
I am a developer with no prior experience with GPO scripting. I have a request to create a user acceptance policy that is logged when a user accepts it (about 1000 Windows workstations in an AD domain).

What I know so far is that creating a GPO script, pre-login, shouldn't be a challenge.

The challenge is how to keep track of users accepting the policy. They suggest a network share with a file per user. This sounds rudimentary. I was thinking more of an SQLite DB file to avoid lock issues, but I could be wrong.

So my question is: Am I able to hook into user acceptance of a policy? If so, where can I find the resources for me to start with? Is this solution recommended?

tinonetic
You can use GPO to start a script or application when the user logs in. How your script handles this task is completely up to you. GPO does not have any feature related to user acceptance other than the interactive logon disclaimer, which will not suit your purpose. – Appleoddity Jun 17 '20 at 05:41

1 Answer


The challenge is how to keep track of users accepting the policy.

Yes. I did such stuff a few times and that's exactly where it may break and where it gets interesting.

They suggest a network share with a file per user.

Which is impossible pre-logon, because no user that should be logged is logged on.

I was thinking more of a sqlite DB file to avoid lock issues

Yes, totally. Make a "real" application and think about usual user behaviour, like having no network connection when logging in and so on.

Am I able to hook into user acceptance of a policy?

If this means "Am I able to PAUSE a GPO until ..." then no, this isn't possible. But you can hook yourself (the script or app) into a GPO to be executed at every user login, controlled by various parameters.

Is this solution recommended?

It depends; this recommendation may have (a lot of) other implications than just technical ones, which is very broad and will not be answered here.

The technical answer is: you can start an application at login (even pre-login, which forbids logging a logged-in user) and this app can do whatever it needs to. It is recommended to make an app that does this job right, like not using hard-coded UNC paths, respecting offline usage, authentication (maybe on machine level) and a backend capable of this load.

bjoster
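An added example (not from the question or the answer above) of what the answer describes: a user logon script, deployed via GPO User Configuration > Policies > Windows Settings > Scripts (Logon), that shows the policy, records acceptance once per policy version, and spools the record locally when the backend is unreachable so an offline logon does not lose it. The backend URL, the policy text and the JSON record layout are assumptions; the endpoint is a placeholder.

```powershell
# Hypothetical logon script; $Endpoint is a placeholder, the record format is assumed.
param(
    [string]$PolicyVersion = "2024-01",
    [string]$Endpoint = "https://policy.example.internal/api/acceptance"  # placeholder backend
)
Add-Type -AssemblyName System.Windows.Forms

$stateDir  = Join-Path $env:LOCALAPPDATA "PolicyAcceptance"
$stateFile = Join-Path $stateDir "accepted-$PolicyVersion.json"   # local "already accepted" marker
$spoolFile = Join-Path $stateDir "pending.jsonl"                  # records not yet delivered
New-Item -ItemType Directory -Path $stateDir -Force | Out-Null

function Send-Acceptance([string]$Json) {
    # $true when the backend acknowledged the record, $false when offline or unreachable.
    # -UseDefaultCredentials sends the logged-on user's Windows identity; the server should
    # trust that identity, not the user/computer fields inside the JSON body.
    try {
        Invoke-RestMethod -Uri $Endpoint -Method Post -ContentType 'application/json' `
            -Body $Json -UseDefaultCredentials -TimeoutSec 5 | Out-Null
        return $true
    } catch { return $false }
}

# 1. Flush anything spooled during earlier offline logons; keep what still fails.
if (Test-Path $spoolFile) {
    $remaining = @()
    foreach ($line in Get-Content $spoolFile) { if (-not (Send-Acceptance $line)) { $remaining += $line } }
    if ($remaining.Count) { Set-Content -Path $spoolFile -Value $remaining } else { Remove-Item $spoolFile }
}

# 2. This policy version was already accepted on this machine: nothing more to do.
if (Test-Path $stateFile) { return }

# 3. Show the policy; a decline simply means the prompt returns at the next logon.
$policyText = "Acceptable use policy ($PolicyVersion): constructed placeholder text."
$answer = [System.Windows.Forms.MessageBox]::Show($policyText, "Acceptable Use Policy", 'OKCancel', 'Information')
if ($answer -ne 'OK') { return }

# 4. Build the acceptance record (UTC timestamp, ISO 8601).
$record = @{
    user       = "$env:USERDOMAIN\$env:USERNAME"
    computer   = $env:COMPUTERNAME
    version    = $PolicyVersion
    acceptedAt = (Get-Date).ToUniversalTime().ToString('o')
} | ConvertTo-Json -Compress

# 5. Deliver now, or spool for a later logon; mark locally either way so the user is not re-prompted.
if (-not (Send-Acceptance $record)) { Add-Content -Path $spoolFile -Value $record }
Set-Content -Path $stateFile -Value $record
```

The local marker only suppresses the prompt; the backend's stored records, written under the user's authenticated identity, are the audit trail.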