Configuring Logon Banners/Legal Notices using Active Directory GPO
In an organization, logon banners are used to provide warnings to users who access systems for illegal purposes or in an unauthorized manner. They also contain information for authorized users regarding what is considered acceptable use of the system. The user agrees to the terms and conditions to successfully log in. Hence, these are also called interactive logon messages.
To be able to prosecute unauthorized users, organizations must configure legal notices or logon disclaimers at all access points. Typically, a logon banner states what is considered appropriate use of the system, that the system is under supervision for detecting unauthorized and illegal activity, and that privacy cannot be expected while using the system. These are most often used in organizations for legal reasons. When these warning messages are not used, organizations become legally vulnerable to unauthorized personnel who use the systems for illegal purposes.
These interactive logon messages can be configured using the methods given below.
- Adding logon banners using Group Policy
- Adding logon banners using PowerShell commands
Adding a Logon Banner using Group Policy
These interactive logon messages can be configured using Group Policy Objects (GPOs) in Active Directory. Specifically, the following group policies must be configured for setting logon banners.
- Interactive Logon: Message text for users attempting to logon
- Interactive Logon: Message title for users attempting to logon
To add an interactive logon message using Group Policy Objects (GPOs) in Active Directory, follow the steps given below. The prerequisite is to log in to the domain controller using an administrative account.
- Open the Group Policy Management Console (GPMC).
- On the left pane of the console tree, under the Domains option, right-click on the domain for which the group policy needs to be applied and click on the Create a GPO in this domain, and link it here option.
- Create a new group policy and name it appropriately (For example, Logon Banner). Click on OK.
- Right-click on the new group policy (Logon Banner) and click on Edit. This opens the Group Policy Management Editor.
- In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies and select Security Options.
- On the right pane of the console, select the Interactive Logon: Message text for users attempting to logon policy. This is used to specify the text message to be displayed to the users at the time of logon.
- In the Security Policy Settings tab, check the Define this policy setting in the template checkbox. Enter the logon message to be displayed and click Apply and OK.
- Next, select the Interactive Logon: Message title for users attempting to logon policy. This is used to specify the title that appears on the title bar of the Interactive logon window.
- In the Security Policy Settings tab, check the Define this policy setting in the template checkbox. Enter an appropriate title and click Apply and OK.
- After configuring the title and text of the interactive logon message, run the following command to apply the group policy.
For example, if the message title is “Warning” and the message text is “This computer should be used for authorized purposes only. Unauthorized use of this computer will lead to disciplinary action or prosecution”, whenever a user logs on to the system, this interactive message is displayed. The user can log in by clicking on the OK button.
Adding a Logon Banner using PowerShell commands
Logon banners can also be configured using PowerShell commands. The Set-ItemProperty cmdlet can be used to set the interactive message text and title. Its Path, Name, and Value parameters identify the registry location, the value to write, and the title or text to store.
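The following is an added example, not code from the original article, showing how the Path, Name, and Value parameters fit together and how to verify the result. It assumes the standard registry values that back the two Interactive Logon policies (legalnoticecaption and legalnoticetext, which the article does not name); the function names Set-LogonBanner and Test-LogonBanner are hypothetical.

```powershell
# Added example: function names are hypothetical. The registry key below is an
# assumption not stated in the article: it is the standard location backing the
# two "Interactive Logon" message policies.
$BannerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-LogonBanner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$Title,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$Text
    )
    # legalnoticecaption = message title, legalnoticetext = message text
    $values = [ordered]@{ legalnoticecaption = $Title; legalnoticetext = $Text }
    foreach ($name in $values.Keys) {
        # ShouldProcess lets the caller preview the change with -WhatIf
        if ($PSCmdlet.ShouldProcess("$BannerKey\$name", 'Set logon banner value')) {
            Set-ItemProperty -Path $BannerKey -Name $name -Value $values[$name] -ErrorAction Stop
        }
    }
}

function Test-LogonBanner {
    # Returns $true only when both values exist and match the expected strings.
    param(
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$Text
    )
    $current = Get-ItemProperty -Path $BannerKey -ErrorAction SilentlyContinue
    if (-not $current) { return $false }
    return ($current.legalnoticecaption -ceq $Title) -and ($current.legalnoticetext -ceq $Text)
}

# Sample values taken from the example message earlier in this article.
$title = 'Warning'
$text  = 'This computer should be used for authorized purposes only. ' +
         'Unauthorized use of this computer will lead to disciplinary action or prosecution'

Set-LogonBanner -Title $title -Text $text      # requires an elevated session
if (Test-LogonBanner -Title $title -Text $text) {
    Write-Output 'Logon banner configured.'
} else {
    Write-Warning 'Logon banner values are missing or differ from the expected text.'
}
```

On domain-joined machines, a linked GPO that defines these two policies overwrites locally written values at the next policy refresh, so the Test-LogonBanner check is also useful for auditing that the GPO has applied.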