Solved

How to restrict users to logon to local account where the PC is a member of Windows domain?

Posted on 2009-04-11
Last Modified: 2013-12-04
We have a Windows 2003 AD domain "example.com" where PCs are members of that domain and users are able to log in on PCs through their domain account.

Now we would like to restrict users from logging on to PCs through the local user accounts, i.e. users must log on through their domain a/c only.

Maybe instead of the prompt [1. Username 2. Password 3. Log on to: = DOMAIN / PC-NAME (this computer)], can we remove the option "Log on to: = DOMAIN / PC-NAME (this computer)" on all PCs or selectively on some?

We want the settings centrally so that, for troubleshooting purposes, if at any time local logon is required for a particular PC, we can enable that also.
Question by:Atulinfotech
6 Comments
 
LVL 6

Expert Comment

by:WizardWill
You could try the reg setting

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Reg DWORD
NoDomainUI

Value = 1
 
LVL 5

Expert Comment

by:mfhorizon
On all PCs there must be a local administrator; you can change its password, which only the administrator should know. Remove all other local users.

In this case the user will not have any option other than logging in with a domain user.

We use this approach!
 
LVL 6

Expert Comment

by:WizardWill
Sorry, I accidentally posted the Windows 2000 regedit; here is XP and a script to push through GPO:

http://windowsitpro.com/article/articleid/82417/jsi-tip-8750-how-can-i-prevent-a-windows-xp-user-from-toggling-the-domain-box-during-log-on.html

 
LVL 1

Author Comment

by:Atulinfotech
Dear mfhorizon,

Thanks for your help.

If there exist around 1000 desktops, then changing the local administrator's password and removing all other local users is a very difficult job, as we need to attend to each one. That's why we want a centralized control for not allowing users to log on locally.

Please suggest us a solution so that we can remove the option itself for local login.

Also, let us know: if we want to keep (allow) the "local login option" for a particular PC, then what should be followed?
 
LVL 9

Expert Comment

by:bharrington83
Here are two options. Add the registry key to group policy or run the registry script through your logon script. This should affect all users rather quickly.
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
You can prevent users from logging on locally through GPO. Be careful. There are two GPOs that say logon locally. One is used to prevent users from logging onto the machine interactively through terminal service. That GPO says something like logon interactively>>logon locally. The second logon locally GPO is used to >

Use this as a guide:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23529413.html
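
Added example, not part of the original thread or of any poster's answer: a Python check over the text of a `secedit /export /areas USER_RIGHTS` dump that catches the mix-up the accepted answer warns about, where an account is put under the Terminal Services deny right instead of the local one. The two right names are the standard Windows constants; the sample export, the account names and the function names are constructed for illustration.

```python
# Standard Windows user-right constants behind the two similarly named policies.
DENY_LOCAL = "SeDenyInteractiveLogonRight"      # "Deny log on locally"
DENY_TS = "SeDenyRemoteInteractiveLogonRight"   # "Deny log on through Terminal Services"

# Constructed sample of a user-rights export; account names are hypothetical.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = localuser1
SeDenyRemoteInteractiveLogonRight = localuser1,localuser2
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; unresolved names appear bare.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_local_logon(inf_text, must_deny):
    """List principals in must_deny that are not denied console (local) logon."""
    rights = parse_rights(inf_text)
    deny_local = {p.lower() for p in rights.get(DENY_LOCAL, [])}
    deny_ts = {p.lower() for p in rights.get(DENY_TS, [])}
    findings = []
    for principal in must_deny:
        if principal.lower() in deny_local:
            continue
        reason = ("only under the Terminal Services deny right"
                  if principal.lower() in deny_ts else "in neither deny right")
        findings.append((principal, reason))
    return findings

if __name__ == "__main__":
    for who, why in audit_local_logon(SAMPLE_EXPORT, ["localuser1", "localuser2", "kiosk"]):
        print(f"{who}: {why}")
```

The check compares direct entries only; it does not expand group membership, so a principal denied through a group will still be reported.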


