GPO propagation issue - current OU, Enforced No, Link Enabled Yes

    Question

  • I created a GPO in a current OU named "banner". Enforced is set to "No", Link Established is set to "Yes" by default, and Security Filtering contains the Authenticated Users group (by default) plus three IT users I added to test a banner display prior to logon via two registry settings, LegalNoticeCaption and LegalNoticeText. I assumed this GPO banner would be pushed to the three IT users I added to the Security Filtering, but a few other random AD users received the banner; as expected, when one of the IT users logs onto a server via RDP or a PC, the banner is displayed.

    For testing I removed the text from each reg key except for a "." in each. I did a gpupdate /force on the server and PC that displayed the banner previously, and on the next logoff/logon the periods were displayed. I then blanked out the reg keys and ran a gpupdate /force on both machines; after the next logoff/logon the banner was gone. This testing was successful using my logon credential, but my two IT domain admin level associates did not receive the updated GPO within a 90 minute window (I did not do the gpupdate /force on their PCs).

    So my question is: why did a couple of random users receive my initial GPO, and why did my IT associates not receive my updated (blanked out) GPO?

    I am somewhat new to AD and GPOs. Am I missing a step in the process or a best practice? At worst, I am concerned that my user population has not logged off and logged on, and when they do over a weekend they will start receiving my initial banner (which is probably sitting in their registry at the moment). The current GPO (banner) in AD for those two reg keys is blank; I am hoping that through propagation their local reg keys will be blanked out, since all users are members of the "authenticated users" group. Is this correct, or will multiple logoffs/logons occur before the reg keys are blanked out (the first one to receive the full text banner, the second to blank out the banner)? I appreciate your advice.

    Thanks, 

    Milty 


    • Edited by milten Monday, November 14, 2016 7:47 PM
    Monday, November 14, 2016 7:47 PM

All replies

  • Hi,
     
    On 14.11.2016 at 20:47, milten wrote:
    > [...] three IT users I added [...] registry settings
    > LegalNoticeCaption and LegalNoticeText.
     
    You are trying to apply HKLM settings to HKCU; that does not work.
    Wrong target. If it happens "sometimes", then some computer objects are
    "accidentally" in scope of management as well.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Monday, November 14, 2016 8:14 PM
  • Based on your description, your understanding seems to be mostly correct (although perhaps a little incomplete).

    The two settings you've mentioned (legalnoticecaption and legalnoticetext) are both 'Computer Configuration' settings, which means they will deploy into HKLM. This means that they are not user-based at all; they are computer-based, so if you linked this GPO to a scope containing only user objects, it would not apply at all.

    If you linked this GPO to a scope which includes both user objects and also computer objects, the user objects ignore these settings but the computer objects would honour the settings.

    So, did you link the GPO to the domain or a site or an OU? And, what computer objects are therefore scoped by the link?

    Also, note that some registry-based settings might deploy to the computer registry, but Windows may not invoke/apply/honour the settings until a reboot has occurred. This is dependent upon the Windows component/feature itself, so a GP background refresh or gpupdate /force may not have effect until a restart (it totally depends upon the component/feature in question). An example of this is WU/WSUS/WUAgent settings, which are only read by the wuauserv at wuauserv startup time and are never re-read until wuauserv is restarted; even though the registry will show the desired settings, the wuauserv has not (yet) read those registry settings.

    I am not sure (can't recall) if the legalnotice stuff behaves similarly.

    But first you should check the link/scope, and you can use the gpresult tool on some sample computers to confirm.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Tuesday, November 15, 2016 8:29 PM fix typo
    Monday, November 14, 2016 8:48 PM
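    A check for the HKLM-versus-HKCU point that Mark and Don raise above, written here as an added example and not part of any post in the thread. It assumes the RSAT GroupPolicy module is installed, that the GPO is named "banner" as in the question, and that it is run on the test computer in an elevated PowerShell session; it only reads the registry and the GPO report.

```powershell
# Added example: show which hive the banner values landed in, and where the
# GPO is actually linked. Assumes RSAT GroupPolicy module and a GPO named "banner".
Import-Module GroupPolicy

# Winlogon reads LegalNoticeCaption/LegalNoticeText only from this HKLM key.
# A copy under HKCU (what a User Configuration registry preference writes) is ignored.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($hive in 'HKLM', 'HKCU') {
    $props = Get-ItemProperty -Path "${hive}:\$subKey" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive      = $hive
        Caption   = $props.LegalNoticeCaption
        Text      = $props.LegalNoticeText
        Effective = ($hive -eq 'HKLM')   # only the HKLM pair is honoured at logon
    }
}

# Where is the GPO linked, and is each link enabled / enforced (NoOverride)?
$gpo = Get-GPO -Name 'banner'
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride

# Does the GPO carry any Computer Configuration settings at all?
# A computer DSVersion of 0 means nothing in it will ever reach HKLM on the targets.
[pscustomobject]@{
    ComputerVersion = $gpo.Computer.DSVersion
    UserVersion     = $gpo.User.DSVersion
    ComputerEnabled = $gpo.Computer.Enabled
}

# Refresh computer policy on this machine and list the GPOs applied to the computer.
gpupdate /target:computer /force | Out-Null
gpresult /r /scope:computer
```

    If the values show up only under HKCU and the GPO's ComputerVersion is 0, the settings were created under User Configuration, which is exactly the "wrong target" described above.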
  • Hi Milty,
    As others said, we would suggest you check the following aspects:
    1. Check which node the GPO settings are set up under: computer configuration or user configuration.
    2. As the LegalNoticeCaption and LegalNoticeText registry values are under HKEY_LOCAL_MACHINE, you should configure the GPO settings under computer configuration.
    3. Generally, I would suggest putting the requested computers/users in an OU, and then linking the GPO to this OU, instead of using security filtering.
    4. After linking the GPO, please reboot the computer for it to take effect, and then run the gpresult /h command to check if the GPO is applied successfully.
    If the GPO is not applied, you could follow the article below to troubleshoot:
    10 Common Problems Causing Group Policy To Not Apply
    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
    Also, here is an article on Group Policy for Beginners, which you could refer to for more details about GPO:
    Group Policy for Beginners https://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by milten Wednesday, November 16, 2016 2:53 PM
    Tuesday, November 15, 2016 5:28 AM
    Moderator
  • I was working in HKCU, not HKLM. I read the Group Policy for Beginners white paper and created an OU named Computers Banner; I put a computer object in the OU. I created a GPO named Banner, and under HKLM Computer configuration - preferences - Windows settings I edited/updated two registry key settings, legalnoticecaption and legalnoticetext, both with a value of "x". I ran gpupdate /force on my test computer, logged out, logged in, ran gpresult /H to an .html file, and see the settings for caption and text as successful; upon a reboot or a Ctrl-Alt-Del combo I am presented with the "x's".

    My goal is now to create a legal notice banner via a GPO, but I also need to include a company logo. What best practice/method is recommended to accomplish this?

    I appreciate the advice. 

    Thanks...Milty

    Tuesday, November 15, 2016 5:05 PM
  • Hi
     
    On 15.11.2016 at 18:05, milten wrote:
    > under HKLM Computer configuration - preferences - Windows settings I
    > edited/updated two registry key settings
     
    It would be easier to use the existing policies:
    Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Interactive logon: Message title for users attempting to log on
    Interactive logon: Message text for users attempting to log on
     
    > My goal is now to create a legal notice banner via a GPO but I also
    > need to include a company logo.
     
    You cannot implement a logo. Only text is supported.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by milten Wednesday, November 16, 2016 2:53 PM
    Tuesday, November 15, 2016 6:24 PM
  • Thanks for the info on utilizing the Security Settings for my banner legal notice, but is there also a method utilizing a GPO to display a company logo as well as a legal notice banner?

    ...Milty 

    Tuesday, November 15, 2016 8:22 PM
  • > Thanks for the info on utilizing the Security Settings for my banner legal notice, but is there also a method utilizing a GPO to display a company logo as well as a legal notice banner?
    >
    > ...Milty

    No, as Mark mentioned earlier, there is no builtin/inbox GPO method to display a logo as part of the legalnotice settings.

    Have you considered alternative methods, such as the logon screen wallpaper or some 3rd party custom UI?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by milten Wednesday, November 16, 2016 2:53 PM
    Wednesday, November 16, 2016 7:50 AM
  • I have been researching the logon screen wallpaper and 3rd party UIs. The logon wallpaper, unless I lock down "personalization", can be changed by the end user by altering the desktop wallpaper. I'm looking into blocking personalization.

    Another question on GPOs and OUs. I created a test OU and a GPO. I want it contained to the OU's computer objects and/or user objects. I don't want it to propagate out via the "authenticated users" group. Is my only method to block inheritance at the OU, or must I block all other OUs from receiving the GPO?

    Thanks, 

    Milty 

    Wednesday, November 16, 2016 2:07 PM
  • On 16.11.2016 at 15:07, milten wrote:
    > I don't want it to propagate out via the "authenticated users" group.
     
    ... use a different one. It's allowed to do so.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by milten Wednesday, November 16, 2016 8:39 PM
    Wednesday, November 16, 2016 6:50 PM
  • Hi,
     
    On 15.11.2016 at 21:22, milten wrote:
    > [...] but is there also a method utilizing a GPO to display a company
    > logo as well as a legal notice banner.
     
    No. Not even if you lie on the floor and drum with your arms.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by milten Wednesday, November 16, 2016 8:39 PM
    Wednesday, November 16, 2016 6:50 PM
  • > Another question on GPOs and OUs. I created a test OU and a GPO. I want it contained to the OU's computer objects and/or user objects. I don't want it to propagate out via the "authenticated users" group. Is my only method to block inheritance at the OU, or must I block all other OUs from receiving the GPO?

    This is where the matter of 'scope' needs your further consideration.
    Where should you link that GPO? Link it to the domain root (highest point) and inheritance will cause it to flow downwards throughout the entire directory.
    Link the GPO to a Site, but only if it makes logical sense to scope that way.
    Link it to an OU, and if there are child OUs under that, inheritance will flow downwards from that link-point.

    You can link a single GPO to many OUs or Sites or a combination of those.

    Or, you can use Security Filtering, where you create an AD group, and adjust the Security Filtering on the GPO so that it has "Apply GPO" for that AD security group.

    Make sure that you don't remove Authenticated Users, but make sure that you adjust the security so that Authenticated Users has "Read GPO" and not "Apply GPO".

    Avoid blocking inheritance and avoid enforced inheritance; these settings can introduce deep complexity when troubleshooting, for an inexperienced AD admin.

    Structure your AD design of sites and OUs, based on thinking about how you will need to design your GP layouts.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by milten Wednesday, November 16, 2016 8:39 PM
    Wednesday, November 16, 2016 8:10 PM
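    The scoping Don describes above, carried out with the GroupPolicy and ActiveDirectory RSAT modules, as an added example that is not part of any post in the thread. The OU distinguished name and the group name are placeholders; the GPO name "Banner" comes from Milty's test.

```powershell
# Added example: link the Banner GPO to one OU, filter it to a computer group,
# keep Authenticated Users at Read only, and verify that nothing is blocked or enforced.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'Banner'
$targetOU  = 'OU=Computers Banner,DC=example,DC=com'   # placeholder OU DN
$groupName = 'GPO-Banner-Computers'                     # placeholder group name

# 1. Link the GPO to the OU only (not the domain root) and leave the link unenforced.
$existing = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced No | Out-Null
}

# 2. Security filtering: the computer group gets Apply; Authenticated Users is
#    downgraded to Read, not removed, because computer accounts must still be
#    able to read the GPO in order to process it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $targetOU
}
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Verify: only the group should carry GpoApply, the OU should still inherit,
#    and no link on it should be enforced.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
$inh = Get-GPInheritance -Target $targetOU
[pscustomobject]@{
    InheritanceBlocked = $inh.GpoInheritanceBlocked
    EnforcedLinks      = @($inh.GpoLinks | Where-Object Enforced).Count
}
```

    Because these are Computer Configuration settings, a computer added to the group only picks up the new group membership (and therefore the GPO) after a reboot, which matches Wendy's reboot-then-gpresult advice.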
  • Appreciate the knowledge sharing. I'm going to setup a lab network and do AD GPO testing utilizing the info in this thread. 

    Thanks....Milty 

    Wednesday, November 16, 2016 8:39 PM
  • Hi Milty,
    Great! If you have any questions, please feel free to post in the TechNet forum. And we appreciate your marking the answers.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, November 17, 2016 1:45 AM
    Moderator