Using VBScript to refresh group policy, restart, and log in.

C

Centrist

I am writing a script that needs to apply the domain's group policy,
restart, and automatically log the administrator back in without
needing any user interaction. The problem is that I cannot get rid of
the legal message. This is the popup that appears after you press CTL-
ALT-DEL on a Win2k or WinXP machine which has a message set in the
group policy. In my case, the message is set in a domain GPO.

My first solution was to delete the legalnoticetext and
legalnoticecaption registry values in HKLM. This is a very common
example on the internet. However, (like many of these examples) this
doesn't work because the group policy will just be applied again when
the computer is restarting.

My second solution was to make use of the NoMachinePolicy DWORD value
located in:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\GPExtensions
\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

When NoMachinePolicy is set to 1, it prevents the security policy from
being applied. I had the script set the value to 1 just before
rebooting, and then change the value back after logging in. This
solution also has problems, and I can't use it. In Windows XP, it
appears to reverse the changes made by the gpupdate /force command. I
am executing gpupdate /force, setting the auto logon registry entries,
setting NoMachinePolicy to 1, clearing the legal message text and
caption, and then restarting. But here's the problem: when the group
policy is applied, the administrator account is renamed to something
else. However, after I restart the account's name goes back to
administrator. My auto login fails because I have the wrong account
name for DefaultUserName. And I have verified that after the gpupdate
command is run, the account name does change just before the gpupdate
finishes. I have no idea why this is happening.

The second reason I don't like using this is because I cannot leave
NoMachinePolicy set to 1 the whole time the script is working. The
script installs several packages after restarting which need to be
able to apply group policy. And if I do not have it set the whole
time, the computer will not be able to automatically boot up and login
if one of the package installations forces a restart.

So I'm looking for a working solution that will let me bypass the
legal message for an automated logon. This is the only problem
stopping me from being able to use this script, and I would really
appreciate some help here.

Disclaimer: Previously posted this on
microsoft.public.scripting.vbscript, but got no replies. If there is a
better group to use, please let me know!
 
M

Mark F.

Centrist said:
Centrist said ...,

Disclaimer: Previously posted this on
microsoft.public.scripting.vbscript, but got no replies. If there is a
better group to use, please let me know!
Click to expand...

Well, posting to the wrong newsgroup is not going to get you an answer
either. I suggest you be patient and/or post to another scripting newsgroup.
I Googled the following and there were more listed.

http://www.tek-tips.com/threadminder.cfm?pid=329
http://scripts.filehungry.com/product/visual_basic/online_communities/vbscript_forum
http://www.tizag.com/forums/forumdisplay.php?f=13
http://www.developer.be/forums/index.cfm/fuseaction/dsp_threads/forumid/20.htm
http://p2p.wrox.com/forum.asp?FORUM_ID=70

Mark
 
C

Centrist

How is this a scripting issue? I only posted in the vbscript group
first because there were several similar posts there already. However,
my problem is clearly with Group Policy in WinXP and not with
vbscript. I could be using C# or Regedit to edit the registry - it
doesn't make any difference. I suggest you take the time to actually
read my post before replying. I Googled the following and there were
more listed.

http://www.marin.cc.ca.us/~don/Study/7read.html
http://www.literacy.uconn.edu/compre.htm
http://www.scholastic.com/familymatters/read/gr3_5/qc_readingcomp.htm
 
M

Mark F.

Centrist said:
How is this a scripting issue? I only posted in the vbscript group
first because there were several similar posts there already. However,
my problem is clearly with Group Policy in WinXP and not with
vbscript. I could be using C# or Regedit to edit the registry - it
doesn't make any difference. I suggest you take the time to actually
read my post before replying. I Googled the following and there were
more listed.

http://www.marin.cc.ca.us/~don/Study/7read.html
http://www.literacy.uconn.edu/compre.htm
http://www.scholastic.com/familymatters/read/gr3_5/qc_readingcomp.htm
Click to expand...

I did read your entire posting. You need to understand that people can make
mistakes, and because you are having trouble with a hack is no reason to get
testy. Newsgroups are full of people who try to help (for free). We are
human. Impatience and a smart ass remarks will not to help you. I'm betting
that's why you didn't get a re on the scripting ng. ;)
 
C

Centrist

Mark, I respond in kind. Read your replies again and you'll see what I
mean.

And no, that was not a hack. Using settings available in the registry
the way they were designed to be used is not hacking. However, I have
solved this problem, and the solution is a hack. I changed the ACL to
the system key to deny the System account the Set Value permission.
This prevents a GP refresh from recreating the legal notice values
after I delete them. I would much prefer doing this some other way,
but to my knowledge, this is the only way to do it.

If you are interested in seeing the code, please find my post in the
vbscript group.
 
K

kshanerhodes

I am writing a script that needs to apply the domain's group policy,
restart, and automatically log the administrator back in without
needing any user interaction. The problem is that I cannot get rid of
the legal message. This is the popup that appears after you press CTL-
ALT-DEL on a Win2k or WinXP machine which has a message set in the
group policy. In my case, the message is set in a domain GPO.

My first solution was to delete the legalnoticetext and
legalnoticecaption registry values in HKLM. This is a very common
example on the internet. However, (like many of these examples) this
doesn't work because the group policy will just be applied again when
the computer is restarting.

My second solution was to make use of the NoMachinePolicy DWORD value
located in:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\GPExtensions
\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

When NoMachinePolicy is set to 1, it prevents the security policy from
being applied. I had the script set the value to 1 just before
rebooting, and then change the value back after logging in. This
solution also has problems, and I can't use it. In Windows XP, it
appears to reverse the changes made by the gpupdate /force command. I
am executing gpupdate /force, setting the auto logon registry entries,
setting NoMachinePolicy to 1, clearing the legal message text and
caption, and then restarting. But here's the problem: when the group
policy is applied, the administrator account is renamed to something
else. However, after I restart the account's name goes back to
administrator. My auto login fails because I have the wrong account
name for DefaultUserName. And I have verified that after the gpupdate
command is run, the account name does change just before the gpupdate
finishes. I have no idea why this is happening.

The second reason I don't like using this is because I cannot leave
NoMachinePolicy set to 1 the whole time the script is working. The
script installs several packages after restarting which need to be
able to apply group policy. And if I do not have it set the whole
time, the computer will not be able to automatically boot up and login
if one of the package installations forces a restart.

So I'm looking for a working solution that will let me bypass the
legal message for an automated logon. This is the only problem
stopping me from being able to use this script, and I would really
appreciate some help here.

Disclaimer: Previously posted this on
microsoft.public.scripting.vbscript, but got no replies. If there is a
better group to use, please let me know!
Click to expand...

Any solution yet? I have the same problem.

Best,
Kevin
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

domain computers to have same wallpaper - Group Policy 6
Group policy only applied after restart 3
Domain group Policy not applying to workstation 1
Group Policy Drwaback 2
Group Policy refresh question 4
Group Policy Extensions Processing 3
Power Scheme Group Policy 1
Domain group policy 3

Top