• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1277
  • Last Modified:

Prevent manual default domain name change

We are deploying Windows 2003 server/Active Directory with Windows XP workstations.

You can disable the drop-down box in the GINA from appearing (we've got that).  This coupled with setting the DefaultDomainName should set the domain and prevent users from changing it via the drop-down.
This works but isn't perfect.  Users can still login locally or to another domain by typing it in manually .  When this is done, the DefaultDomainName registry key gets set to the domain or computer name that the user entered.  It remains set to this other domain. When the next user logs in, their login fails because the default domain is no longer the right one.

How can we prevent the default domain name from being changed when a user manually logs into another domain or the local computer?
1 Solution
You can't !
dlcarrawAuthor Commented:
The solution is to poke the registry at login using regedit /s to poke the right DefaultDomainName value into the registry. This assumes the user has rights to run regedit.

For example.
Create a file called DOIT.REG like this one. Save it somewhere safe-ish, like C:\Program Files\DOIT.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Add this string value to HKLM\Software\Microsoft\Windows\Run
doit="regedit /s c:\program files\doit\doit.reg"

Then at startup, after the  user logs in the registry value should be set back to the default you specified.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

dlcarrawAuthor Commented:
The comments of "you can't" with no explanation were not useful.
thats a nice little trick - i will be using that in future i beleive
PAQed with points refunded (50)

EE Admin
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now