Formatting “Message text for users attempting to log on”
If you have ever tried defining the Security Options policy setting called: "Interactive logon: Message text for users attempting to log on", you may have had some difficulties formatting the message the way you wanted it. This blog is about "how to" workaround a minor bug in the GPEDIT tool…
The issue:
First things first - the Group Policy setting is located here:
"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"
The value is a Multi-String registry value that allows you to make multiple lines in the message. The message pops up right after a users hits Ctrl+Alt+Del as a general warning to the user before actually logging on. But, unfortunately the formatting isn’t as perfect as it could be.
What happens is, that carriage returns are lost after formatting this "pre-logon message" with GPEDIT, imagine you would want a message like this (see Figure 3):
—>
I don’t know why this should be so hard? Jump next line please…
Let’s do a comma, and continue the line…
Line number 4 is ready, but let’s jump line 5 & 6 now…
Line 7 finishes up this story!
<—
Such a message would end up as (see Figure 5):
—>
I don’t know why this should be so hard? Jump next line please…
Let’s do a comma, and continue the line…
Line number 4 is ready, but let’s jump line 5 & 6 now…
Line 7 finishes up this story!
<—
So, basically the problem is: line feeds/carriage returns/empty lines disappear completely!
You can actually see this within the GPEDIT GUI, but only if you hit "Apply" before "OK" - if you just hit "OK" after typing in your message you cannot see that it’s actually changed by GPEDIT (so you think the formatting is working as it should). I tested this behavior with GPEDIT on Windows XP SP2 (local policy), Windows Server 2003 SP1 (domain policy), Windows Vista SP Pre-RC (local policy) and Windows Server 2008 RC1 (domain policy).
Figure 1 - I typed in my message with the format I wanted: 
Figure 2 - I clicked Apply, and the formatting was changed: 
If I had just click OK I wouldn’t have noticed the change - anyway it’s a bit annoying, right?
Solution/Workaround:
The solution I came up with is to modify the policy file directly/manually using Notepad. The file is located here:
"\\DOMAIN.local\SYSVOL\DOMAIN.local\Policies\{GPO-GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Within that file we have the relevant registry value, called "LegalNoticeText":
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don’t know why this should be so hard? Jump next line please…," ",Let’s do a comma"," and continue the line…,Line number 4 is ready"," but let’s jump line 5 & 6 now…," "," ",Line 7 finishes up this story!
Notice the " " (<quote><space><quote>) sequences, which are the same as empty lines.
This is the relevant line from a working GptTempl.inf file (the correct syntax written manually), and it actually works great:
Figure 3 - Pre-logon message on a Windows Server 2003 SP1 Domain Controller: 
Figure 4 - The above inserted GptTmpl.inf line also works for Windows XP SP2 in the same domain: 
So, this proves that the INI file can actually be correctly formatted so clients (tested w/WS2003 SP1 and XP SP2 in a domain) can show the message perfectly. Please notice that the behavior is similar with local policies, but my testing has been focused on domain environments so far.
If you try to modify the working policy setting using GPEDIT again - after changing just a tiny bit (or just hitting OK to an existing setting) within the GPO the formatting/syntax is ruined again unfortunately (when GPO is saved by GPEDIT)! Look here what came out of it when I tested it:
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,I don’t know why this should be so hard? Jump next line please…,Let’s do a comma"," and continue the line…,Line number 4 is ready"," but let’s jump line 5 & 6 now…,Line 7 finishes up this story!
Notice the " " (<quote><space><quote>) sequences are gone! This gives a wrong result (no empty lines) when clients get the pre-logon message.
Figure 5 - The formatting is lost (or wrong) when GPEDIT does the job: 
Please notice, if you’re testing this you will have to define an additional policy setting for it to work, namely the "Interactive logon: Message title for users attempting to log on" setting.
Figure 6 - The title must be set for pre-logon message to appear 
Conclusion
So, my conclusion is that (existing version of) GPEDIT doesn’t modify the GptTmpl.inf file properly (or the registry for local policies for that matter) - for this particular value at least… My best guess is that it doesn’t handle the quotes (") correctly, but I can’t be 100% sure. A bug report has been made for Microsoft - so hopefully it will be fixed before the final release of Windows Server 2008 and the Remote Server Administration Tools (RSAT).
However, as mentioned you can make it work with a workaround like this: Just perform the GptTmpl.inf (below SYSVOL) editing manually, make a backup of the file when it’s perfect - and never touch that GPO with GPEDIT again… Until Microsoft releases an updated version of GPEDIT anyway.
Related KB articles out there:
KB 330618
KB 238149
Technet article
.
Written by Jakob H. Heidelberg on November 30th, 2007 with comments disabled.
Read more articles on RSAT and Security and Windows Server 2008 and Windows Vista and Windows XP and gpedit and gpedit.msc and group policies and group policy and microsoft and sysvol and windows server 2003.
