Logon Banner Problem

We are running Windows Server 2003 DC's and wanted to add a windows logon
banner. I added the info. in "Interactive logon: Message text for users
attempting to log on" and "Interactive logon: Message title for users
attempting to log on".

Here are the problems we are having:

1. It seems to cut off part of the msg. Is there a way to increses the
limit of text that can go into the logon banner?
2. Some Windows 2000 Workstation (sp4) users don't see the logon banner at
all.

Thanks for any help.


Clayton

"Clayton Sutton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We are running Windows Server 2003 DC's and wanted to add a windows logon
> banner. I added the info. in "Interactive logon: Message text for users
> attempting to log on" and "Interactive logon: Message title for users
> attempting to log on".
>
> Here are the problems we are having:
>
> 1. It seems to cut off part of the msg. Is there a way to increses the
> limit of text that can go into the logon banner?

I doubt it -- the dialog box is likely fixed.

> 2. Some Windows 2000 Workstation (sp4) users don't see the logon banner
at
> all.

They are probably not authenticating, or else
are in a location (e.g., an OU) unaffected by the
GPO due to blocking, permissions, etc.

But failure to authenticate is most likely.

Usually that is a DNS problem:


So check DNS for AD:

1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /serverC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


--
Herb Martin


>
> Thanks for any help.
>
>
> Clayton
>
>

Herb Martin wrote:
> "Clayton Sutton" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We are running Windows Server 2003 DC's and wanted to add a windows
>> logon banner. I added the info. in "Interactive logon: Message text
>> for users attempting to log on" and "Interactive logon: Message
>> title for users attempting to log on".
>>
>> Here are the problems we are having:
>>
>> 1. It seems to cut off part of the msg. Is there a way to increses
>> the limit of text that can go into the logon banner?
>
> I doubt it -- the dialog box is likely fixed.

Yep. And there is really no reason for a novel-length login banner - make it
simple. "Access is for authorized users only. Clicking OK indicates that you
agree to abide by Company X's written Computer Use Policy".

Done & dusted. Nobody is going to read a three paragraph login banner.
>
>> 2. Some Windows 2000 Workstation (sp4) users don't see the logon
>> banner at all.
>
> They are probably not authenticating, or else
> are in a location (e.g., an OU) unaffected by the
> GPO due to blocking, permissions, etc.
>
> But failure to authenticate is most likely.
>
> Usually that is a DNS problem:
>
>
> So check DNS for AD:
>
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS clients NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
> 4) If you have more than one Domain, every DNS server must
> be able to resolve ALL domains (either directly or
> indirectly)
>
> netdiag /fix
>
> ...or maybe:
>
> dcdiag /fix
>
> (Win2003 can do this from Support tools):
> nltest /dsregdns /serverC-ServerNameGoesHere
> http://support.microsoft.com/kb/q260371/
>
> Ensure that DNS zones/domains are fully replicated to all DNS
> servers for that (internal) zone/domain.
>
> Also useful may be running DCDiag on each DC, sending the
> output to a text file, and searching for FAIL, ERROR, WARN.
>
> Single Label domain zone names are a problem Google:
> [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
>
>
>
>>
>> Thanks for any help.
>>
>>
>> Clayton

Also, if I recall correctly, use of a newline in the message
has different display behavior on old compared to new OS
versions. Even a short message can be clipped.

--
Roger
"Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com> wrote in message
news:eY$(E-Mail Removed)...
> Herb Martin wrote:
> > "Clayton Sutton" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> We are running Windows Server 2003 DC's and wanted to add a windows
> >> logon banner. I added the info. in "Interactive logon: Message text
> >> for users attempting to log on" and "Interactive logon: Message
> >> title for users attempting to log on".
> >>
> >> Here are the problems we are having:
> >>
> >> 1. It seems to cut off part of the msg. Is there a way to increses
> >> the limit of text that can go into the logon banner?
> >
> > I doubt it -- the dialog box is likely fixed.
>
> Yep. And there is really no reason for a novel-length login banner - make
it
> simple. "Access is for authorized users only. Clicking OK indicates that
you
> agree to abide by Company X's written Computer Use Policy".
>
> Done & dusted. Nobody is going to read a three paragraph login banner.
> >
> >> 2. Some Windows 2000 Workstation (sp4) users don't see the logon
> >> banner at all.
> >
> > They are probably not authenticating, or else
> > are in a location (e.g., an OU) unaffected by the
> > GPO due to blocking, permissions, etc.
> >
> > But failure to authenticate is most likely.
> >
> > Usually that is a DNS problem:
> >
> >
> > So check DNS for AD:
> >
> > 1) Dynamic for the zone supporting AD
> > 2) All internal DNS clients NIC\IP properties must specify SOLELY
> > that internal, dynamic DNS server (set.)
> > 3) DCs and even DNS servers are DNS clients too -- see #2
> > 4) If you have more than one Domain, every DNS server must
> > be able to resolve ALL domains (either directly or
> > indirectly)
> >
> > netdiag /fix
> >
> > ...or maybe:
> >
> > dcdiag /fix
> >
> > (Win2003 can do this from Support tools):
> > nltest /dsregdns /serverC-ServerNameGoesHere
> > http://support.microsoft.com/kb/q260371/
> >
> > Ensure that DNS zones/domains are fully replicated to all DNS
> > servers for that (internal) zone/domain.
> >
> > Also useful may be running DCDiag on each DC, sending the
> > output to a text file, and searching for FAIL, ERROR, WARN.
> >
> > Single Label domain zone names are a problem Google:
> > [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
> >
> >
> >
> >>
> >> Thanks for any help.
> >>
> >>
> >> Clayton
>
>

The logon banner length is an issue that started with XP and 2003. I can
tell you how we got around it.

Create a seperate policy using a Windows 2000 Pro or Server system and
import or type the message. After the policy is created, set the
permissions on the GPO so noone can edit it. We used an explicit deny to
write for everyone. You can get around the deny it if you need to, but it
prevents someone on a Windows XP or 2003 system from accidentally opening
the policy and messing up the format.

Otherwise, this article may help you:
http://support.microsoft.com/?kbid=823146

Steve


"Clayton Sutton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We are running Windows Server 2003 DC's and wanted to add a windows logon
> banner. I added the info. in "Interactive logon: Message text for users
> attempting to log on" and "Interactive logon: Message title for users
> attempting to log on".
>
> Here are the problems we are having:
>
> 1. It seems to cut off part of the msg. Is there a way to increses the
> limit of text that can go into the logon banner?
> 2. Some Windows 2000 Workstation (sp4) users don't see the logon banner
> at all.
>
> Thanks for any help.
>
>
> Clayton
>

Steve Head wrote:
> The logon banner length is an issue that started with XP and 2003.
> I can tell you how we got around it.
>
> Create a seperate policy using a Windows 2000 Pro or Server system and
> import or type the message. After the policy is created, set the
> permissions on the GPO so noone can edit it. We used an explicit
> deny to write for everyone. You can get around the deny it if you
> need to, but it prevents someone on a Windows XP or 2003 system from
> accidentally opening the policy and messing up the format.
>
> Otherwise, this article may help you:
> http://support.microsoft.com/?kbid=823146
>
> Steve
>
Thanks - I didn't know that - have added it to my faves.
Now I know it *can* be done. I still have absolutely no idea *why* it would
ever be done. People are not going to read it, period - you're better off
keeping it simple and issuing a paper document when people are hired,
included with their paperwork issues by HR.
Re banners - I'm fairly confident that you could add something in the middle
that says "Also, clicking OK indicates that you agree to wear unwashed
leiderhosen every day for the rest of your life" and you won't even get a
chuckle or a surprised squawk.

>
> "Clayton Sutton" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We are running Windows Server 2003 DC's and wanted to add a windows
>> logon banner. I added the info. in "Interactive logon: Message text
>> for users attempting to log on" and "Interactive logon: Message
>> title for users attempting to log on".
>>
>> Here are the problems we are having:
>>
>> 1. It seems to cut off part of the msg. Is there a way to increses
>> the limit of text that can go into the logon banner?
>> 2. Some Windows 2000 Workstation (sp4) users don't see the logon
>> banner at all.
>>
>> Thanks for any help.
>>
>>
>> Clayton