labops asked:

Domain group policy

Within Group Policy Management, I have my domain with an attached GPO (Default Domain Policy). The following setting within this policy has been edited.

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options

Interactive Logon: Message text for users attempting to log on

I wanted to make a group of servers that didn't have this message pop up on log in, so I created an OU and a linked GPO that had that setting turned off.

The problem I'm experiencing is that the servers that are in that OU with the new linked GPO are still getting the message text before the Ctrl+Alt+Delete option. I brought up the local security policy on one of the servers that are in the OU, and in the setting for this option, it reports to me the Default Domain Policy, not the new policy that is supposedly assigned to the new OU.

Here are the steps I've already tried:
- Verified that the new policy was linked to the new OU within the domain tree structure to ensure last setting used
- Verified that override is not on for the Default Domain Policy (called enforced in Win2008 Server)
- Ran gpupdate /force from the DC that I used Group Policy Management on

Some information about my setup:
- Mixture of Win2k3 and Win2k8 DCs
- In the Default Domain Policy under Interactive Logon, both message text and message title are enabled and filled in. Also, in the new OU, which I called "No Message Screen", both of these options are set to not configured.

ASKER CERTIFIED SOLUTION
PAdocIT

This solution is only available to members.

SOLUTION
Mike Kline

This solution is only available to members.

m3mph1s1

GPO is hierarchical, so if you have the policy attached at the domain level and have the OU as a subgroup of the structure, it is inheriting it from the parent. You can disable inheritance to test and confirm.
I would additionally recommend, as Mike suggested:

1. Remove that setting from the Default Domain Policy
2. Configure a new policy with the "Message text for users attempting to log on" policy
3. Apply this policy to individual OUs except the OU where this group of computers is located

labops (ASKER)

Thank you, using both of your tips I took out the setting in the default domain policy, created a new policy for the message screen, then blocked inheritance to the sub group (since I can't actually disable the setting). I then just linked the default domain policy into the sub group.

Working great now!
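
A way to check the situation discussed in this thread, added here as an example and not posted by any participant: list the GPOs that reach the OU in precedence order, show which of them actually define the logon message, and confirm the effective value on a member server. It assumes the GroupPolicy PowerShell module (RSAT, or Windows Server 2008 R2 and later); the OU distinguished name is a placeholder.

```powershell
# Added example. Replace the placeholder DN with the OU from your own domain.
Import-Module GroupPolicy

$ou = 'OU=No Message Screen,DC=example,DC=com'   # placeholder DN

# 1. Is inheritance blocked on the OU, and which GPOs reach it?
#    InheritedGpoLinks is the resolved list; Order 1 has the highest precedence.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Which of those GPOs define the logon message at all?
#    A GPO that leaves the setting "Not configured" contributes nothing,
#    so the next GPO in the list that does define it still applies.
foreach ($link in ($inh.InheritedGpoLinks | Sort-Object Order)) {
    $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    New-Object psobject -Property @{
        Order          = $link.Order
        Gpo            = $link.DisplayName
        Enforced       = $link.Enforced
        DefinesMessage = [bool]($report -match 'LegalNotice(Text|Caption)')
    }
}

# 3. Run the following on a server that sits in the OU (not on the DC):
#    refresh computer policy, list the applied GPOs, then read the value
#    that the logon screen actually uses.
gpupdate /target:computer /force
gpresult /scope computer /r

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Get-ItemProperty -Path $key |
    Select-Object LegalNoticeCaption, LegalNoticeText
```

If step 2 shows only the Default Domain Policy with `DefinesMessage` set to True, the message is still arriving by inheritance, which matches what the local security policy reported in the question.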