Customizing the Logon Process

Each time you log on to your NT machine you're completing an important task--identifying yourself to the operating system. While this seems like a very simple idea, NT couldn't perform many of the tasks we take for granted if it didn't know who was logged in. Actions like accessing files and printers, starting and stopping services, and changing system information are based on your rights and privileges as determined by your user identity. In this article, we'll show you how to use NT's System Policy Editor to customize your logon process.

Logon preferences

NT stores your logon preferences in the system Registry. By changing certain Registry entries, you can modify the default logon options. These options include a logon banner, enabling shutdown from the logon dialog, and displaying the last user logged on. Because modifying the Registry manually can be tricky and error-prone, you should do so only if no other tools are available. Luckily, NT Server 4.0 comes with a handy tool -- the System Policy Editor -- that will handle these Registry entries for you.

System Policy Editor

NT Server 4.0's System Policy Editor is shown in Figure A.

[ Figure A ]

Figure A: NT's System Policy Editor helps you make changes to the Registry.

You'll find it under Administrative Tools in the Start menu. This useful tool safely makes changes to the system Registry, thereby allowing you to customize your environment. You can also use the System Policy Editor to remotely connect to NT Workstations and change their Registry entries. The System Policy Editor won't let you modify all of the Registry entries, just a few important ones.

Please note:
You must be logged on as a member of the Administrators group in order to save the changes made to the Registry through the System Policy Editor.

Next, we'll change two of the Registry settings with the System Policy Editor. First, we'll enable a Logon Banner. Then, we'll disable the display of the name of the last user logged on.

Modifying your Registry

To modify your Registry, start by opening the System Policy Editor. Select File | Open Registry, and the program will open the Registry for the local machine. You'll now see two icons, one for the Local Computer Registry settings, the other for the Local User Registry settings. Double-click on the Local Computer icon to launch the Local Computer Properties dialog, as shown in Figure B.

[ Figure B ]

Figure B: When you double-click on the Local Computer icon, NT displays the Local Computer Properties dialog.

The Registry entries we wish to modify are found by expanding the Windows NT System book and then expanding the Logon book below it. You can expand a book by either clicking the plus sign (+) or by double-clicking on the text. Next, we'll configure a logon banner that will appear before the Authentication dialog.

Logon Banner

By default, the Logon Banner entry is checked. Highlight the entry by clicking on the text with your mouse. Be sure not to uncheck the box. In the window below the Local Computer tree, the options for the Logon banner will appear. You can change the caption or banner text, or you can use the defaults, as shown in Figure C.

[ Figure C ]

Figure C: The System Policy Editor displays the Caption and Text when you highlight the Logon Banner entry.

When you've finished, click OK to return to the Policy Editor's main screen. Select File | Save to save your changes to the Registry. Close the System Policy Editor and log out of NT. When you try to log back in, you will see a dialog box with the caption and text you chose.

Last user logged on

Whenever you log out of NT, the system remembers who you were and automatically inserts your username in the Authentication dialog. While this can be convenient for you if you're the only user on your machine, it can also be a security risk. By allowing NT to display the username of the last user logged on, you give up one-half of the security supplied by a username and password. An unauthorized user would only need to figure out your password to break into your machine. Suppressing the username would force a hacker to guess both a valid username and its password.

As you might have guessed, the System Policy Editor is the perfect tool for the job. To suppress the username, launch the program and select File | Open Registry. Double-click the Local Computer icon and expand the Windows NT System book and the Logon book. Click the check box before the Do Not Display Last Logged On User Name entry.

Click OK and then choose File | Save. Close System Policy Editor and log off. Now, when you log back on, not only are you presented with your logon banner dialog, but your username has vanished as well.
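
To confirm that both settings took effect, the Winlogon key can be exported to a .reg file and checked. The following is an added example, not part of the original article: it parses a REGEDIT4-style export and reports any setting that is missing. The key path, the value names LegalNoticeCaption, LegalNoticeText and DontDisplayLastUserName, and the sample export are assumptions that the article itself does not give.

```python
import re

# Assumption: key and value names below are the Windows NT Winlogon entries;
# the article itself does not name them.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Constructed sample of a REGEDIT4 export taken after following the steps above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"LegalNoticeCaption"="Important Notice:"
"LegalNoticeText"="Authorized users only."
'''
# "name"="string" or "name"=dword:xxxxxxxx; backslash escapes allowed in quotes.
VALUE_RE = re.compile(
    r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: value}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            value = int(dword, 16) if dword else re.sub(r"\\(.)", r"\1", string)
            current[name.lower()] = value
    return keys

def audit_logon(text):
    """Return a list of findings; an empty list means both settings are set."""
    values = parse_reg(text).get(WINLOGON.lower())
    if values is None:
        return ["Winlogon key not present in export"]
    findings = []
    # This check expects both fields the editor shows: Caption and Text.
    if not all(str(values.get(n, "")).strip()
               for n in ("legalnoticecaption", "legalnoticetext")):
        findings.append("logon banner caption or text is empty")
    # Accept the string "1" or a DWORD 1 as "do not display".
    if str(values.get("dontdisplaylastusername", "0")) != "1":
        findings.append("last logged-on user name is still displayed")
    return findings

if __name__ == "__main__":
    print(audit_logon(SAMPLE_EXPORT) or "logon settings OK")
```

Key and value names are compared case-insensitively, as the Registry itself does.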

Conclusion

The NT Logon process is a very important, but often overlooked, part of every user session. By using the System Policy Editor to modify the Registry, you can create a more useful and secure logon.