Thursday, December 06, 2007

Windows Vista SP1 Release Candidate is out there!

From the Vista Team blog:
Today we're making available the release candidate (RC) of Windows Vista SP1 via Microsoft Connect, and tomorrow subscribers to TechNet and MSDN will have access to those RC bits too. In addition, the RC will be available to the public next week via Microsoft's Download Center.

Check out the Vista Team blog here!

Go get it!

/Jakob

Windows Server 2008 RC1 in Public Beta!

Today Microsoft made available for download the Release Candidate 1 (RC1) version of Windows Server 2008!

This build includes Group Policy Preferences - you HAVE TO try it out!

Download your evaluation copy here!

/Jakob

Wednesday, December 05, 2007

Group Policy Changes in WS2008 article - part 3

Hi,

Just want to let you know that my latest article about "Group Policy related changes in Windows Server 2008" is released on www.windowsecurity.com.

This 3rd article in the series deals with the new and shiny Group Policy Preferences - read more here...

I hope you like it!!!

/Jakob

Saturday, December 01, 2007

Formatting "Message text for users attempting to log on"

If you have ever tried defining the Security Options policy setting called "Interactive logon: Message text for users attempting to log on", you may have had some difficulty formatting the message the way you wanted it. This post is about how to work around a minor bug in the GPEDIT tool...

The issue:

First things first - the Group Policy setting is located here:

"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"

The value is a Multi-String registry value that allows the message to span multiple lines. The message pops up right after a user hits Ctrl+Alt+Del, as a general warning to the user before actually logging on. Unfortunately, the formatting isn't as perfect as it could be.

What happens is that carriage returns are lost after formatting this "pre-logon message" with GPEDIT. Imagine you want a message like this (see Figure 3):

--->

I don't know why this should be so hard? Jump next line please...

Let's do a comma, and continue the line...
Line number 4 is ready, but let's jump line 5 & 6 now...


Line 7 finishes up this story!

<---

Such a message would end up as (see Figure 5):

--->

I don't know why this should be so hard? Jump next line please...
Let's do a comma, and continue the line...
Line number 4 is ready, but let's jump line 5 & 6 now...
Line 7 finishes up this story!

<---

So, basically the problem is: line feeds/carriage returns/empty lines disappear completely!

You can actually see this within the GPEDIT GUI, but only if you hit "Apply" before "OK" - if you just hit "OK" after typing in your message you cannot see that it's actually changed by GPEDIT (so you think the formatting is working as it should). I tested this behavior with GPEDIT on Windows XP SP2 (local policy), Windows Server 2003 SP1 (domain policy), Windows Vista SP Pre-RC (local policy) and Windows Server 2008 RC1 (domain policy).

Figure 1 - I typed in my message with the format I wanted.

Figure 2 - I clicked Apply, and the formatting was changed.

If I had just clicked OK I wouldn't have noticed the change - anyway it's a bit annoying, right?

Solution/Workaround:

The solution I came up with is to modify the policy file directly/manually using Notepad. The file is located here:

"\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

Within that file we have the relevant registry value, called "LegalNoticeText":

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don't know why this should be so hard? Jump next line please...," ",Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...," "," ",Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences, which are the same as empty lines.

This is the relevant line from a working GptTmpl.inf file (the correct syntax, written manually), and it actually works great:

Figure 3 - Pre-logon message on a Windows Server 2003 SP1 Domain Controller.

Figure 4 - The above inserted GptTmpl.inf line also works for Windows XP SP2 in the same domain.

So, this proves that the INI file can actually be correctly formatted so clients (tested w/WS2003 SP1 and XP SP2 in a domain) can show the message perfectly. Please notice that the behavior is similar with local policies, but my testing has been focused on domain environments so far.

If you modify the working policy setting using GPEDIT again, even changing just a tiny bit (or just hitting OK on an existing setting), the formatting/syntax is unfortunately ruined again when the GPO is saved by GPEDIT! Here is what came out of it when I tested it:

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don't know why this should be so hard? Jump next line please...,Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...,Line 7 finishes up this story!

Notice the " " (<quote><space><quote>) sequences are gone! This gives a wrong result (no empty lines) when clients get the pre-logon message.

Figure 5 - The formatting is lost (or wrong) when GPEDIT does the job.

Please note: if you're testing this, you will have to define an additional policy setting for it to work, namely the "Interactive logon: Message title for users attempting to log on" setting.

Figure 6 - The title must be set for the pre-logon message to appear.

Conclusion

So, my conclusion is that the existing version of GPEDIT doesn't modify the GptTmpl.inf file properly (or the registry for local policies, for that matter) - for this particular value at least... My best guess is that it doesn't handle the quotes (") correctly, but I can't be 100% sure. A bug report has been filed with Microsoft - so hopefully it will be fixed before the final release of Windows Server 2008 and the Remote Server Administration Tools (RSAT).

However, as mentioned you can make it work with a workaround like this: Just perform the GptTmpl.inf (below SYSVOL) editing manually, make a backup of the file when it's perfect - and never touch that GPO with GPEDIT again... Until Microsoft releases an updated version of GPEDIT anyway.
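The manual edit can be generated and checked mechanically. The following is an added example, not part of the original post or any Microsoft tool: it encodes a banner using the two quoting sequences visible in the working line above (" " for an empty line, "," for a literal comma), decodes a GptTmpl.inf line back into displayed lines, and reports blank lines lost after a GPEDIT save. The function names are hypothetical and the quoting rules are inferred from the lines shown in this post.

```python
import re

# Key and quoting sequences copied from the GptTmpl.inf lines in this post.
KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText"
BLANK = '" "'   # quote-space-quote: one empty line
COMMA = '","'   # quote-comma-quote: a literal comma inside a line (inferred)
# One field: a blank-line marker, or text in which "," stands for a comma.
FIELD = re.compile(r'" "(?=,|\Z)|(?:","|[^,])*')

def encode_banner(message):
    """Build the LegalNoticeText line for a multi-line banner (hypothetical helper)."""
    fields = [BLANK if not ln.strip() else ln.replace(",", COMMA)
              for ln in message.split("\n")]
    return KEY + "=7," + ",".join(fields)

def decode_banner(inf_line):
    """Return the list of lines that a LegalNoticeText line encodes."""
    kind, _, value = inf_line.split("=", 1)[1].partition(",")
    if kind != "7":
        raise ValueError("expected the multi-string type prefix 7, got " + kind)
    lines, pos = [], 0
    while True:
        field = FIELD.match(value, pos).group()
        lines.append("" if field == BLANK else field.replace(COMMA, ","))
        pos += len(field)
        if pos >= len(value):
            return lines
        pos += 1  # step over the comma that separates two lines

def banner_drift(intended, inf_line):
    """Compare the intended banner with what the policy file actually encodes."""
    want, got = intended.split("\n"), decode_banner(inf_line)
    return {"matches": want == got,
            "blank_lines_lost": want.count("") - got.count("")}

# The message from this post and the line GPEDIT wrote back (both copied from above).
INTENDED = "\n".join([
    "I don't know why this should be so hard? Jump next line please...",
    "",
    "Let's do a comma, and continue the line...",
    "Line number 4 is ready, but let's jump line 5 & 6 now...",
    "", "",
    "Line 7 finishes up this story!",
])
GPEDIT_LINE = KEY + """=7,I don't know why this should be so hard? Jump next line please...,Let's do a comma"," and continue the line...,Line number 4 is ready"," but let's jump line 5 & 6 now...,Line 7 finishes up this story!"""

if __name__ == "__main__":
    print(encode_banner(INTENDED))
    print(banner_drift(INTENDED, GPEDIT_LINE))
```

Running `banner_drift` against the line currently in the GPO after any change shows whether the file needs to be restored from the backup copy.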

 

Related KB articles out there:
KB 330618
KB 238149
Technet article

 
