Solved

Prevent manual default domain name change

Posted on 2007-04-03
9
1,267 Views
Last Modified: 2008-05-31
We are deploying Windows 2003 server/Active Directory with Windows XP workstations.

You can disable the drop-down box in the GINA from appearing (we've got that).  This coupled with setting the DefaultDomainName should set the domain and prevent users from changing it via the drop-down.
 
This works but isn't perfect.  Users can still login locally or to another domain by typing it in manually .  When this is done, the DefaultDomainName registry key gets set to the domain or computer name that the user entered.  It remains set to this other domain. When the next user logs in, their login fails because the default domain is no longer the right one.

How can we prevent the default domain name from being changed when a user manually logs into another domain or the local computer?
0
Comment
Question by:dlcarraw
9 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18847150
You can't !
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18847476
seconded
0
 
LVL 1

Author Comment

by:dlcarraw
ID: 18989046
The solution is to poke the registry at login using regedit /s to poke the right DefaultDomainName value into the registry. This assumes the user has rights to run regedit.

For example.
Create a file called DOIT.REG like this one. Save it somewhere safe-ish, like C:\Program Files\DOIT.
-------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AltDefaultDomainName"="MyDomain"
"DefaultDomainName"="MyDomain"
-------------------

Add this string value to HKLM\Software\Microsoft\Windows\Run
doit="regedit /s c:\program files\doit\doit.reg"

Then at startup, after the  user logs in the registry value should be set back to the default you specified.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 1

Author Comment

by:dlcarraw
ID: 18989057
The comments of "you can't" with no explanation were not useful.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18996361
thats a nice little trick - i will be using that in future i beleive
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19167592
PAQed with points refunded (50)

Computer101
EE Admin
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now