Re: iNTERACTIVE LOGON welcome screen - make it go away
- From: "Blackhole" <blackhole26removeme@xxxxxxxxxxx>
- Date: Sat, 3 Jun 2006 23:26:41 -0500
I created a custom ADM file for these two settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LegalNoticeCaption
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LegalNoticeText
and imported it into the GPO under the Computer Administrative templates.
Sure enough, when I opened the custom policy up and looked at it, it was
already enabled and the offending messages were filled in. I cleared the
fields, left them enabled, and will leave it that way for a week or two and
then disable them for a week or two. After that I will see if I can remove
the custom template and have it stick.
Thanks Steven. Now if I can only find out why the encrypted password
doesn't work in my SIF files.
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ZM2dnSwCEOTj5OLZRVn-jg@xxxxxxxxxxxxxx
Yes, in some cases the registry will be tattooed and I believe that custom
.adm will for sure. As I understand it once you are configuring GP
settings outside of the built-in administrative templates you run the risk
of tattooing the registry much like old NT system policies will. I believe
it may be worth your while to try and enable those two settings in
security policy but leaving them blank rather than undefined. FYI there is
also a dedicated Microsoft Group Policy newsgroup where some users with
really great expertise in Group Policy often reply to posts including
authors of Group Policy books. --- Steve
"Bruce Musgrove" <bruce.musgrovenospaem@xxxxxxxxxxxxxxxxxx> wrote in
message news:O4h1BbLhGHA.1324@xxxxxxxxxxxxxxxxxxxxxxx
So in effect Windows 2k and 2k3 server can tattoo the registry, even
though it is not supposed to ... :)
I had already checked the GptTmpl.inf and they were clean. I bumped the
rev numbers and did a gpupdate just as a possibility, with no result.
As I said before I looked at sysvol path\domain
name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\registry.pol using
Regview.exe and it DOES define \ contain the message, albeit an older
version than existed before I undefined them in group policy.
I remember this older message, and I seem to remember having used this
particular version of the message back when we first went from NT server
to 2k server, and I wonder if I did a custom ADM file with it in
it......... I'll have to try a new custom adm file to try and overwrite
what is in the registry.pol file. It's the only way I can think of that
it stuck in the registry.pol file instead of the newer message version
I just recently undefined.
Another lesson. Steven, Thank you for your patience and pointers to help
me track this down.
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:mpadnb8XQ4bIIeHZnZ2dneKdnZydnZ2d@xxxxxxxxxxxxxx
Maybe the information from Microsoft in the link below may be of help in
that it explains how some security option settings can persist in some cases
if they are changed to undefined which amounts to meaning "no change". I
know this happens when domain password complexity is enabled and then is
set to undefined.
http://technet2.microsoft.com/WindowsServer/en/Library/025f5d25-3a3a-4b6a-8d65-d8643722b5421033.mspx?mfr=true
What may help is to define those settings to be enabled but blank for
the default domain policy. The policy in question is computer
configuration so the mismatch for user configuration should not matter.
Another possible resolution would be to drill into the sysvol folder
[sysvol path\domain
name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows
NT\SecEdit]
for that GPO to the GptTmpl.inf file to see if the registry entries
exist for those two settings, delete those lines after backing up
GptTmpl.inf file first, and then going to the gpt.ini file [sysvol
path\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}] for
that GPO and bumping up the version number, saving the file, and then
doing a gpupdate on that domain controller which ideally would be the
PDC smo. --- Steve
"Bruce Musgrove" <bruce.musgrovenospaem@xxxxxxxxxxxxxxxxxx> wrote in
message news:eLcTb2ChGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I used regview.exe to look at the registry.pol file in
\\<dcname>\sysvol\<domain
name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine and it has
these messages enabled and the text
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System
ValueName: LegalNoticeCaption
ValueType: REG_SZ
Value: Welcome to the Dept of
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System
ValueName: LegalNoticeText
ValueType: REG_SZ
Value: Do not attempt to log on unless you are an authorized user. Use
of this equipment implies agreement to all applicable computer and
security policies. This includes, but is not limited to, blah blah blah
Yet if I edit the Default Domain controllers, these settings are not
enabled!!!!!!!
"Bruce Musgrove" <bruce.musgrovenospaem@xxxxxxxxxxxxxxxxxx> wrote in
message news:uoAR9sChGHA.4284@xxxxxxxxxxxxxxxxxxxxxxx
GPOTOOL shows a version mismatch on NEW GROUP POLICY OBJECT on the
user side. DS =0 and sysvol = 10
Userenv debugging shows that it appears to be related to the Default
Domain Policy REGISTRY.POL file......
USERENV(78c.9d0) 15:44:00:190 ResetPolicies: Entering.
USERENV(78c.9d0) 15:44:00:190 ParseRegistryFile: Entering with <C:\Documents and Settings\All Users\ntuser.pol>.
<non-relevant entries deleted>
USERENV(78c.9d0) 15:44:00:190 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
USERENV(78c.9d0) 15:44:00:190 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
<non-relevant entries deleted>
USERENV(78c.9d0) 15:44:00:268 ParseRegistryFile: Entering with <\\<domain name>\sysvol\<domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol>.
<non-relevant entries deleted>
USERENV(78c.9d0) 15:44:00:283 SetRegistryValue: LegalNoticeCaption => Welcome to the Dept of [OK]
USERENV(78c.9d0) 15:44:00:283 SetRegistryValue: LegalNoticeText => Do not attempt to log on unless you are an authorized user. Use of this equipment implies agreement to all applicable computer and security policies. This includes, but is not limited to blah blah blah [OK]
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:pqKdnRpp0-uCH-HZRVn-pA@xxxxxxxxxxxxxx
Interesting. Usually rsop.msc on the client computer or using the mmc
snapin for rsop on a Windows 2003 domain controller in logging/planning
mode will expose any current Group Policies. If possible try joining an XP
Pro computer to the domain that was not created from the image to see what
happens. Though a bit tedious you also could try userenv debug logging on
an XP Pro computer that displays the behavior and run the command gpupdate
/force after enabling the debugging of userenv. Then by parsing the
userenv.log you may be able to find out what is happening. Another
possible explanation is that the client computer has not successfully
refreshed its Group Policy in a while or you have conflicting versions of
the same GPO on different domain controllers. Running gpresult on a client
computer will show the last time that computer configuration was applied
and from what domain controller. The tool Gpotool will check for problems
with Group Policy replication. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 --- userenv debug logging
http://support.microsoft.com/default.aspx?kbid=835302
"Bruce Musgrove" <bruce.musgrovenospaem@xxxxxxxxxxxxxxxxxx> wrote in
message news:%23A%23dNoAhGHA.3296@xxxxxxxxxxxxxxxxxxxxxxx
I suspect you are right and this may be an old policy that I removed
incorrectly back when I first started experimenting. HOWEVER.... (isn't
there always a "but"?)
I noticed this policy being applied even on brand new machines that were
setup from a Windows XPSP2 CD based RIS image...The Image was created
from a XPSP2 CD, and I do join the domain in the SIF file.......That
would seem to imply the policy is hiding somewhere, but I can not find it
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:_cmdnU08vMhfcOrZRVn-ug@xxxxxxxxxxxxxx
What you could try doing is to configure the setting for the computers
via a domain level Group Policy that applies to those computers and then
enable those settings and leave them blank. Then at next reboot or after
the next Group Policy computer configuration refresh hopefully the user
will no longer see a message. You can find the GUID number that you see
in the registry that corresponds to a Group Policy by checking the
properties of your GPOs or running something like the RK tool Gpotool
that will display GUID and display name of your GPOs. If nothing matched
up then those are most likely old deleted GPOs. For Group Policy
settings other than administrative templates any settings that you want
changed should be done and allowed to propagate before a Group Policy is
deleted or unlinked. --- Steve
"Bruce Musgrove" <bruce.musgrovenospaem@xxxxxxxxxxxxxxxxxx> wrote
in message news:%23iY2efUgGHA.1856@xxxxxxxxxxxxxxxxxxxxxxx
Did that, and according to RSOP.MSC the setting is not applied.
Computer setting is "not applied" and source GPO is blank.........
Tried it on several machines with the same result.
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:a8ednSkAd4TE-OvZRVn-tg@xxxxxxxxxxxxxx
If the computer is a member of an Active Directory domain then another
GPO could be enforcing the setting. Run rsop.msc on the computer to
see if it shows that it is being applied by Group Policy and from
which --- Steve
"Bruce Musgrove" <bruce.musgrovenospaem@xxxxxxxxxxxxxxxxxx> wrote
in message news:u7ObdODgGHA.764@xxxxxxxxxxxxxxxxxxxxxxx
I recently cleared the group policy Legal notice caption and legal
notice text welcome screens in Group policy > Computer configuration >
Windows settings > Security settings > security options >
"Interactive logon: Message title..." and Message text.
The Group policy screen disappeared, but now I have a new legal notice
text screen showing up on boot. I searched the registry and found
them at
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\<domain name>{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\<domain name>{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\neurology.swmed.org{6B93F732-AE72-4748-A422-2164D975D42D}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]
XXXX-xxxxxx... is different in each of the above. These look like
old policies, but I can't find them in GPO, even the old policies that
have been disabled. How can I find where they come from and get
rid of them?
.
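Added example, not part of the original thread: a small Python reader for a GPO's Machine\registry.pol that reports whether the two logon-banner values discussed above are still defined in the file, and with what text. It assumes the documented Registry.pol layout (PReg signature, version 1, UTF-16LE [key;value;type;size;data] records); the function names and the sample bytes are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
LEGAL_NOTICE = ("legalnoticecaption", "legalnoticetext")

def _u16(text):
    return text.encode("utf-16-le")

def _read_str(blob, pos):
    end = pos
    while blob[end:end + 2] != b"\x00\x00":       # scan to the UTF-16 NUL terminator
        if end + 2 > len(blob):
            raise ValueError("truncated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 4   # skip the NUL and the ';'

def parse_registry_pol(blob):
    """Yield (key, value_name, reg_type, data) for each [key;value;type;size;data]."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol")
    pos = 8
    while pos < len(blob):
        if blob[pos:pos + 2] != _u16("["):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = _read_str(blob, pos + 2)
        value, pos = _read_str(blob, pos)
        reg_type, size = struct.unpack_from("<I2xI2x", blob, pos)  # type ; size ;
        data = blob[pos + 12:pos + 12 + size]
        pos += 12 + size + 2                      # data, then the closing ']'
        yield key, value, reg_type, data

def legal_notice_settings(blob):
    """Map each logon-banner value present in the file to its text ('' = blank)."""
    found = {}
    for key, value, reg_type, data in parse_registry_pol(blob):
        if key.lower() == KEY.lower() and value.lower() in LEGAL_NOTICE and reg_type == REG_SZ:
            found[value] = data.decode("utf-16-le").rstrip("\x00")
    return found

# Constructed sample (not a real GPO): stale caption, blank text, unrelated DWORD.
def _entry(key, value, reg_type, data):
    return (_u16("[%s\0;%s\0;" % (key, value)) + struct.pack("<I", reg_type) + _u16(";")
            + struct.pack("<I", len(data)) + _u16(";") + data + _u16("]"))

SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + _entry(KEY, "LegalNoticeCaption", REG_SZ, _u16("Welcome to the Dept of\0"))
          + _entry(KEY, "LegalNoticeText", REG_SZ, _u16("\0"))
          + _entry(r"Software\Example", "ExampleValue", REG_DWORD, struct.pack("<I", 1)))
```

To check a real policy, pass the bytes of the GPO's Machine\registry.pol (read in binary mode) to legal_notice_settings(); an empty result means neither value is defined in that file.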