I am working on a simple internal tool that does some work, reboots the machine, auto-logs in, and then continues doing its work (until it's done). This worked fine on our Windows Server 2008 machines that were not very locked down. Recently I have tried running this tool on some of our newer Windows Server 2012 machines that have more security lock downs and various GPOs enabled. One consequence that I noticed is that auto-login functionality was no longer working.

The tool uses the Winlogon registry location @ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to specify to enable auto-logon, a default username, and a default password via the values AutoAdminLogon, DefaultUserName, and DefaultPassword respectively. These values were the first things that I checked when I ran the tool and I saw the values being set prior to a reboot and after the reboot/login the Winlogon registry values were all reset to the default and my changes were undone.

I'm assuming that there's some GPO or security feature causing this (which is fine) but I'm curious to see if there is a way to track down which GPO or setting is doing it. I have checked the Local Group Policy Editor dialog but I wasn't able to find anything concrete. Is there any other place I can check or maybe look at some specific GPO that I may not know about?

Update: I found that the GPO Configure registry policy processing is set to Process even if Group Policy objects have not changed. If I'm not mistaken, this would explain why the policy is being applied on every reboot, but I'm still not clear on which policy it is.

Fizz

1 Answer

Check to see if there is a legal notice in place; those will interrupt the auto logon. Run RSOP and see if there is a GPO for the following settings:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: Message title for users attempting to log on
Interactive logon: Message text for users attempting to log on

It's common to deploy that for an enterprise via GPO. If the legal notice is part of another GPO you do not want to block, you may need to relocate those settings to their own GPO. Then set an ACL to deny the apply GPO permission for a group containing the computers that need auto logon, or relocate those computers to a different OU and block inheritance for that GPO.

Not sure what your tool is doing. If the legal notice settings are not in place, try some of the steps from this duplicate question

Clayton
  • I'll check this out but it's not necessarily that the auto-login isn't working, it's that the registry modifications I did to enable it were reverted after a reboot. – Fizz Mar 29 '18 at 19:35
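
The checks discussed in this thread can be scripted; the following PowerShell is an added example, not part of the question, the answer or the asker's tool. It reads the Winlogon and legal notice values, then searches a computer-scope RSoP report for the GPO behind them. The report file name and the report layout it relies on (a GPO element with a Name child near each setting) are assumptions.

```powershell
# Added example: run from an elevated PowerShell 3.0+ prompt on the affected server.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Auto-logon state after the reboot. Report only whether DefaultPassword
#    exists; never echo the stored password into a console or log.
$w = Get-ItemProperty -Path $winlogon
[pscustomobject]@{
    AutoAdminLogon     = $w.AutoAdminLogon
    DefaultUserName    = $w.DefaultUserName
    DefaultPasswordSet = $w.PSObject.Properties.Name -contains 'DefaultPassword'
} | Format-List

# 2. Registry values behind the two "Interactive logon: Message ..." settings.
$p = Get-ItemProperty -Path $policies
$notice = (@($p.LegalNoticeCaption) + @($p.LegalNoticeText)) -join ''
if ($notice.Trim()) { Write-Warning 'A legal notice (logon banner) is configured.' }

# 3. Computer-scope RSoP report as XML, then list every setting that mentions
#    the legal notice or the Winlogon key together with the GPO that set it.
$report = Join-Path $env:TEMP 'rsop-computer.xml'   # constructed file name
gpresult.exe /scope computer /x $report /f | Out-Null
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)

$gpoName = "*[local-name()='GPO']/*[local-name()='Name']"   # assumed report layout
$xpath = "//*[not(*)][contains(.,'LegalNotice') or contains(.,'Winlogon')]" +
         " | //@*[contains(.,'LegalNotice') or contains(.,'Winlogon')]"
foreach ($n in $rsop.SelectNodes($xpath)) {
    # Walk up until an ancestor carries a GPO/Name child identifying the source GPO.
    $a = if ($n -is [System.Xml.XmlAttribute]) { $n.OwnerElement } else { $n.ParentNode }
    while ($null -ne $a -and -not $a.SelectSingleNode($gpoName)) { $a = $a.ParentNode }
    [pscustomobject]@{
        Setting = $n.InnerText
        GPO     = if ($null -ne $a) { $a.SelectSingleNode($gpoName).InnerText } else { '(unattributed)' }
    }
}
```

Rows marked (unattributed) matched the search text but had no GPO element above them in the report; check those against the HTML report from gpresult /h.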