2

I have a GPO that is directly under the domain in the tree in group policy manager. Meaning it applies to all OUs in the domain. (This wasn't my doing)

The "Interactive logon: Message text for users attempting to log on" policy contains a security message in this GPO.

I want to be able to turn this message off for one or two servers, so that I can auto-log them in (the message interferes with this).

Is there a way I can override this policy for specific computers without reorganising the entire domain OU tree?

Most policies have an 'enabled' or 'disabled' option making it possible to override an 'enabled' with a more specific 'disabled' applied directly to an OU, but in this case that doesn't seem to be a possibility.

MrVimes

1 Answer

4

Create and link a GPO that applies only to these specific servers (either by linking at an OU where only these servers are located, or by linking above them and filtering the application of the GPO using an Access Control List) that defines these settings as blank strings. That will cause the registry entries these settings configure to be specified as blank strings, which will prevent the notice from being displayed.

Evan Anderson
  • Forgive my lack of knowledge but how would I use the ACL to stop the more global GPO from being applied? – MrVimes Oct 29 '14 at 11:09
  • I'm not suggesting you use an ACL to stop the "more global" GPO from being applied. I'm suggesting that you create a new "more specific" GPO that applies to only the servers you care about that sets the values for the legal notice caption to blank strings. You may need to use an ACL to scope that "more specific" GPO to only those servers. If those servers are alone in an OU you can just link the new GPO to that OU and the default permissions will be sufficient. The "more global" GPO will still apply but the settings will be "overridden" by your "more specific" GPO. – Evan Anderson Oct 29 '14 at 11:12
  • I see. Thanks. I considered setting the policy as a blank string, but it seemed like that would only have the effect of making it 'unset'. But I will give it a try. – MrVimes Oct 29 '14 at 11:14
  • I see now that it does let me leave it blank, and the 'Not defined' setting disappears. I have done what you suggest and it works. Thank you. – MrVimes Oct 29 '14 at 11:24
  • Glad I could help. – Evan Anderson Oct 29 '14 at 11:26
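
The approach from the answer above, scripted as an added example (not part of the original posts): it creates the more specific GPO, links it at the domain with security filtering, and then checks on a target server that the legal notice registry values are blank. The GPO name, domain DN and group name are hypothetical placeholders; the example assumes the filter group already exists and that the two "Interactive logon" message settings write `LegalNoticeCaption` and `LegalNoticeText` under the `Policies\System` key.

```powershell
# --- Part 1: on a management host with the GroupPolicy module (RSAT) ---
Import-Module GroupPolicy

# Hypothetical names: substitute your own.
$GpoName     = 'Servers - Blank Logon Message'
$DomainDn    = 'DC=example,DC=com'
$FilterGroup = 'NoLogonMessage-Servers'   # existing group holding the computer accounts

New-GPO -Name $GpoName -Comment 'Blank logon message for auto-logon servers' | Out-Null

# Linked at the domain like the existing GPO, so link order decides the winner:
# link order 1 has the highest precedence.
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes -Order 1 | Out-Null

# Security filtering: only the group applies the GPO. Authenticated Users is
# reduced to Read rather than removed so computers can still read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Now edit the GPO in GPMC and define both "Interactive logon: Message title..."
# and "Interactive logon: Message text..." as empty strings.

# --- Part 2: on each target server, in an elevated session ---
$GpoName = 'Servers - Blank Logon Message'   # same name as in Part 1

function Test-LogonMessageBlank {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        # The text may be stored as a multi-string; join before testing.
        $value = ($props.$name -join '')
        [pscustomobject]@{
            Value   = $name
            IsBlank = [string]::IsNullOrWhiteSpace($value)
        }
    }
}

gpupdate /target:computer /force | Out-Null
gpresult /r /scope:computer | Select-String -SimpleMatch $GpoName   # GPO listed as applied?
Test-LogonMessageBlank | Format-Table -AutoSize
```

A computer picks up new group membership at its next restart, so reboot the servers after adding them to the filter group before running Part 2.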