  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 711

Domain group policy

Within Group Policy Management, I have my domain with an attached GPO (Default Domain Policy). The following setting within this policy has been edited.

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options

Interactive Logon: Message text for users attempting to log on

I wanted to make a group of servers that didn't have this message pop up on log in, so I created an OU and a linked GPO that had that setting turned off.

The problem I'm experiencing is that the servers that are in that OU with the new linked GPO are still getting the message text before the ctrl alt delete option. I brought up the local security policy on one of the servers that are in the OU, and in the setting for this option, it reports to me the default domain policy, not the new policy that is supposedly assigned to the new OU.

Here are the steps I've already tried:
  • verified that the new policy was linked to the new OU within the domain tree structure to ensure the last setting is used
  • verified that override (called "enforced" in Windows Server 2008) is not on for the default domain policy
  • ran gpupdate /force from the DC that I used Group Policy Management on

Some information about my setup:
  • Mixture of Windows Server 2003 and 2008 DCs
  • In the default domain policy under Interactive Logon, both message text and message title are enabled and filled in. In the new OU, which I called "No Message Screen", both of these options are set to Not Configured.
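The behaviour described above follows from how Group Policy merges settings: a GPO that leaves a setting "Not Configured" simply does not contribute a value, so the value defined higher up (here, the Default Domain Policy) is still the winning one for servers in the child OU. The script below is an added diagnostic example, not code from the thread or from Microsoft; it uses the GroupPolicy PowerShell module (RSAT on Windows 7 / Server 2008 R2 and later), and the OU distinguished name and server name are placeholders. It lists the GPOs reaching the OU in precedence order, checks which of them actually define the banner text, and reads the resulting value from a member server's registry.

```powershell
# Added example (not part of the thread): why does a server in the exception OU still show the banner?
# Run on a DC or admin workstation with the GroupPolicy module. OU path and server name are placeholders.
Import-Module GroupPolicy

$ou        = "OU=No Message Screen,DC=example,DC=com"   # placeholder: OU holding the exception servers
$server    = "SRV01"                                    # placeholder: one member server of that OU
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Which GPOs reach the OU, and in what order? InheritedGpoLinks is in precedence order
#    (first wins for any setting it defines). A GPO that leaves the banner "Not Configured"
#    never competes, so the higher-linked Default Domain Policy keeps winning.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# 2. Which of those GPOs actually define the banner? The Security Options banner is stored
#    under ...\Policies\System\LegalNoticeText, and the XML report of the GPO mentions that
#    value name only when the setting is defined.
foreach ($link in $inh.InheritedGpoLinks) {
    $xml     = Get-GPOReport -Name $link.DisplayName -ReportType Xml
    $defines = $xml -match 'LegalNoticeText'
    "{0,-35} defines banner text: {1}" -f $link.DisplayName, $defines
}

# 3. What the logon screen will show after the next refresh: the values Group Policy wrote
#    on the server itself. Requires PowerShell remoting on the target; on hosts without it,
#    use: gpresult /s $server /scope computer /r
Invoke-Command -ComputerName $server -ScriptBlock {
    param($key)
    gpupdate /target:computer /force | Out-Null
    Get-ItemProperty -Path $key -Name LegalNoticeCaption, LegalNoticeText -ErrorAction SilentlyContinue |
        Select-Object LegalNoticeCaption, LegalNoticeText
} -ArgumentList $policyKey
```

If step 2 shows the banner defined only in the Default Domain Policy and step 1 shows inheritance not blocked, the OU-linked GPO cannot remove it: the fix is either to stop the domain-level GPO from applying to these computers (security filtering or blocked inheritance) or to move the setting into a GPO that can be scoped, which is what the answers below describe.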
Asked by: labops
2 Solutions
 
Mike Kline commented:
I'm looking at that setting on a 2008 R2 DC and it looks like it is either on "Define this policy setting in the template" or not.

I can't set it to disabled.

On your domain policy you can filter out the computers using group policy filtering but I'm guessing you have other settings defined in that GPO.

You could take it out of the default domain GPO and create a new GPO at the domain level called "logon message". Then filter out the computers:

http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html

You could either create a group for the boxes and deny read to that group, or, if you want to test with one box, just deny read to that box on the GPO.

Thanks

Mike
 
m3mph1s1 commented:
GPOs are hierarchical, so if you have the policy attached at the domain level and the OU is a subgroup of that structure, it is inheriting the policy from the parent. You can disable inheritance to test and confirm.
 
Sarang Tinguria (Sr Engineer) commented:
I would recommend what Mike suggested; additionally:

1. Remove that setting from the Default Domain Policy.
2. Configure a new policy with the "Message text for users attempting to log on" setting.
3. Apply this policy to the individual OUs, except the OU where this group of computers is located.
 
labops (Author) commented:
Thank you. Using both of your tips, I took out the setting in the default domain policy, created a new policy for the message screen, then blocked inheritance on the sub-OU (since I can't actually disable the setting). I then just linked the default domain policy into the sub-OU.

Working great now!
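The fix the author settled on, as an added example written with the GroupPolicy PowerShell module (this is not code from the thread; domain and OU names are placeholders). It creates the domain-level "logon message" GPO, blocks inheritance on the exception OU, re-links the Default Domain Policy to that OU, and then prints what still reaches the OU. One caveat worth checking before blocking inheritance: it blocks every non-enforced GPO linked above the OU, not just the banner, so any other domain-level hardening or audit settings stop applying to those servers unless they are re-linked (which is why the Default Domain Policy is linked back here). Enforced GPOs still pass through a blocked OU and will show up in the verification output.

```powershell
# Added example (not from the thread): reproduce the accepted fix with the GroupPolicy module
# (RSAT / Windows Server 2008 R2 and later). Domain, OU and GPO names are placeholders.
Import-Module GroupPolicy

$domainDn  = "DC=example,DC=com"                 # placeholder domain
$bannerOu  = "OU=No Message Screen,$domainDn"    # OU whose servers should NOT show the banner
$bannerGpo = "logon message"                     # new domain-level GPO carrying the banner

# 1. Create the banner GPO and link it at the domain root. The banner title/text live in
#    Security Options (GptTmpl.inf); no GroupPolicy cmdlet edits that template, so set the
#    two "Interactive logon" values in GPMC exactly as they were in the Default Domain Policy,
#    then remove them from the Default Domain Policy.
if (-not (Get-GPO -Name $bannerGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $bannerGpo -Comment "Interactive logon banner, moved out of Default Domain Policy" | Out-Null
    New-GPLink -Name $bannerGpo -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 2. Block inheritance on the exception OU so the domain-linked banner GPO no longer reaches it.
#    Caveat: this also blocks every other non-enforced GPO linked above the OU.
Set-GPInheritance -Target $bannerOu -IsBlocked Yes | Out-Null

# 3. Link the Default Domain Policy directly to the OU so its remaining settings still apply.
$linkedHere = (Get-GPInheritance -Target $bannerOu).GpoLinks.DisplayName
if (-not ($linkedHere -contains "Default Domain Policy")) {
    New-GPLink -Name "Default Domain Policy" -Target $bannerOu -LinkEnabled Yes | Out-Null
}

# 4. Verify. With inheritance blocked, StillInherited should list only the OU's own links
#    plus any Enforced GPOs from above; the banner GPO must not appear.
$inh = Get-GPInheritance -Target $bannerOu
[pscustomobject]@{
    InheritanceBlocked = $inh.GpoInheritanceBlocked
    LinkedHere         = ($inh.GpoLinks | ForEach-Object DisplayName) -join ', '
    StillInherited     = ($inh.InheritedGpoLinks | ForEach-Object DisplayName) -join ', '
    BannerStillApplies = [bool]($inh.InheritedGpoLinks | Where-Object DisplayName -eq $bannerGpo)
}

# 5. Servers in the OU pick the change up at the next refresh; on each one run: gpupdate /force
```

Mike's security-filtering alternative avoids blocking inheritance altogether: leave inheritance on, and instead deny the exception computers (or a group containing them) Read on the "logon message" GPO in GPMC's Delegation tab. Set-GPPermission cannot create an explicit Deny entry, so that part is done in the console; Get-GPPermission -Name "logon message" -All shows the resulting scope afterwards.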
