Solved

How to restrict users to logon to local account where the PC is a member of Windows domain ?

Posted on 2009-04-11
6
347 Views
Last Modified: 2013-12-04
We have Windows 2003 AD domain "example.com" where PCs are members of that domain and users are able to login on PCs through their domain account.

Now we would like to restrict users not to log on PCs through the local user accounts i.e. users must logon through their domain a/c only.

May be instead of the prompt [1. Username 2. Password 3. Log on to: = DOMAIN / PC-NAME (this computer)],

can we remove the the option " Log on to: = DOMAIN / PC-NAME (this computer)]" on all PCs or selectively on some?


We want the settings centrally so that for troubleshooting purpose if any time for a particular PC the local logon is required then we can enable that also.
0
Comment
Question by:Atulinfotech
6 Comments
 
LVL 6

Expert Comment

by:WizardWill
ID: 24121988
you could try the reg setting

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Reg DWORD
NoDomainUI

Value = 1
0
 
LVL 5

Expert Comment

by:mfhorizon
ID: 24122010
On all PC there must be a local administrator, you can change it's password which administrator should only knows. Remove all other local users.

In this case user will not have any option other than logging in with domain user.

we use this approach.!
0
 
LVL 6

Expert Comment

by:WizardWill
ID: 24122028
Sorry i accidently posted the window 2000 regedit here is XP and a script to push through GPO

http://windowsitpro.com/article/articleid/82417/jsi-tip-8750-how-can-i-prevent-a-windows-xp-user-from-toggling-the-domain-box-during-log-on.html
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 1

Author Comment

by:Atulinfotech
ID: 24122217
Dear mfhorizon,

Thanks for your help.

If there exists around 1000 desktops then changing local administrator's password and removing all other local user are very difficult job as we need to attend each one. That's why we want a centralized control for not allowing users to log on locally.

Please suggest us a solution so that we can remove the option itself for local login.

Also let us know that if we want to keep (allow) "local login option" for a particular PC, then when should be followed?
0
 
LVL 9

Expert Comment

by:bharrington83
ID: 24122349
Here's two options.  Add the registry key to group policy or run the registry script through your logon script.  This should affect all users rather quickly.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 24123927
You can prevent users from logging on locally through GPO. Be careful. There are two GPOs that say logon locally. One is used to prevent users from logging onto the machine interactively through terminal service.  that GPO says something like logon interactively>>logon locally. The seconed logon locally GPO is used to >

Use this as a guide:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23529413.html



0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question