How to Add a Logon Banner using Group Policy

How to Add a Logon Banner using Group Policy

Configuring Logon Banners/ Legal Notices using Active Directory GPO

In an organization, logon banners are used to provide warnings to users who access systems for illegal purposes or in an unauthorized manner. They also contain information for authorized users regarding what is considered acceptable use of the system. The user agrees to the terms and conditions to successfully log in. Hence, these are also called interactive logon messages.

In order to be able to prosecute unauthorized users, organizations must configure legal notices or logon disclaimers at all access points. Typically, a logon banner is supposed to contain information regarding what is considered appropriate use of the system, the system is under supervision for detecting unauthorized and illegal activity and that privacy cannot be expected while using the system. These are most often used in organizations for legal reasons. When these warning messages are not used, organizations become legally vulnerable to unauthorized personnel who use the systems for illegal purposes.

These interactive logon messages can be configured using the methods given below.
  1. Adding logon banners using Group Policy
  2. Adding logon banners using PowerShell commands
Adding a Logon Banner using Group Policy
These interactive logon messages can be configured using Group Policy Objects (GPOs) in Active Directory. Specifically, the following group policies must be configured for setting logon banners.
  1. Interactive Logon: Message text for users attempting to logon
  2. Interactive Logon: Message title for users attempting to logon
To add an interactive logon message using Group Policy Objects (GPOs) in Active Directory, follow the steps given below. The pre-requisite for performing this is to login using an administrative account into the domain controller.

  1. Open the Group Policy Management Console (GPMC).
  2. On the left pane of the console tree, under the Domains option, right-click on the domain for which the group policy needs to be applied and click on the Create a GPO in this domain, and link it here option.
  3. Create a new group policy and name it appropriately (For example, Logon Banner). Click on OK.
  4. Right-click on the new group policy (Logon Banner) and click on Edit. This opens the GroupPolicy Management Editor.
  5. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration> Policies > Windows Settings > Security Settings > Local Policies and select Security Options.
  6. On the right pane of the console, select the Interactive Logon: Message text for users attempting to logon policy. This is used to specify the text message to be displayed to the users at the time of logon.
  7. In the Security Policy Settings tab, check the Define this policy settings in the template checkbox. Enter the logon message to be displayed and click Apply and OK.
  8. Next, select the Interactive Logon: Message title for users attempting to login policy. This is used to specify the title that appears on the title bar of the Interactive logon window.
  9. In the Security Policy Settings tab, check the Define this policy settings in the template checkbox. Enter an appropriate title and click Apply and OK.
  10. After configuring the title and text of the interactive logon message, run the following command to apply the group policy.
gpupdate /force

For example, if the message title is “Warning” and the message text is “This computer should be used for authorized purposes only. Unauthorized use of this computer will lead to disciplinary action or prosecution”, whenever a user logs on to the system, this interactive message is displayed. The user can log in by clicking on the OK button.

Adding a Logon Banner using PowerShell commands

Logon banners can also be configured using PowerShell commands. The Set-ItemProperty cmdlet can be used to display the interactive message text and title. The Path, Name, and Value parameters can be set in order to configure the text and title. 
    • Related Articles

    • Different Group Policy Settings

      Group Policy includes policy settings that affect both Users and Computers. The settings under Computer Configuration control how the computer is configured. The settings under User configuration control the user’s log on session. Settings configured ...
    • Group Policy

      In a nutshell, a Group Policy is a collection of settings, which determine how a unit of users/computers should behave. The Two Types of Group Policies: Administrators can use Group Policies to enforce a set of configuration settings to both the ...
    • How to Change Account Lockout Policy using Group Policy Objects in Active Directory

      Changing the Active Directory Account Lockout Policy  Introduction to Active Directory Account Lockout Policy Account lockout policies are used by IT administrators to lock out an Active Directory account after multiple unsuccessful attempts. It is ...
    • Group Policy Results

      It is always a good practice to know what policy settings are being applied to a user or computer, since GPO imposes a lot of restrictions and customizations on the user and computer. So, if something is amiss, a review of the policy settings will ...
    • Managing Websites using Active Directory Group Policy Objects (GPO)

      How to Blacklist/ Whitelist and Bookmark select Websites on Browsers using GPO Organizations frequently need to block or restrict access to specific websites and applications for security and management reasons. Certain websites may not be safe and ...