Posts Tagged ‘gpo’

Change Start Menu Power Button behaviour via Group Policy

October 18, 2010 Comments off

First of all I would like to apologise for the recent lack of updates. The last almost two weeks have been rather hectic but I hope such long breaks in updates are rare if not nonexistent in future. On to the matter at hand:

Do you have Windows Vista workstations on your  Server 2008 domain? If these are public access computers you probably have an all too familiar problem: That annoying power button that resides in the start menu. That annoying button’s default behaviour is to put the machine to sleep. Handy at home, but not so much at a public workstation when users think they shut down, but instead put the machine to sleep locked under their profile.

At home, you can just change your power settings using the Power Options applet in Control Panel. In a domain environment, try this:

Open the desired group policy and open Computer Configuration\Policies \Administrative Templates\System\Power Management\Button Settings.

Here you will find the following settings:

  • Select the Start Menu Power Button Action (Plugged In)
  • Select the Start Menu Power Button Action (On Battery)

Just enable these and set the action to “Shut down”. Personally I would have liked a “Log off” option as well but I guess we can’t have everything. :)

Please note that this setting is stated as supported on Windows Vista only, but on the bright side Windows 7’s default action is already “Shut down”. It might also be worth noting that this setting is separate and distinct from the setting for your system case’s power button – which is located in the same place if you want to modify that as well.


Set default logon domain via Group Policy

October 4, 2010 5 comments

How many of us have had a call that someone could not log on to their computer, only to find that they were trying to log on to the local machine instead of the domain? Worse yet, what if you have a forest with multiple domains?

Server 2008 and Windows Vista, Windows 7

If you are the lucky administrator of a Windows 2008 or 2008 R2 Active Directory with just Windows Vista and Windows 7 clients then your job is easy. There is a group policy found in Computer Configuration\Administrative Templates\System\Logon called “Assign a default domain for logon“. Enable this policy, enter your domain’s name and you are finished.

Server 2003 and Windows XP

However, what if you are one of the many who still run an older version of  Active Directory or happen to have tens, hundreds or thousands of those faithful Windows XP clients operating? You will need to create a script and set it in the machine startup scripts of your Group Policy Object (GPO).

Let us examine the following script courtesy of Microsoft’s Knowledge Base Article 555050:

Dim sDomName
Set oWshShell = CreateObject(“WScript.Shell”)
sDomName = “TEST-DOMAIN”
oWshShell.RegWrite “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName”, sDomName

Create this script in notepad and save it with a .vbs extension, for example DefaultDomainScript.vbs.

  • sDomName is just a variable that holds your domain’s NETBIOS name which in this case is TEST-DOMAIN. Change this to whatever your domain name actually is.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName is a registry key of the client machine that we want to set. This key will be set to the value of sDomName.

Now you need to open the Group Policy Management Editor of one of your Domain Controllers and choose to edit or create a Group Policy Object that applies to the Organizational Unit (OU) containing those computers you want to affect. If for some reason you have not organized your domain into OUs or you want to affect every single PC on your domain, then edit the Default Domain Policy.

Expand Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown) and double click on Startup. Under the Scripts tab, click on “Add…” and then “Browse…”. You will be provided with a dialog box. Copy and paste the startup script you created into the dialog box and open it. You do not need to provide any parameters in the second text entry box.

That’s it! Your clients will use the script at their next restart. Microsoft’s article suggests running GPUPDATE on a domain controller as well, but I have personally found this step not really necessary as the changes tend to propagate quickly enough on their own.

Just how well does the script work? It works well, but there is one little flaw. If the user hits CTRL+ALT+DEL to  log on as soon as the machine completes booting, then the script will not have time to set the default domain. This should generally not present much of an issue unless the systems use sandboxing software such as SteadyState that undo session changes upon restart.

Nonetheless, this can help reduce at least some of those calls by users trying to log on to the wrong domain.

%d bloggers like this: