?
Solved

How to restrict users to logon to local account where the PC is a member of Windows domain ?

Posted on 2009-04-11
6
Medium Priority
?
349 Views
Last Modified: 2013-12-04
We have Windows 2003 AD domain "example.com" where PCs are members of that domain and users are able to login on PCs through their domain account.

Now we would like to restrict users not to log on PCs through the local user accounts i.e. users must logon through their domain a/c only.

May be instead of the prompt [1. Username 2. Password 3. Log on to: = DOMAIN / PC-NAME (this computer)],

can we remove the the option " Log on to: = DOMAIN / PC-NAME (this computer)]" on all PCs or selectively on some?


We want the settings centrally so that for troubleshooting purpose if any time for a particular PC the local logon is required then we can enable that also.
0
Comment
Question by:Atulinfotech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 6

Expert Comment

by:WizardWill
ID: 24121988
you could try the reg setting

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Reg DWORD
NoDomainUI

Value = 1
0
 
LVL 5

Expert Comment

by:mfhorizon
ID: 24122010
On all PC there must be a local administrator, you can change it's password which administrator should only knows. Remove all other local users.

In this case user will not have any option other than logging in with domain user.

we use this approach.!
0
 
LVL 6

Expert Comment

by:WizardWill
ID: 24122028
Sorry i accidently posted the window 2000 regedit here is XP and a script to push through GPO

http://windowsitpro.com/article/articleid/82417/jsi-tip-8750-how-can-i-prevent-a-windows-xp-user-from-toggling-the-domain-box-during-log-on.html
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 1

Author Comment

by:Atulinfotech
ID: 24122217
Dear mfhorizon,

Thanks for your help.

If there exists around 1000 desktops then changing local administrator's password and removing all other local user are very difficult job as we need to attend each one. That's why we want a centralized control for not allowing users to log on locally.

Please suggest us a solution so that we can remove the option itself for local login.

Also let us know that if we want to keep (allow) "local login option" for a particular PC, then when should be followed?
0
 
LVL 9

Expert Comment

by:bharrington83
ID: 24122349
Here's two options.  Add the registry key to group policy or run the registry script through your logon script.  This should affect all users rather quickly.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1500 total points
ID: 24123927
You can prevent users from logging on locally through GPO. Be careful. There are two GPOs that say logon locally. One is used to prevent users from logging onto the machine interactively through terminal service.  that GPO says something like logon interactively>>logon locally. The seconed logon locally GPO is used to >

Use this as a guide:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23529413.html



0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month7 days, 19 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question