Re: Registry settings management for 16 computers through Group Po

Dear Darren,

Thank you for your reply. Actually, I already have read the "Using
Administrative Template Files With Registry Based Group Policy" During
Aug.11th and 12th. I wrote this question to see if there is any way other
than creating ADM template because I get confused how locating these 3 keys
under one of these two locations would force them:
[HKLM\Software\Policies] The preferred location
OR
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies]

While they should be located under:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

How to locate these 3 values under policies key part and link them to there
original key location? I did not see any part of this document discussing
this issue!!

I was about to try creating the ADM template file with the original location
of winlogon key, not the Policies key location, but I have read that this
would not be a real policy, and something like that it is not preferred. Am I
right??

1)
Regarding the lock functionality, I already thought of screen saver and
tried it, but the issue here is that it could not be less than one minute. By
using the script for locking the workstation, I have prepared the following
WMI script, but when I posted the question I was hoping to get other way to
do that.

------------------------------------------------------------------------------------
On Error Resume Next

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "%windir%\System32\rundll32.exe user32.dll,LockWorkStation"
------------------------------------------------------------------------------------

2)
Regarding the password visibility in the registry, do you suggest other way
to get this default logon user without using autoadminlogon since we have
this downside?

3)
Regarding the password changing issue, I was meaning that I am not that
user. He could change the password any time. Should I inform hem that his
password should be provided to me (Group Policy Administrator) and not to
change it? And if he is to change it, then he should inform me of it?

Waiting for your comments.


"Darren Mar-Elia" wrote:

> Tariq-
> To do this you need to create a custom ADM file for your 3 registry entries.
> Information on doing this can be found at
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx.
> To answer your questions below,
>
> 1. I don't know of a way to instantly lock the computer after the user logs
> on. There are a couple of things you could try. For example, you use GP to
> set the screensaver to a small interval (1 min) and then enable it to be
> password protected. Alternatively you could try creating a logon script
> within GP that runs the following command, which emulates pressing
> CTRL-ALT-DEL-LockWorkstation
>
> RUNDLL32.exe user32.dll, LockWorkStation
>
> 2. Unfortunately, you cannot obfuscate the password in the registry, which
> is probably the biggest downside to using autoadminlogon
>
> 3. Once you have the custom ADM for these 3 reg entries loaded into a GPO,
> you can continue to modify the password value using that GPO.
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
> FAQs, Whitepapers and Utilities for all things Group Policy-related
> Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
> Check it out at http://www.microsoft.com/mspress/books/8763.asp
>
>
> "Tariq Ziad" <TariqZiad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:308BA1DA-54E4-4EA6-8B53-19DC99DC2A93@xxxxxxxxxxxxxxxx
> > Dear all,
> >
> > I have 16 PC that need a default logon of sertain account to them. I have
> > searched for the solution and found out that need to configure three
> > registry
> > keys as follows:
> >
> >
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
> > "AutoAdminLogon"="1"
> > "DefaultUserName"="username"
> > "DefaultPassword"="password"
> >
> >
> > The point now is that:
> > 1) I need to distripute these registry settings to 16 PCs using group
> > policy. Also, I need these PCs to be automatically locked once the PC is
> > turned on, and the default user has logged on automatically (same as LOCK
> > COMPUTER option when pressing ALT+CTRL+DEL)
> > 2) Is there a way to make the password unreadable in the registry?
> > 3) Suppose this default user paasword was changed, is there a way to
> > change
> > it automatically for these 16 PCs Or I mean is there a way to change it
> > automatically in the group policy that we will use to set the default user
> > and default password (because I am not that default user, and he might
> > change
> > the password)
> >
> > Your reply would be appriciated
>
>
>
.

Relevant Pages

  • Re: Admin / Domain Admin rights problem
    ... As far as Group Policy - registry you will not see that in Local ... >> Key and SubKey - Type of Access: ... >> Detailed Access Flags: ...
    (microsoft.public.win2000.security)
  • Re: Create ADM Template?
    ... Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub: ... > Even after I remove the ADM template, ... > tried your suggestion about the "/" in front of the keyname because I ... >>> To change this default behavior, use Registry Editor to ...
    (microsoft.public.windows.group_policy)
  • Re: Applying zone settings on Pop-up Blocker
    ... I checked the registry and the settings is there! ... > Troubleshooting Group Policy in Microsoft? ...
    (microsoft.public.windows.group_policy)
  • Re: Apply registry setting.
    ... registry setting to the editor in Group Policy and allow you to manage it. ... GPOE and then managed on the GPO itself. ... diagnostic value called 'Replication Events' that can be turned on the ...
    (microsoft.public.win2000.group_policy)
  • Re: Location of local policies
    ... The registry is one location. ... The Group Policy template folder contains subfolders, including, but not ...
    (microsoft.public.windowsxp.security_admin)