Also, the GpNetworkStartTimeoutPolicyValue can be set as a policy setting so you don't have to tattoo that into the registry (unless you want to override anything that is currently assigned by policy as discussed below).

Creating a Group Policy network start timeout policy

The GpNetworkStartTimeoutPolicyValue policy timeout can be specified in the registry in two locations:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

You can do this by adding a DWORD value of GpNetworkStartTimeoutPolicyValue with a number of seconds between 30 and 600. Windows reads the Winlogon subkey first. Then, Windows reads the Policies subkey. The value in the Policies subkey supersedes any value in the Winlogon subkey. There is no user interface that you can use to set this Group Policy object (GPO). Therefore, you have to deploy a custom ADM file in order to set the GPO.

The value specified should be of sufficient duration to make sure that the connection is made. During the timeout period, Windows examines the connection status every two seconds and continues with system startup as soon as the connection is confirmed. Therefore, setting the value larger than the minimum value of 30 is recommended. However, be advised that if the system is legitimately disconnected, Windows will stall for the whole timeout period.

Note: Examples of the system being legitimately disconnected include the network cable being disconnected or if the server is offline.

This information is discussed in the MS KB Article 840669, "Group Policy application fails on a computer that is running Windows 2000, Windows XP Service Pack 1, or Windows XP Service Pack 2" located here <http://support.microsoft.com/kb/840669>.

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/>

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Wednesday, February 06, 2008 2:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Custom ADM Issues

You don't need the HKEY_LOCAL_MACHINE in the KEYNAME.

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com <http://www.integrisok.com/>

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathan Finkbiner
Sent: Wednesday, February 06, 2008 1:55 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Custom ADM Issues

Hey All,

I thought I sent this on Monday, but apparently with this "email" thing you have to hit a send button to get it to work.

I was looking for a little feedback on a custom adm template I've been working on. I am sure the problem is staring me right in the face but I am completely missing it.

I want to generate and manage 3 keys on all computers across the domain. The three keys are the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
"SupplicantMode"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c (This should be a decimal value)

I've created adm templates before, but it has been a while and so far all I can do is get the event log to spit angry messages at me.

Here is a sample of the code I am using (I've left off the strings comments to keep this as brief as possible):

CLASS MACHINE

CATEGORY "System"
  CATEGORY "NAC Options"
    POLICY !!AMode
      EXPLAIN !!AMode_Exp
      KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
      PART "Authentication Mode" NUMERIC
        VALUENAME "AuthMode"
        MIN 0 MAX 2
        TXTCONVERT
        DEFAULT 2
        SPIN 1
      END PART
    END POLICY
  END CATEGORY
  CATEGORY "NAC Options"
    POLICY !!SMode
      EXPLAIN !!SMode_Exp
      KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
      PART "Supplicant Mode" NUMERIC
        VALUENAME "SupplicantMode"
        MIN 1 MAX 3
        TXTCONVERT
        DEFAULT 3
        SPIN 1
      END PART
    END POLICY
  END CATEGORY
  CATEGORY "NAC Options"
    POLICY !!Timeout
      EXPLAIN !!Timeout_Exp
      KEYNAME "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
      PART "Timeout for NAC Negotiation" EDITTEXT REQUIRED
        VALUENAME "GpNetworkStartTimeoutPolicyValue"
        DEFAULT "0000003c"
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

There are 2 seemingly non specific errors that I am getting that may help. These are both from the event log:

"Windows cannot create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (The parameter is incorrect. )."

"Windows cannot access the registry policy file, \\domain.com\SysVol\domain.com\Policies\{BA8CA221-6DC1-4631-B838-4135A66DE872}\Machine\registry.pol. (The parameter is incorrect. )."

As always, thanks in advance.

Jonathan Finkbiner <mailto:jfinkbiner@xxxxxxx>
Information Services Support Analyst
Lifestyle Family Fitness <http://www.lff.com/>

________________________________

This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law.
If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply).
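
A corrected form of the template discussed in this thread, as an added example that is not from any of the posters: it applies the reply's KEYNAME fix, writes the timeout to the Policies subkey named in the KB excerpt with the 30-600 range enforced, and uses NUMERIC parts so all three values are stored as DWORDs. The `_Part` string ids and all `[strings]` text are assumptions made for illustration.

```adm
; Added example, not the poster's file. *_Part ids and [strings] text are assumptions.
CLASS MACHINE

CATEGORY "System"
  CATEGORY "NAC Options"
    POLICY !!Timeout
      EXPLAIN !!Timeout_Exp
      ; KEYNAME is relative to the hive chosen by CLASS MACHINE (no HKEY_LOCAL_MACHINE).
      ; The Policies subkey supersedes the Winlogon value.
      KEYNAME "SOFTWARE\Policies\Microsoft\Windows\System"
      ; NUMERIC without TXTCONVERT writes REG_DWORD; EDITTEXT would write a string.
      PART !!Timeout_Part NUMERIC REQUIRED
        VALUENAME "GpNetworkStartTimeoutPolicyValue"
        MIN 30 MAX 600 DEFAULT 60 SPIN 5
      END PART
    END POLICY

    POLICY !!AMode
      EXPLAIN !!AMode_Exp
      ; Outside the Policies keys: this value is tattooed, as noted in the reply.
      KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
      PART !!AMode_Part NUMERIC REQUIRED
        VALUENAME "AuthMode"
        MIN 0 MAX 2 DEFAULT 2 SPIN 1
      END PART
    END POLICY

    POLICY !!SMode
      EXPLAIN !!SMode_Exp
      KEYNAME "SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
      PART !!SMode_Part NUMERIC REQUIRED
        VALUENAME "SupplicantMode"
        MIN 1 MAX 3 DEFAULT 3 SPIN 1
      END PART
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
Timeout="Group Policy network start timeout"
Timeout_Exp="Seconds (30-600) to wait for the network before Group Policy is applied."
Timeout_Part="Timeout for NAC negotiation (seconds)"
AMode="EAPOL authentication mode"
AMode_Exp="Sets the AuthMode value (0-2)."
AMode_Part="Authentication Mode"
SMode="EAPOL supplicant mode"
SMode_Exp="Sets the SupplicantMode value (1-3)."
SMode_Part="Supplicant Mode"
```

Because the two EAPOL values live outside the Policies keys, the Group Policy editor hides them until the "Only show policy settings that can be fully managed" filter is cleared.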