How to restrict users to logon to local account where the PC is a member of Windows domain ?

We have Windows 2003 AD domain "example.com" where PCs are members of that domain and users are able to login on PCs through their domain account.

Now we would like to restrict users not to log on PCs through the local user accounts i.e. users must logon through their domain a/c only.

May be instead of the prompt [1. Username 2. Password 3. Log on to: = DOMAIN / PC-NAME (this computer)],

can we remove the the option " Log on to: = DOMAIN / PC-NAME (this computer)]" on all PCs or selectively on some?


We want the settings centrally so that for troubleshooting purpose if any time for a particular PC the local logon is required then we can enable that also.
LVL 1
AtulinfotechAsked:
Who is Participating?
 
ChiefITConnect With a Mentor Commented:
You can prevent users from logging on locally through GPO. Be careful. There are two GPOs that say logon locally. One is used to prevent users from logging onto the machine interactively through terminal service.  that GPO says something like logon interactively>>logon locally. The seconed logon locally GPO is used to >

Use this as a guide:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23529413.html



0
 
WizardWillCommented:
you could try the reg setting

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Reg DWORD
NoDomainUI

Value = 1
0
 
mfhorizonCommented:
On all PC there must be a local administrator, you can change it's password which administrator should only knows. Remove all other local users.

In this case user will not have any option other than logging in with domain user.

we use this approach.!
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
WizardWillCommented:
Sorry i accidently posted the window 2000 regedit here is XP and a script to push through GPO

http://windowsitpro.com/article/articleid/82417/jsi-tip-8750-how-can-i-prevent-a-windows-xp-user-from-toggling-the-domain-box-during-log-on.html
0
 
AtulinfotechAuthor Commented:
Dear mfhorizon,

Thanks for your help.

If there exists around 1000 desktops then changing local administrator's password and removing all other local user are very difficult job as we need to attend each one. That's why we want a centralized control for not allowing users to log on locally.

Please suggest us a solution so that we can remove the option itself for local login.

Also let us know that if we want to keep (allow) "local login option" for a particular PC, then when should be followed?
0
 
Brian HarringtonIT ManagerCommented:
Here's two options.  Add the registry key to group policy or run the registry script through your logon script.  This should affect all users rather quickly.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.