Configure Legal Notices On Domain Computers Using Group Policy

In this post we will use Group Policy to configure legal notices on domain computers. Windows Server can be configured to display a message to users when they log on.

When you configure a legal notice, the message appears when the user presses CTRL+ALT+DEL. While I was working as a system admin, I got the task to configure a logon banner. This was for Windows Server 2008 R2 and I am sure the steps covered in this post should work with later server releases.

You can configure legal notices on domain computers in two ways:

  • Write a fancy script and execute it at every logon.
  • Configure the legal notice using a group policy.

In my opinion the second method is very easy. You can use the message display functionality to personalize the logon process, provide news or information, and for other similar purposes. The message appears after the user presses CTRL+ALT+DEL and disappears after the user clicks OK.

Configure Legal Notices On Domain Computers Using Group Policy

To configure legal notices on domain computers using Group Policy:

  • Log in to the domain controller with an administrator account.
  • Click Start > Administrative Tools > Group Policy Management.
  • Under Domains, right-click your domain and click Create a GPO in this domain, and Link it here.

Name the new policy Logon_Banner and click OK.

Right-click the new Logon_Banner policy and click Edit. The Group Policy Management Editor opens.

In the next step, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies. Now click Security Options.

In the right pane, look for the policy Interactive logon: Message text for users attempting to log on. This security setting specifies a text message that is displayed to users when they log on. Paste the text that is to be displayed to users before they log in, then click Apply and OK.

In the right pane, look for the policy Interactive logon: Message title for users attempting to log on. This security setting specifies the title that appears in the title bar of the window that contains the logon message text.

Type the title text and click Apply and OK.

On the client computer, open a command prompt and run the command gpupdate.

Log off from the client computer. Hold CTRL+ALT and press DEL. You should now see the logon banner. Click OK to log in to the computer.
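To confirm the banner actually reached a client without logging off, the following added example (not code from the original post) reads the two registry values behind the policy and compares them with the text you expect. The expected title and text are constructed samples, the function names are made up for this example, and legalnoticecaption is the value name Windows uses for the title (only legalnoticetext is mentioned on this page).

```powershell
# Added example, not part of the original post. Run on a client after gpupdate.
# ASSUMPTION: the two expected strings are constructed samples; replace them
# with the title and text you entered in the Logon_Banner GPO.
$ExpectedTitle = 'Authorized use only'
$ExpectedText  = 'This system is for authorized users only. Activity may be monitored.'

# Where Windows stores the banner. legalnoticecaption holds the message title,
# legalnoticetext holds the message text.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-BannerValue {
    param([string]$Name)
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    # The value can come back as a string or a string array; join it either way.
    return (@($prop.$Name) -join "`r`n")
}

function ConvertTo-ComparableText {
    param([string]$Text)
    # Collapse runs of whitespace so line-break differences alone do not fail the check.
    return ($Text -replace '\s+', ' ').Trim()
}

function Test-LogonBanner {
    $title = Get-BannerValue -Name 'legalnoticecaption'
    $text  = Get-BannerValue -Name 'legalnoticetext'
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        TitlePresent = -not [string]::IsNullOrWhiteSpace($title)
        TextPresent  = -not [string]::IsNullOrWhiteSpace($text)
        TitleMatches = (ConvertTo-ComparableText $title) -ceq (ConvertTo-ComparableText $ExpectedTitle)
        TextMatches  = (ConvertTo-ComparableText $text) -ceq (ConvertTo-ComparableText $ExpectedText)
        TextLength   = ([string]$text).Length
    }
}

$result = Test-LogonBanner
$result | Format-List
if (-not ($result.TitleMatches -and $result.TextMatches)) {
    Write-Warning 'Banner missing or different from the expected text. Run "gpresult /r" to check that the Logon_Banner GPO is applied.'
    exit 1
}
```

The non-zero exit code lets a scheduled task or monitoring agent flag machines where the banner is absent or has been altered.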

58 Comments

  1. We found a “bug” in this GP setting: “Interactive Logon : Message text for users attempting to log on”.
    Our legal notice is large with 1871 characters. When I paste the text in GPEdit, in the resulting logon message, about 1/3 of the way through, commas get converted to carriage returns, and apparently some commas got moved to incorrect locations. This wreaks havoc with the meaning of the legal verbiage, and just looks awfully formatted.

    Workaround / fix (for this and probably most formatting struggles):
    I searched the registry to find where GP writes the “Message Text”, and found this value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext
    My fix is to not use the “interactive Logon” GP setting at all, but instead write your legal notice right here using GP Computer Configuration \ Preferences \ Windows Settings \ Registry

  2. I can’t see Local Policy > Security Options on Server 2019?

  3. Arik shrestha says:

    Can we change that “OK” button to “I Agree”?

  4. Marina Cypert says:

    I agree with you

  5. Prajwal,
    I have an environment where there is a child OU and it has about 80 computers. All the GPOs (there are about 15) are linked to this OU and blocked inheritance from the domain.
    One of the GPOs, named workstation settings, has the interactive login message and text configuration. This includes other security settings as well.
    Now I would like to skip 50 computers on which they do not want to load the legal disclaimer, as they have auto logins. Apparently the interactive login setting is configured along with other settings in Security Options. In other words, the interactive login is loading to the computers along with other security options.
    Now I want to exclude those 50 computers so they do not load the interactive login (legal disclaimer).
    Is there a way we can make an exception for the 50 computers?

    1. You could theoretically do the following:
      Add the 30 computers you want to receive the interactive login to a security group (e.g. SG-interactive login).

      Go to the GPO and, under the scope settings, change the security filtering to reflect the following:
      * Remove Authenticated Users
      * Add the security group with the 30 computers (we want this GP to apply to those computers)

      I would definitely recommend testing this outside a production environment first with a few PCs, as I’m not entirely sure of the effects of removing Authenticated Users. My understanding is that this should give you the desired outcome, however.

  6. ain mawardah says:

    Can’t we insert an attachment? I mean there is something our superior asked us to post, but he wants it in attachment form.

  7. Nikhil Vetal says:

    If the message text for users attempting to log on has changed somehow on workstations, but without affecting policy, how can I audit an event any time the message is changed? This audit record should be viewable on a central server computer. All I have done is the configuration up to legalnotice. Stuck with the auditing part.

  8. Can I have multiple logon banner messages within a single login attempt on the domain?

  9. Robb Perez says:

    Scenario:
    One of the company departments would like to implement a legal notice, but would like to change the content periodically. We can use PowerShell to change the “legalnoticetext” with a Get-Content command to pull from a pre-defined text file. The department would update that text file as needed and a scheduled task would update the message periodically. How, though, would I get the PowerShell script to update the domain GPO containing the message?

  10. In Interactive logon Group Policy Management, is it possible to prevent users from clicking OK before they click OK, let’s say 3 mins?

  11. We have a very mixed environment. 85% of the users logon using a thin-client running Windows 7 embedded connecting to a terminal server running Windows 2012 R2. All of the production servers run Windows 2012 R2 and all Fat Clients are Windows 7 PRO SP1 or Windows 10 Pro.
    Does your process work on Windows 7 Pro SP1, Windows 10 Pro, Windows Server 2012 R2?

    Excellent article by the way.

  12. mohammedfariz.k says:

    Can you please tell me how to add a line space to separate a paragraph?

  13. Prajwal Desai, very good article and thank you for sharing. I would like to know if there is a way to make it so that users get the legal notification with the acceptable computer use policy the first time they log in, when logoncount is 0. Second, is there a way to audit which users have clicked OK? It is obvious that if the logoncount is still 0, the user has not clicked OK and proceeded to log in, but it is good to provide a list that proves who did click the OK button. This is important from a security compliance perspective.

  14. Vishal B. says:

    I am facing the issue mentioned below, please suggest.
    Under Win 2012 R2, I want to change the legal notice color from blue to red, or I am OK if I set the legal notice message after the Windows login front screen.
    Please suggest if there is any option under GPO or any other way.

    Please suggest?

  15. I am facing the issue mentioned below, please suggest.

    Under Win 2012 R2, I want to change the legal notice color from blue to red, or I am OK if I set the legal notice message after the Windows login front screen.

    Please suggest?

  16. Many thanks for the write-up, found it very useful.
    One question though: is it possible to add a tick box on the screen as well?

    Many thanks

  17. nitin makwana says:

    Love you Prajwal.

  18. Aamir Karim says:

    Very nice and very easy way it is defined. Thank you sir.

  19. Hey, great article. How do I create carriage returns?

    1. David Sankovsky says:

      Afraid not…
      Apparently most companies in Israel don’t bother implementing this feature…
      I assume this has to do with the server’s locale, but I don’t want to change the locale on a production system.

  20. David Sankovsky says:

    Is there a way to force the message to be R2L instead of L2R?
    My message is in Hebrew and it looks weird when it’s L2R.

  21. What about if I want to enable those GPOs only on domain users, not on the server itself?

    1. David Sankovsky says:

      I can only assume you mean users’ computers, while not implementing it on servers in the domain.
      This can be achieved by creating a group where you include only the computers, and then changing the scope of the policy.
      Keep in mind though, the group won’t be auto-updating, so you’ll have to add new computers manually.

  22. There is a simple and easy way to do the same trick using the registry editor.

    1. Aamir Karim says:

      And what is that trick, and where will we implement it, on the server or on client nodes?

  23. nepaconservative says:

    Thanks for the walkthrough!

  24. K V Naresh Kumar says:

    Hi, how do I send a quick popup message to all domain computers/users?

  25. MohamedBilal Pyarejan says:

    Pretty clear steps, keep it up, Prajwal!

  26. Shrikrushna BHutekar says:

    Thank you Sir, this information is very helpful for me. Thank you so much.

  27. Mohun Chelsea says:

    As someone new to IT networking in the system administration field, and having a passion for Windows Server system administration, recently while searching certain topics I found your blog. At a later stage I am finding it too useful for new Windows system admins. I really appreciate your way of documentation. It’s too easy to understand. In future also looking for great articles. Keep it up. Thanks a lot.

  28. Very useful, will definitely try it

  29. Thank you for sharing this info. I really appreciate your
    efforts and I will be waiting for your next write ups
    thanks once again.

  30. I did a poor job explaining myself 🙂 I want to put up an agreement before the logon screen.
    The only difference with the screenshot above is I want to put a checkbox there. The user will have to check it to click OK. It will say something like “I Agree to this conditions” check!
    Can I use this feature with editing it? Or is there no way to edit anything apart from the message and title? If so, can it be done with a custom script? I’m totally clueless here. 🙂

    1. Now that’s a little tricky. You need to make use of a script for sure. Did you search for the same in Google and find anything useful?

    2. Perhaps you could add a bit at the beginning saying something like “by pressing OK and continuing the logon process, you are agreeing to the following terms”

      1. Aamir Karim says:

        TSMLRE, I think EOWYN36 is trying to give access to only those users who check the box for “I agree to this conditions”.
        The OK button will be disabled until the user checks the box. Only if he/she checks that box will the OK button be enabled.

        1. Peter Vicari says:

          Is there a way to do just that?

  31. Is there a way to modify the logon notice? I’m trying to find a way to add a checkbox on that screen; when checked, the OK button will be clickable.

    1. Yes, you have to modify the GP Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon : Message text for users attempting to log on

  32. Hi, your site has just saved me. Thanks so much.

  33. Can we set an image or animation instead of text?

  34. prasad phase says:

    Dear, is it supported on Windows 2008 R2?

  35. Samiuddin Mohammed says:

    Excellent Blogs, Keep up the Good Work!

    Thanks – Samiuddin

  36. I tried this, and after getting unpleasant results found this: “You can use a maximum of four lines of 512 characters each for a total of 2,048 characters in this policy, please check whether you exceed this limit.” How did you get yours to display so many characters? Thanks. -B

    1. What’s the disclaimer text that you are entering? I didn’t face any issues while I configured the legal notice…

    2. I found that a semicolon was one cause of failure to display the full text of what we wanted. In another case a double space was the issue, and in a 3rd round, we found that a single word written in all caps was a cause. Once corrected, our 730-character message displayed correctly.