Posts tagged ‘logon’

Best Practice: How to use Group Policy to configure Windows 7 Logon UI Background Wallpaper

Since I posted my Best Practice: Using Group Policy to configure Desktop Wallpaper (“Background”), a few of you have asked me to do a post showing how to configure the Windows 7 Logon UI Background wallpaper. So below I have outlined the steps (with tips) showing you how to deploy and enable a Logon UI background wallpaper on your fleet of Windows 7 computers.

Unlike the normal Background option, the Logon UI Background is only shown when nobody is logged on to the computer or when it is locked. I know some of you might loathe having to set a wallpaper for your users' computers because, like me, you like to have the freedom to change this setting. This may be a much nicer balance for your users and management, as you can still have your corporate branding applied to your computers while allowing users to have their own custom background image when they are logged on.


Tip #1: Before you start, I would check out the WithinWindows article that goes into more detail on how this option is configured: Windows 7 to officially support logon ui background customization.

Essentially we have to do three things: 1. create a local folder for the background image; 2. copy the background image to the local folder; and 3. enable the registry key to show the background image.

Step 1. Edit a Group Policy Object that is applied to the machines that you want to make this change on. Then use the Folders Extension to create the path “%WindowsDir%\System32\oobe\info\backgrounds”.

Explanation: This creates the folders in which we will place the logon background image, as they are not normally created out of the box (OOB).

Note: Even though the “Info” folder is not explicitly created, it is part of the path and so will be created implicitly.

Step 2. In the same Group Policy Object use the File Extension to copy a background image (e.g. backgroundDefault.jpg) to the path that was created above.

Note: In this example the source was “\\demodc01\Wallpaper\backgroundDefault.jpg” and the destination was “%WindowsDir%\System32\oobe\info\backgrounds\backgroundDefault.jpg”

Tip #2: As this policy runs under the context of the local System account, you will need to make sure the network location the file is copied from grants read access to the Domain Computers group.

Now we need to enable the “OEMBackground” registry key so that Windows will use the wallpaper file we just copied over to the computer (see details below).

OEMBackground

Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
Value: OEMBackground (REG_DWORD32)
Data: 0 (Standard Wallpaper only, Default)
Data: 1 (Custom Logon UI wallpaper enabled if possible)

Step 3: Again, in the same GPO we need to enable the Logon UI Wallpaper and create a new Registry Extension item.

Step 4 (Optional): Configure the Description.

Tip #3: This is not required but is always a good idea so that someone else looking at this policy can figure out what the policy does.

Tip #4: As this registry key already exists then I would NOT recommend using the


Done. Now when the user logs off or shuts down the computer they will see the new background image.

What I really like about this method, as opposed to doing it via a logon script, is that the effect is immediate, and if the user finds and changes the background image it will be reset at the next policy refresh. This also means you can push out a new background image on a regular basis, as all you have to do is update the source background image on the network and it will automatically propagate from there…

Tip #5: If the background image is not working, make sure the file is less than 250kb in size, as this is a built-in restriction, presumably to prevent slowdowns from loading very large image files. To resize the image I use Paint.NET, a free image editing app that allows you to configure the compression ratio on JPG files.

Tip #6: Remember that if you use only the “backgroundDefault.jpg” file then it will stretch and skew the photo to fit the resolution of the screen. See the WithinWindows article for the other file names that are used for specific screen resolutions/ratios.
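
A quick way to confirm on a client that all three pieces from the steps above are in place. This is an added example, not part of the original post; the function name Test-LogonBackground is made up for illustration, and the 250kb limit from Tip #5 is taken as 250 * 1024 bytes.

```powershell
# Read-only check of the folder, image file and registry value described above.
function Test-LogonBackground {
    param(
        [string]$Folder   = (Join-Path $env:windir 'System32\oobe\info\backgrounds'),
        [string]$FileName = 'backgroundDefault.jpg',
        [int]$MaxBytes    = 250KB   # assumption: "250kb" read as 250 * 1024 bytes
    )
    $regPath  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background'
    $image    = Join-Path $Folder $FileName
    $problems = @()

    # 1. The folder is not present out of the box, so the policy must have created it.
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        $problems += "Folder missing: $Folder"
    }

    # 2. The image must exist and stay under the size limit, or it is ignored.
    if (Test-Path -LiteralPath $image -PathType Leaf) {
        $size = (Get-Item -LiteralPath $image).Length
        if ($size -ge $MaxBytes) {
            $problems += "Image is $size bytes; must be under $MaxBytes"
        }
    } else {
        $problems += "Image missing: $image"
    }

    # 3. OEMBackground must be 1 for the custom image to be used.
    $value = (Get-ItemProperty -Path $regPath -Name OEMBackground -ErrorAction SilentlyContinue).OEMBackground
    if ($value -ne 1) {
        $problems += "OEMBackground is '$value', expected 1"
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-LogonBackground | Format-List Computer, Ok, Problems
```

Run it from a 64-bit PowerShell session on 64-bit Windows, since a 32-bit process is redirected away from System32 and would check the wrong folder.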

Group Policy Setting of the Week 39 – Always use custom logon background

This week's setting of the week allows you to prefer a custom logon background image in Windows 7. This setting is called “Always use custom logon background” and can be found under Computer Configuration > Policies > Administrative Templates > System > Logon.

Microsoft brought back the option to easily customise the logon background in Windows 7 as this was previously possible in Windows XP but it was removed with Windows Vista which left people with some pretty messy workarounds.

Once you have enabled this option, all you have to do is create the “%windir%\system32\oobe\info\backgrounds” folder and populate it with a backgroundDefault.jpg image, and your computer will then use that as the background image when logging on and off.

Note: Some sites will direct you to configure the OEMBackground or UseOEMBackground value in the HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background key; however, this setting negates the need to set this key.

For more info on how to configure a custom background check out Windows 7 to officially support logon UI background customization

Group Policy Setting of the Week 35 – Display information about previous logons during user logon

This week's setting is one that has just been mentioned in the AD Blogs Friday mail sack and until today was a setting/feature of Windows Vista/7 that I didn’t know existed. This setting displays information about previous logons during a user logon and is very similar to the last logon screen I see when logging onto an online banking web site. This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options and must be applied to workstations AND domain controllers for it to work. The only downside of this setting is that you need to be in 2008 native mode for it to work, so this might exclude some organisations for now.

WARNING: Be sure that you apply this setting to your domain controllers first otherwise they will not be able to logon.

Below is the message a user will see after logging on successfully when the previous logon was also successful.

In this example we see the message when someone logs on successfully after the 5 previous logon attempts had failed. Obviously this logon count number would raise a really big red flag for a user, especially if you are sure that you were not the one who logged on incorrectly.

For more information check out:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

http://technet.microsoft.com/en-us/library/dd446680(WS.10).aspx

Group Policy Setting of the Week 28 – Maximum wait time for Group Policy scripts

This week's Group Policy setting should be used in environments where you still use a logon script. While I implore you to stop using logon scripts (see http://www.ihatelogonscripts.com ) they are still out there for a majority of customers and as such still need to be properly managed. This setting is called “Maximum wait time for Group Policy scripts” but it can also be referred to as a “dead man’s switch” which will kill any logon script if it ever locks up <sarcasm> which of course NEVER happens </sarcasm> . This setting can be found under Computer Configuration > Policies > Administrative Templates > System > Scripts.

The default value for this option is 600 seconds (10 minutes), but I recommend that you configure this to something more reasonable, between 60 seconds (1 minute) and 180 seconds (3 minutes), depending on your environment.

For more information on this option check out http://technet.microsoft.com/en-us/library/cc780635(WS.10).aspx

Best Practice: How to schedule a delayed start logon script with Group Policy

Logon Scripts!!! I hear you yelling at me about why I am doing a tutorial about logon scripts when Group Policy Preferences is supposed to allow me to stop using my logon scripts. Well, in a utopian world there would be no logon scripts to maintain; however, there are still some situations where you might have to execute a program at logon. One example I recently saw on the Group Policy Forums was a person who wanted a way to delay the launching of the browser so as to not add additional delay to the user's logon on what was already a slow computer. This is somewhat similar to the Delay Start option for services that was introduced in Windows 7.

Prerequisites: This is a Windows Vista+ configuration as Windows XP has a more limited scheduling engine. If you really want to do this via Windows XP (sucks to be you) you could run the script with some third-party delay/timeout tool in it and just have it run from the user's “Startup” start menu folder…


Step 1. In a Group Policy Object (GPO) that you have targeted at all the users (or most of them) that you want the delayed start program/action to run for, go to “User Configuration” > “Preferences” > “Scheduled Tasks” then go “Action” > “New” > “Scheduled Task (Windows Vista and later)”. Then type the display name of the script in the “Name” field (see image 1) and click on the “Triggers” tab.

Note: In this example we are just going to be running a command prompt so the Name is “CMD.exe”.

Image 1: Scheduled Task Properties

Step 2. On the Triggers tab click the “New” button. Change the “Begin the task” drop-down option to “At log on” and then tick “Delay task for:” and configure the delay from the drop-down menu (see image 2). Then click “OK”.

Note: Unfortunately this option does not seem to be user configurable so for the use of a logon script “30 seconds” and “1 minute” are the only practical options.

Image 2: New Trigger

Step 3. You should now have the trigger configured for your event that looks like the image below (see image 3). Now click on the “Actions” tab.

Image 3: Configured Trigger

Step 3. In the “Actions” tab click on the “New” button and then configure the action you want to take. Again in this example we are just going to be running a command prompt so configure the “Action” to “Start a program” (see image 4).

Note: You can also use this option to send an e-mail or even display a pop-up message to the users. Very handy if you used to use the “net send” program in Windows XP before Service Pack 2, as it was disabled due to security issues.

Image 4: New Action

Step 4. Configure the “Program/Script” to run to “C:\Windows\system32\cmd.exe” then click “OK” (see image 5).

Image 5: New Action

Step 5. Click “OK” (see image 6)

Image 6: Actions Tab

Now you are done. The task is scheduled and it will be pushed out to all your users at the next Group Policy refresh (see image 7).

Note: If you don’t want this to apply to all your user accounts you can also use Group Policy Preferences targeting options to refine the targeting.

Image 7: Scheduled Tasks

Below is the view of the scheduled task as configured on the computer (see image 8,9 & 10).

Note: The settings on the tabs are greyed out because the task is being controlled by Group Policy.

Image 8: Scheduled Tasks General Tab

Image 9: Scheduled Tasks Triggers Tab

Image 10: Scheduled Tasks Actions Tab
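
To review what such a policy leaves on a client, the task definition can be read as XML and checked for its logon trigger, delay and command. This is an added example, not from the original post; Get-LogonTaskSummary is a hypothetical helper and the XML is constructed to match the CMD.exe task built above.

```powershell
# Constructed sample: Task Scheduler XML matching the CMD.exe task from this post.
# On a client, 'schtasks /query /tn <task name> /xml' prints the real definition.
$sampleXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\cmd.exe</Command>
    </Exec>
  </Actions>
</Task>
'@

function Get-LogonTaskSummary {
    param([string]$TaskName, [string]$TaskXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($TaskXml)
    $ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

    foreach ($trigger in $doc.SelectNodes('/t:Task/t:Triggers/t:LogonTrigger', $ns)) {
        # Delay is an ISO 8601 duration (PT30S = 30 seconds); absent means no delay.
        $delayNode = $trigger.SelectSingleNode('t:Delay', $ns)
        $delay = [TimeSpan]::Zero
        if ($null -ne $delayNode) { $delay = [System.Xml.XmlConvert]::ToTimeSpan($delayNode.InnerText) }

        foreach ($exec in $doc.SelectNodes('/t:Task/t:Actions/t:Exec', $ns)) {
            $argNode = $exec.SelectSingleNode('t:Arguments', $ns)
            $arguments = ''
            if ($null -ne $argNode) { $arguments = $argNode.InnerText }
            New-Object PSObject -Property @{
                Task         = $TaskName
                DelaySeconds = $delay.TotalSeconds
                Command      = $exec.SelectSingleNode('t:Command', $ns).InnerText
                Arguments    = $arguments
            }
        }
    }
}

Get-LogonTaskSummary -TaskName 'CMD.exe' -TaskXml $sampleXml |
    Format-List Task, DelaySeconds, Command, Arguments
```

A task that runs at every logon is worth knowing about when reviewing a machine, so comparing the reported Command against what the GPO is supposed to deploy is a useful routine check.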
