated profiles for each group. This gives an administrator the greatest flexibility in providing multiple roaming profiles based on the type of user that is logging on to the machine.
Note: The account must be explicitly part of the specified group; nested groups are not supported in this version of the GINA hook implementation.

Default Authentication to the bu.edu UNIX Kerberos Realm

By default, the GINA hook will transform the Ctrl-Alt-Del window to display only a username and password dialog box. When the GINA hook runs in this mode, the only option is to log on to the bu.edu UNIX Kerberos realm; the domain dropdown list is hidden from view. Two options exist to override this behavior. If you want the logon window always to display the domain dropdown list, you can set the “Show domain dropdown list” option in the Group Policy “ginahook Custom Settings”. If, on a specific occasion, you need to log on to another domain, you can click in the password text box, type in your password, then hit Shift-Backspace. This will display the domain dropdown list. The next time the Ctrl-Alt-Del screen is displayed it will revert to its usual behavior, hiding the dropdown list.

How do I install the BU GINA hook?

Installation of the GINA hook requires three steps: (1) installation of bugina.dll on each workstation, (2) customizing the GINA hook settings via group policy, and (3) activation of the GINA hook. The group policy contains settings for how the GINA hook should operate in your environment (e.g., ProfilePath, AdminGroup, debugmode, etc.).

The custom interface will not become active until you enable the GINA hook by completing step 3. Once you have activated the GINA hook you should see a version number in the lower right hand corner of the logon screen (e.g. 2.1.5). If you don’t see a version number, something has been misconfigured on the workstation. You can prepare your workstations to use the GINA hook by completing the first two steps, delaying the third step until you are ready to activate the GINA hook.

  1. Install BuGina.dll onto each client.
    1. Go to the share “\\adc1\ginahook\current\” and run the program BUGina.exe. This simply copies bugina.dll onto the workstation’s local disk. The GINA hook will NOT become active until you complete step 3.
  2. Customize and activate the GINA hook. In this step you create a new Group Policy on the OU where you want the GINA hook to become active. This group policy will contain information on how the GINA hook should operate in your environment.
    1. Create a new group policy on your OU and call it “TLA-Ginahook Settings”, where “TLA” is the name of your OU.
    2. Open the new group policy and navigate to Computer Configuration->Administrative Templates. Right click the Templates folder and select Add New Templates.
    3. Browse to “\\adc1\ginahook\current\” and select the adm template called ginavXXX.adm (e.g. ginav215.adm). This will link the most recent GINA hook settings into this group policy. You must do this each time you create a new policy into which you want to incorporate the GINA hook settings.
    4. Once the template has been added to the policy, browse to Computer Configuration -> Admin Templates -> System -> GinaHook. Here you can specify how the GinaHook operates. To read more about these settings, view the Explain tab in the GPO window.
  3. After you have completed the preceding steps, you can activate the GINA hook by using either of two methods.
    1. Method 1: You can manually add a registry value of type REG_SZ called GinaDLL to the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The value should be set to BUGina.dll. On a reboot the GINA hook will become active. Anytime you want to deactivate the GINA hook you can erase the GinaDLL value and reboot the machine.
    2. Method 2: This involves using group policy. This method achieves the same goal as the first but does it through group policy instead of having to manually add the registry entry to each machine. First you will have to load the new template, called ginaActivate.adm, into your group policy.
      1. Open the new group policy and navigate to Computer Configuration->Administrative Templates. Right click the Templates folder and select Add New Templates.
      2. Browse to “\\adc1\ginahook\v2.0\” and select ginaActivate.adm. This will link the necessary settings into this group policy. Navigate to Computer Configuration->Admin Templates->System->Logon.
      3. You should see a new policy, Ginahook Activation. If you do not see it, you will need to set up the Group Policy window to display custom templates. To do this, follow the instructions below. The setting is found in different locations, depending on the OS you are using to run the admin tools.
        1. On Windows 2000: Make sure the “Show Policies Only” option on the View menu does NOT have a check mark next to it.
        2. On Windows XP: Select “Filtering” from the View menu and un-check “Only show group policy settings that can be fully managed”.
      4. To activate the GINA hook, select the “Ginahook Activation (bugina.dll)” policy and enable the dll. This will hook bugina.dll into the interface on the next reboot of the workstation. To read more about what this does, view the Explain tab.

Note: If you activate the GINA hook, the file bugina.dll MUST be located in the system32 directory on the workstations to which this policy applies. If it is NOT installed, your workstations will not allow you to log on, and instead will display an error message about being unable to load bugina.dll. If this happens, remotely connect to the registry and delete the value GinaDLL from the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Once the value has been erased, make sure you deactivate the GINA hook from the Group Policy and then reboot your workstation to revert to normal behavior.
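
A check for the failure described in the note above, as an added example (not part of the original page or of the BU tooling): it reads GinaDLL remotely and confirms that bugina.dll is staged in system32, both before activation and when recovering. The workstation names are placeholders, and it assumes the Remote Registry service and the admin$ share are reachable from a management machine running PowerShell 3 or later.

```powershell
# Added example: audit GINA hook state on lab workstations.
$Workstations = 'LAB-PC-01', 'LAB-PC-02'        # placeholder host names
$WinlogonKey  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected     = 'BUGina.dll'                    # value the page tells you to set

function Get-GinaState {
    param([Parameter(Mandatory)][string]$Computer)

    try {
        # Same operation as "remotely connect to the registry" in the note.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key  = $hklm.OpenSubKey($WinlogonKey)
        $gina = $key.GetValue('GinaDLL')        # $null when the value is absent
        $key.Close(); $hklm.Close()
    } catch {
        return [pscustomobject]@{
            Computer = $Computer; GinaDLL = $null; DllStaged = $null
            Status   = "UNREACHABLE: $($_.Exception.Message)"
        }
    }

    # admin$ maps to %SystemRoot%, so this is the workstation's system32.
    $staged = Test-Path "\\$Computer\admin`$\system32\$Expected"

    # -eq on strings is case-insensitive, so bugina.dll matches BUGina.dll.
    $status =
        if     (-not $gina -and $staged)      { 'READY: DLL staged, hook inactive' }
        elseif (-not $gina)                   { 'NOT INSTALLED: run BUGina.exe first' }
        elseif ($gina -eq $Expected -and $staged) { 'ACTIVE' }
        elseif ($gina -eq $Expected)          { 'LOCKOUT RISK: GinaDLL set, DLL missing' }
        else                                  { 'REVIEW: GinaDLL names an unexpected DLL' }

    [pscustomobject]@{
        Computer = $Computer; GinaDLL = $gina; DllStaged = $staged; Status = $status
    }
}

# To recover a workstation flagged LOCKOUT RISK, delete the value remotely
# (uncomment; requires write access to the remote registry):
#   $k = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', 'LAB-PC-01').
#            OpenSubKey($WinlogonKey, $true)
#   $k.DeleteValue('GinaDLL'); $k.Close()

$Workstations | ForEach-Object { Get-GinaState $_ } | Format-Table -AutoSize
```

Run it against the OU's workstations before enabling the activation policy; any machine not reported as READY or ACTIVE should be fixed first. A REVIEW result is also worth investigating on its own, since GinaDLL controls which code handles every logon.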
