Working with Logon and Startup Policies in Vista

9/5/2010 9:32:18 AM

Windows Vista provides a set of policies to control the logon process, some of which allow you to configure the way programs run at logon. This makes them similar to logon scripts, in that you can execute specific tasks at logon. Other policies change the view in the welcome and logon screens. The main logon and startup policies that you'll use are available at Administrative Templates\System\Logon and are summarized in Table 1.

Table 1: Logon and Startup Policies
Policy Type	Policy Name	Description
Computer	Always Use Classic Logon	This overrides the default simple logon screen and uses the logon screen from previous versions of Windows.
Computer	Always Wait For The Network At Computer Startup And Logon	Requires the computer to wait for the network to be fully initialized. At startup, this Group Policy is fully applied rather than using a background refresh. At logon, this means the user account cannot be authenticated against cached credentials and must be authenticated against a domain controller.
Computer	Don't Display The Getting Started Welcome Screen At Logon	Hides the welcome screen that is displayed when new users log on. This only applies to Windows Vista and not to servers.
Computer/User	Do Not Process The Legacy Run List	Disables running startup applications other than those set through System Policy Editor in Windows NT 4.
Computer/User	Do Not Process The Run-Once List	Forces the system to ignore customized run-once lists.
Computer/User	Run These Programs At User Logon	Sets programs that all users should run at logon. Use the full file path (unless program is in %SystemRoot%).

Hiding the Welcome Screen

Experienced users often find the welcome screen annoying, particularly because it is displayed automatically every time they log on to a new computer. To hide the welcome screen at logon, follow these steps:

Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
Double-click Don't Display The Getting Started Welcome Screen At Logon. On the Setting tab, select Enabled and then click OK.

Using Classic Logon vs. Simple Logon

The simple logon window is new in Windows Vista. It is the default authentication, and although that view can be useful, some users might prefer to see only the classic logon window. To use classic logon rather than simple logon, follow these steps:

Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
Double-click Always Use Classic Logon. On the Setting tab, select Enabled and then click OK.

Setting Policy-Based Startup Programs

Although users can configure their startup applications separately, it usually makes more sense to handle this through policy, especially in an enterprise in which the same applications should be started by groups of users. To specify programs that should start at logon, follow these steps:

Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
Double-click Run These Programs At User Logon. On the Setting tab, select Enabled.
To assign startup applications through policy, click Show. In the Show Contents dialog box, specify applications according to their full file or UNC path, such as D:\Program Files\Internet Explorer\IEXPLORE.EXE or \\DCServ01\Apps\STATS.EXE.
Close all open dialog boxes.

Disabling Run Lists Through Policy

Using policy, you can disable legacy run lists as well as run-once lists. Legacy run lists are stored in the registry in

HKEY_LOCAL_MACHINE
 \SOFTWARE
  \Microsoft
   \Windows
    \CurrentVersion
     \Run

and

HKEY_CURRENT_USER
 \Software
  \Microsoft
   \Windows
    \CurrentVersion
     \Run

Run-once lists can be created by administrators to specify programs that should run the next time the system starts but not on subsequent restarts. Run-once lists are stored in the registry under

HKEY_LOCAL_MACHINE
 \SOFTWARE
  \Microsoft
   \Windows
    \CurrentVersion
     \RunOnce

To disable run lists, follow these steps:

Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon or User Configuration\Administrative Templates\System\Logon.
Double-click Do Not Process The Run Once List. On the Setting tab, select Enabled. Click OK.
Double-click Do Not Process The Legacy Run List. On the Setting tab, select Enabled and then click OK.

Other

Controlling Access to Files and Folders with NTFS Permissions

Sharing Files and Folders Over the Network in Vista

Using and Configuring Public Folder Sharing

Customizing the Browser User Interface

Setting Default Internet Programs

Managing Connection and Proxy Settings

Managing Browser Cookies and Other Temporary Internet Files

Secure Browsing and Local Machine Lockdown in Vista

Managing Internet Explorer Security Zones

Some Policies That Might Be Useful for Managing Internet Options