Present and Capture Acknowledgement of Corporate Notices/Policies at Logon

Posted on 2011-04-28
Last Modified: 2013-12-06
We would like to use the Microsoft Network Domain login process to push corporate policies to users at the time of logon.  Is there a product, or is there a way to do this?

Ideally, the user would have to acknowledge acceptance of the policy to gain access to network services.  In addition, we would need to capture the user's ID, the date/time of acknowledgment, and the document being acknowledged, so that we can ensure that the employee base has received and accepted the policies.  So, it also would be great to be able to report on the level of acknowledgement, as compared to the AD group of full-time employees, etc.

This seems like it would be a great way for HR to communicate corporate notices, etc. so I'm a bit surprised I've not run into anything that would assist with this type of communication.
Question by: dbrigner

    Expert Comment

    We have this set up.

    When you press Ctrl+Alt+Del it has a pop-up you must say yes to before continuing.

    It is done via domain security policy.

    Admin tools -> Domain Security Policy -> Local Policies -> Security Options -> Interactive Logon Message text for users attempting to log in

    You can set whatever text you want for this pop up window.

    Hope this helps.

    Author Comment

    Thanks, Jonah.

    I should have mentioned that our policies may be a bit more than login message text - it may extend to several pages.  Think legal document.  

    You didn't mention, but are you capturing the user, the document name being presented, and the date/time of acceptance?


    Expert Comment

    Well, all of that is captured by default because the user must accept prior to logging in.

    So just the fact that they logged in shows that they accepted the terms of service.

    Author Comment

    But it may not just be terms of service.  This would be a vehicle to present multiple communications, and would change over time, such as when HR has something they need to ensure everyone has seen and accepted.  Policies may range from benefits information, to new company procedures, annual training notices, etc.  Once a user accepts the terms and that information is captured, the user would not be presented with that policy again.  

    This would only be used for those items that legally require us to maintain records of when each employee acknowledges a policy.  I would have thought that SOX, PCI-DSS, and any number of other standards would necessitate the need for an automated system such as this, to prevent HR from having to physically go to each employee and gather a signature whenever they need to do so.  Tying this to the network login process just seemed to be a good way to ensure that each employee sees and accepts the communication.

    I understand your comment that the act of gaining network access would imply acceptance, but we would have to capture which document is being accepted during any given policy push, along with the user/date/time, which hopefully we could create reports against.

    So this goes way beyond a simple network terms of service statement.

    Expert Comment

    Got it. That is much more in depth than I had first perceived.


    Author Comment

    Not at all - I appreciate the prompt response.

    Accepted Solution

    dbrigner, this is quite a large task, as there is no built-in way of providing such a "utility".  What we have done, however, is build an HTA, which consists of HTML content, that is launched by an entry similar to this added to workstation computers at "StartUp".

    Key: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Value Name: ShowCompanyPolicy
    Value Data: mshta.exe "\\\sysvol\\scripts\Policy.HTA

    This HTA is then custom written with HTML and VBScript code that can log the deny or acceptance, and ours will actually "log off" if they decline.

    This of course is not foolproof.  There are ways around it; the easiest is starting Task Manager and running a "new task" of explorer.exe.

    Perhaps give that a quick try, and see how that suits your needs.
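
Because the logon gate described above can be bypassed, the record worth trusting is the reconciliation of the acknowledgement log against the employee group. The following is an added PowerShell example, not code from this thread; the CSV columns, file names, user names, group name and the `Get-PolicyCoverage` function are assumptions constructed for illustration.

```powershell
# Constructed sample of the acknowledgement log the HTA would append to
# (column names are assumptions; the thread does not specify a format).
$logCsv = @'
User,Document,Decision,TimestampUtc
alice,AcceptableUse-2011.pdf,Accept,2011-05-02T08:01:12Z
bob,AcceptableUse-2011.pdf,Decline,2011-05-02T08:03:40Z
bob,AcceptableUse-2011.pdf,Accept,2011-05-03T07:58:05Z
carol,Benefits-2011.pdf,Accept,2011-05-02T09:15:00Z
mallory,AcceptableUse-2011.pdf,Accept,2011-05-02T09:20:31Z
'@

# Constructed roster. In production this would come from the AD group, e.g.
# (Get-ADGroupMember 'FullTimeEmployees' -Recursive).SamAccountName
$roster = 'alice', 'bob', 'carol', 'dave'

function Get-PolicyCoverage {
    param([string]$Document, [string[]]$Roster, [object[]]$Log)

    # Keep the latest record per user for this document; last decision wins.
    $latest = @{}
    $Log | Where-Object Document -eq $Document |
        Sort-Object { [datetime]$_.TimestampUtc } |
        ForEach-Object { $latest[$_.User] = $_ }

    # One row per roster member, including those with no record at all.
    $rows = foreach ($user in $Roster) {
        $rec = $latest[$user]
        [pscustomobject]@{
            User      = $user
            Status    = if ($rec) { $rec.Decision } else { 'NoRecord' }
            Timestamp = if ($rec) { $rec.TimestampUtc } else { $null }
        }
    }
    $accepted = @($rows | Where-Object Status -eq 'Accept').Count
    [pscustomobject]@{
        Document    = $Document
        Accepted    = $accepted
        RosterSize  = $Roster.Count
        Percent     = [math]::Round(100 * $accepted / [math]::Max(1, $Roster.Count), 1)
        Outstanding = @($rows | Where-Object Status -ne 'Accept')
        # Log entries from accounts outside the group deserve a second look.
        NotInRoster = @($latest.Keys | Where-Object { $_ -notin $Roster })
    }
}

$log    = $logCsv | ConvertFrom-Csv
$report = Get-PolicyCoverage -Document 'AcceptableUse-2011.pdf' -Roster $roster -Log $log
$report | Format-List Document, Accepted, RosterSize, Percent, NotInRoster
$report.Outstanding | Format-Table
```

Users who bypassed or never saw the prompt show up as `NoRecord`, so the report, rather than the prompt itself, is what demonstrates coverage.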



    Expert Comment

    by:Glen Knight
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
