Customized Gpo

  • Last Post 26 May 2016
yogeshcittu posted this 25 May 2016

Hi All,

Is there any group policy that we can create so that when users log in to their machine they should be able to view a pop-up message? For example, "Good morning etc...." This pop-up message should appear only on Tuesday of every week.

We already have interactive logon in place with MS license agreement set.

If group policy is not a feasible option, then please suggest other feasible ways.

Regards,
Yogesh

g4ugm posted this 26 May 2016

As I said, you need to run that in the context of an administrator, whereas login scripts normally run as the logging-in user…

Dave

jeremyts posted this 26 May 2016

Not true Dave.

You can block Task Manager on the fly, and then allow it again when the script exits.

Go to a command prompt and run this:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1

Can you run Task Manager?

Run this to remove the value:

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f

Or the script can look for the taskmgr.exe process and kill it if the user tries to launch it.

Running it as a native VBScript would be ugly unless using MSHTA.exe or IE to present as a form and as pointed out already, it’s simply too unreliable across OS’s, versions of IE, and patch levels.

A nice form using PowerShell and .Net is what the Dr ordered.

It depends on the use case and business requirements as to how it runs on and off the network, but pushing it out via a GPP so that it’s on the local drive and also using GPP to create a Scheduled Task that runs at user logon will get around that. This is one of the options Darren spoke of.

Cheers,

Jeremy

g4ugm posted this 26 May 2016

The problem with anything like that is that if it runs in the user's context then you can Ctrl+Alt+Del it and bypass the accept button. There are tools that are legally binding, but they are expensive, e.g. http://www.netconsent.com/, which actually disables Task Manager while it runs. Personally, for this task I think I would use a logon script in a GPO in VBS and test for date/times in the script, but it’s a problem as if the script is stored remotely it may not run if no network is present. (Netconsent has this problem.)

Dave Wade
G4UGM

Parzival posted this 26 May 2016

Hi,

We actually used a VBS script waaaaaay back that opened an Internet Explorer, and ran the login script completely within the HTTP frame. It had banners, good morning etc., and even included the site you were (AD based), printers etc.

If needed (and if it even still works due to increased security mechanisms), I can send you an offline copy.

Roelf

Mahdi posted this 26 May 2016

Indeed!

That is the reason I mostly hardcode my message in a jpg file and display that picture using HTA.

Thanks for the link. That 'I accept terms..' button really caught my eyes. :)

Sent from my BlackBerry 10 smartphone.

jeremyts posted this 26 May 2016

I wouldn’t be recommending using HTA because the mshta.exe host is based on IE, including varying HTML and CSS standards, so tends to provide different and inconsistent experiences across different Operating Systems and IE versions, patch levels, etc. I gave up maintaining mine because the maintenance was far too high:

http://www.jhouseconsulting.com/2007/12/28/creating-a-message-of-the-day-banner-using-a-hta-4

.NET and PowerShell will provide a consistent experience and is the right way to go for this use case.

Cheers,

Jeremy

Mahdi posted this 26 May 2016

No built-in GPO, but you can use an HTA script and run it as a MOTD. Here is the wiki I wrote:

http://social.technet.microsoft.com/wiki/contents/articles/33322.display-message-to-active-directory-users-using-html-language-and-hta-with-group-policy.aspx

If you want to only show this MOTD on specific days you need to write a PowerShell script which gets the GPO name of this MOTD, and pipe it to enable link using the GroupPolicy module in PowerShell.

For disabling, do the opposite thing the day after.

Sent from my BlackBerry 10 smartphone.

jeremyts posted this 25 May 2016

You really just need a “Message of the day” type script:

https://www.google.com.au/search?q=message+of+the+day+script&oq=message+of+the+day+script&aqs=chrome..69i57j0l4.9089j0j8&sourceid=chrome&essm=93&ie=UTF-8#q=message+of+the+day+script+windows

There’s even one here from yours truly, but don’t use mine as I wrote it 9 years ago, so it’s a bit old in the tooth.

I like this one because it’s written in PowerShell and I know that Alain based it on similar requirements to me:

https://wagthereal.com/2011/09/27/powershell-message-of-the-day/

So you can take this and add some intelligence in it so that it exits immediately unless it’s a certain day of the week, etc.

There are so many ways you can then deliver/execute the script via GPO as Darren explained.

Cheers,

Jeremy
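
Added example (not part of the original post, and not taken from any script linked in the thread): a PowerShell/.NET logon banner that exits immediately unless it is Tuesday, and wraps the on-the-fly DisableTaskMgr block described elsewhere in the thread in try/finally so the value is removed when the form closes. The message text, form layout and variable names are assumptions.

```powershell
# Added example, not from the thread. Assumes it runs at user logon in the user's context.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Exit immediately unless today is the configured day of the week.
if ((Get-Date).DayOfWeek -ne [System.DayOfWeek]::Tuesday) { return }

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'DisableTaskMgr'
$weSetIt = $false
$form = $null
try {
    # Only touch the value if it is not already set, so an existing
    # policy setting is never removed by this script's cleanup.
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        try {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force -ErrorAction Stop | Out-Null }
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force -ErrorAction Stop | Out-Null
            $weSetIt = $true
        } catch {
            # The write fails if this user cannot write to the Policies key; show the banner anyway.
            Write-Warning "Task Manager not blocked: $($_.Exception.Message)"
        }
    }
    $form = New-Object System.Windows.Forms.Form
    $form.Text = 'Message of the day'          # constructed sample text
    $form.ClientSize = New-Object System.Drawing.Size(380, 120)
    $form.StartPosition = 'CenterScreen'
    $form.TopMost = $true
    $form.ControlBox = $false                  # no close box in the title bar
    $label = New-Object System.Windows.Forms.Label
    $label.Text = 'Good morning'               # constructed sample text
    $label.AutoSize = $true
    $label.Location = New-Object System.Drawing.Point(20, 20)
    $ok = New-Object System.Windows.Forms.Button
    $ok.Text = 'OK'
    $ok.Location = New-Object System.Drawing.Point(150, 70)
    $ok.DialogResult = [System.Windows.Forms.DialogResult]::OK
    $form.AcceptButton = $ok
    $form.Controls.Add($label)
    $form.Controls.Add($ok)
    [void]$form.ShowDialog()
}
finally {
    # Always lift the block this script added, even if the form throws.
    if ($weSetIt) { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
    if ($form) { $form.Dispose() }
}
```

The finally block does not run if the PowerShell process itself is terminated, so a DisableTaskMgr value can be left behind in that case.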

 


darren posted this 25 May 2016

There’s nothing in GP that naturally does this, but you could use GP to deliver a script or a Scheduled Task that runs the popup at logon (e.g. via a logon script or a Scheduled Task that triggers at user logon).

Darren