Solved

How to restrict users to logon to local account where the PC is a member of Windows domain ?

Posted on 2009-04-11
6
346 Views
Last Modified: 2013-12-04
We have Windows 2003 AD domain "example.com" where PCs are members of that domain and users are able to login on PCs through their domain account.

Now we would like to restrict users not to log on PCs through the local user accounts i.e. users must logon through their domain a/c only.

May be instead of the prompt [1. Username 2. Password 3. Log on to: = DOMAIN / PC-NAME (this computer)],

can we remove the the option " Log on to: = DOMAIN / PC-NAME (this computer)]" on all PCs or selectively on some?


We want the settings centrally so that for troubleshooting purpose if any time for a particular PC the local logon is required then we can enable that also.
0
Comment
Question by:Atulinfotech
6 Comments
 
LVL 6

Expert Comment

by:WizardWill
ID: 24121988
you could try the reg setting

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Reg DWORD
NoDomainUI

Value = 1
0
 
LVL 5

Expert Comment

by:mfhorizon
ID: 24122010
On all PC there must be a local administrator, you can change it's password which administrator should only knows. Remove all other local users.

In this case user will not have any option other than logging in with domain user.

we use this approach.!
0
 
LVL 6

Expert Comment

by:WizardWill
ID: 24122028
Sorry i accidently posted the window 2000 regedit here is XP and a script to push through GPO

http://windowsitpro.com/article/articleid/82417/jsi-tip-8750-how-can-i-prevent-a-windows-xp-user-from-toggling-the-domain-box-during-log-on.html
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:Atulinfotech
ID: 24122217
Dear mfhorizon,

Thanks for your help.

If there exists around 1000 desktops then changing local administrator's password and removing all other local user are very difficult job as we need to attend each one. That's why we want a centralized control for not allowing users to log on locally.

Please suggest us a solution so that we can remove the option itself for local login.

Also let us know that if we want to keep (allow) "local login option" for a particular PC, then when should be followed?
0
 
LVL 9

Expert Comment

by:bharrington83
ID: 24122349
Here's two options.  Add the registry key to group policy or run the registry script through your logon script.  This should affect all users rather quickly.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 24123927
You can prevent users from logging on locally through GPO. Be careful. There are two GPOs that say logon locally. One is used to prevent users from logging onto the machine interactively through terminal service.  that GPO says something like logon interactively>>logon locally. The seconed logon locally GPO is used to >

Use this as a guide:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23529413.html



0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question