Domain group policy

Posted on 2012-08-29
Last Modified: 2012-08-29
Within Group Policy Management, I have my domain with an attached GPO (Default Domain Policy). The following setting within this policy has been edited.

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options

Interactive Logon: Message text for users attempting to log on

I wanted to make a group of servers that didn't have this message pop up on log in, so I created an OU and a linked GPO that had that setting turned off.

The problem I'm experiencing is that the servers that are in that OU with the new linked GPO are still getting the message text before the Ctrl+Alt+Delete option. I brought up the local security policy on one of the servers that are in the OU, and in the setting for this option, it reports to me the Default Domain Policy, not the new policy that is supposedly assigned to the new OU.

Here are the steps I've already tried.
Verified that the new policy was linked to the new OU within the domain tree structure to ensure last setting used
Verified that override is not on for the Default Domain Policy (called Enforced in Win2008 Server)
Ran gpupdate /force from the DC that I used Group Policy Management on

Some information about my setup:
Mixture of win2k3 and win2k8 DCs
In the Default Domain Policy under Interactive Logon, both message text and message title are enabled and filled in. Also, in the new OU, which I called "No Message Screen", both of these options are set to Not Configured.
Question by:labops

    Accepted Solution


    Assisted Solution

    by:Mike Kline
    I'm looking at that setting on a 2008 R2 DC and it looks like it is either on "Define this policy setting in the template"

    I can't set it to disabled.

    On your domain policy you can filter out the computers using group policy filtering but I'm guessing you have other settings defined in that GPO.

    You could take it out of the default domain GPO and create a new GPO at the domain level called "logon message". Then filter out the computers.

    You could either create a group for the boxes and deny read to that group.  If you want to test with one box just deny read to that box on the GPO.



    Expert Comment

    GPO is hierarchical, so if you have the policy attached at the domain level and have the OU as a subgroup of the structure, then it is inheriting it from the parent. You can disable inheritance to test and confirm.

    Expert Comment

    I would recommend, as Mike suggested, additionally:

    1. Remove that setting from the Default Domain Policy
    2. Configure a new policy with the "Message text for users attempting to log on" policy
    3. Apply this policy to individual OUs except the OU where this group of computers is located

    Author Closing Comment

    Thank you, using both of your tips I took out the setting in the default domain policy, created a new policy for the message screen, then blocked inheritance to the sub group (since I can't actually disable the setting). I then just linked the default domain policy into the sub group.

    working great now!
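
To confirm which GPO actually supplies the logon message to servers in an OU, the effective link list can be queried from a management host. This is an added example, not part of the original thread; it assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT) is available, and the function name and the `example.com` distinguished name are hypothetical.

```powershell
# Added example: list, in precedence order, the GPOs that reach an OU and
# flag which of them define the interactive logon message text.
Import-Module GroupPolicy

function Get-LogonMessageGpoSource {
    param(
        [Parameter(Mandatory = $true)]
        [string]$OuDn   # distinguished name of the OU (assumed value below)
    )

    $inheritance = Get-GPInheritance -Target $OuDn

    # InheritedGpoLinks is the effective list after Block Inheritance and
    # Enforced have been taken into account; Order 1 has the highest precedence.
    foreach ($link in ($inheritance.InheritedGpoLinks | Sort-Object Order)) {
        # The XML report lists a defined security option by its registry
        # value name (LegalNoticeText for the logon message text).
        $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml

        New-Object PSObject -Property @{
            Order              = $link.Order
            Gpo                = $link.DisplayName
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            InheritanceBlocked = $inheritance.GpoInheritanceBlocked
            DefinesLogonText   = [bool]($report -match 'LegalNoticeText')
        }
    }
}

# Hypothetical OU path; replace with the real distinguished name.
Get-LogonMessageGpoSource -OuDn 'OU=No Message Screen,DC=example,DC=com' |
    Sort-Object Order |
    Format-Table Order, Gpo, LinkEnabled, Enforced, InheritanceBlocked, DefinesLogonText -AutoSize
```

The first row with `DefinesLogonText` set to True is the GPO whose message wins; a GPO that leaves the setting at Not Configured carries no entry for it and so overrides nothing from a parent. Security filtering is not reflected in this list, so `gpresult /r /scope computer` on the server itself remains the check for GPOs that were filtered out.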
