SID-500


PowerShell: Creating Login Banners (Logon Screen)

One of the first things you learn in Cisco lessons is how to create login banners. A banner is a message shown to a user who is using the device. In this article I am going to configure login banners for Windows Server and client systems by using Windows PowerShell.

Introduction

Login banners can be configured in two ways: through the graphical interface or from the command line. In the graphical user interface, the configuration can be found in gpedit.msc under Computer Configuration – Windows Settings – Security Options.


If you want to configure login banners with group policies, open gpmc.msc and configure these two settings. Then link the GPO to an OU/Site/Domain. In this article we configure Login Banners without GPOs.

Configuring Interactive Login Messages with PowerShell (localhost)

We have to configure the message title and the message text. If we leave one of them unconfigured, Login Messages will not be displayed.

Run the following one-liner to set the title of the message (Welcome!):

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "legalnoticecaption" -Value "Welcome!"


Next, configure the message text. (*** Authorized Access Only ***)

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "legalnoticetext" -Value "*** Authorized Access Only ***"


Log off and log on again. The message is now shown on the logon screen.

Configuring Interactive Login Messages with PowerShell (Remote Computers)

To configure logon banners on all server systems, we must first retrieve a list of the server computer names. To collect all server computer names from Active Directory and save them to a file, run

(Get-ADComputer -Filter 'operatingsystem -like "*server*"').Name | Out-File C:\Temp\Servers.txt


Next, modify the registry settings for welcome messages of each server by executing

Get-Content C:\Temp\Servers.txt | ForEach-Object {Invoke-Command -ComputerName $_ {Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "legalnoticecaption" -Value "Welcome!";  Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "legalnoticetext" -Value "*** Authorized Access Only ***"}}
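The one-liner above stops reporting useful information as soon as a server is unreachable, and it does not confirm that both values were written (the banner is only displayed when title and text are both set). The following is an added example, not code from the original article: it applies the same two registry values per server, catches connection errors, reads the values back and writes the servers that need a second pass to a retry file. The path C:\Temp\Servers-retry.txt is an assumption made for this example.

```powershell
# Added example: banner rollout with per-server error handling and verification.
$ServerList = 'C:\Temp\Servers.txt'          # list created in the previous step
$RetryList  = 'C:\Temp\Servers-retry.txt'    # hypothetical path for failed servers
$Caption    = 'Welcome!'
$Text       = '*** Authorized Access Only ***'

# Runs on each remote server: write both values, then read them back.
$SetBanner = {
    param($Caption, $Text)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name 'legalnoticecaption' -Value $Caption -ErrorAction Stop
    Set-ItemProperty -Path $key -Name 'legalnoticetext'    -Value $Text    -ErrorAction Stop
    $current = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Caption = $current.legalnoticecaption
        Text    = $current.legalnoticetext
    }
}

# Skip empty lines in the server list.
$servers = Get-Content -Path $ServerList | Where-Object { $_.Trim() }

$results = foreach ($server in $servers) {
    try {
        $r = Invoke-Command -ComputerName $server -ScriptBlock $SetBanner `
                 -ArgumentList $Caption, $Text -ErrorAction Stop
        # The banner is displayed only if title AND text are both configured.
        $status = 'Mismatch'
        if (($r.Caption -eq $Caption) -and ($r.Text -eq $Text)) { $status = 'OK' }
        [pscustomobject]@{ Server = $server; Status = $status; Detail = '' }
    }
    catch {
        # Server offline, WinRM not enabled or access denied: record and continue.
        [pscustomobject]@{ Server = $server; Status = 'Failed'; Detail = $_.Exception.Message }
    }
}

# Summary for the operator.
$results | Sort-Object Status, Server | Format-Table -AutoSize

# Save every server that is not confirmed so the rollout can be repeated for it.
$results | Where-Object { $_.Status -ne 'OK' } |
    Select-Object -ExpandProperty Server |
    Out-File -FilePath $RetryList
```

Pointing $ServerList at the retry file and running the script again processes only the servers that failed the first time.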


Another option is using Group Policies.

See also

For more about bulk operations, see my articles:

PowerShell: Enable Remote Desktop on multiple Servers remotely (Bulk)

PowerShell: Changing Active Directory user logon names (Bulk)

 


2 Comments

  1. rolandehle says:

    That would actually be a nice task for Try and Catch, to run the command only on the computers that are reachable 😀


    • pewa2303 says:

      Hello Roland, thanks for the tip: yes, that would certainly be a good idea this way too. I was actually thinking of Windows servers, which are always reachable, and of a clean database 😉



WHOIS

My name is Patrick Grünauer (pewa2303). I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!
