Have you ever been using the following settings?
These are designed to present a message to the user after he presses C-A-D. This message could be some legal stuff, some helpful hints or whatever you need.
But there's a drawback: If these settings are enabled, AutoAdminLogon will not work anymore. This would prevent automated software installations by scripts, running in the context of an admin user that logs on automatically.
How can we solve this?
It's easy - just do not use Security Options, but use Group Policy Preferences Registry to enable the legal notice stuff. Both settings are simple registry values (see LegalNoticeCaption and LegalNoticeText). Despite these Technet pages belong to the good ol' NT time, they are still valid for Windows 10.
So we can deploy the registry values with the following policy settings:
What's the advantage?
To temporarily disable the message, we can now leverage item level targeting. We might use a file or a registry value for that purpose. Since we want to enable AutoAdminLogon, we are already dealing with registry values. We enable the following settings on the Common tab:
Then we click Targeting... and enter the following filter:
What does this do?
If the registry value HKLM\MyCompany\LegalNoticeEnabled (REG_DWORD) is present and contains 1, the registry values for Legal Notice will be written. If this value is not present or does not contain 1, they will be removed.
And to be really sophisticated, we can even drop our own registry value and filter directly for AutoAdminLogon=1 :-) (Be aware that this is a REG_SZ and not a REG_DWORD, though...)
Voila - done we are :-)
No comments:
Post a Comment