Force user to logon to local computer

wtotten

IS-IT--Management
Apr 10, 2002
181
US
I have the client computers as members of a domain. There is now the option for the user to choose whether to login to the local computer or the domain. I want to use Group Policy to remove the "options <<" button and/or force the user to logon to the local machine or the domain (whatever I decide in the future). How do I do this?

Thanks,
Bill
 
I don't think that you can remove the Logon To option completely ... after all, you'll probably want SOME domain accounts to have the ability to logon (e.g. Domain Admins).

You could use Group Policy to define who can logon to the PC. I think you'll need to do this on the local policy (if you only want them to logon locally, that is), however, as domain policy won't know about the local accounts - so if you have the same policy defined at the domain level, it will overwrite the local policy. You could also use group policy to write the default value for logon to. This would however be a preference rather than a true policy as it's not written to one of the policies hives in the registry.

I'm curious why you'd want users to logon locally rather than onto the domain? Doesn't it defeat the purpose of having a domain if you want users logging on locally?!

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
gmail2,

The problem I'm trying to solve is that when a user logs on to a computer that's part of a domain, they can logon to the local PC or the domain - if they logon to the local computer and then later logon to the domain, or vice-versa, they get different Desktops, My docs, etc. I want them to have one or the other and not go back and forth.

Bill
 
OK, I understand. I think the only way around this then is to define who can logon to the PC with policy - that way if they're logging in locally for months, and then decide to use their domain account one day, they won't be able to login and (hopefully :) ) will realize why. However, I still think the easiest option would be to disable the users' local accounts and just have them logon to the domain - but I guess you have your own reason for that.

Hope I've been of some help.

Good Luck

 
Can you direct me as to how I would prevent them from logging on locally via a domain-wide GP?

Bill
 
OK, here goes:

1. Security Policy to define who can login locally
If you only want domain users logging in then you can define this at the domain level which is probably better than using local policy. Open the appropriate policy and go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Here you can define who can logon locally, logon through Terminal Services etc. The good thing about security settings (as opposed to admin templates etc) is that if you edit the local policy, it will not let you modify anything that is already configured at the domain level (it would be overwritten anyway). If you can modify the setting, it appears with the blue 0101 icon; if you can't, it'll appear with a grey icon.

You'll probably want the local administrator account to be able to logon locally also. I'm pretty sure that typing Administrators into the policy will work fine. Any builtin users/groups such as Administrator, the Administrators group etc will always have the same SID.

2. Defining default value for Logon To box
If you want to ensure that users don't have to manually select the Logon to box, then you can use GPO to do this also. If you want to do this then copy the above into a text editor and save it with a .adm file extension. Then load it into a policy which the member server will fall under the scope of. I've defined a help string also which explains where this is written etc - you will see it under the explain tab of the policy when you load it. Because it's a preference rather than a policy, you'll need to right click in a blank area and select filtering, then turn off "Only show policies that can be fully managed".
Code:
CLASS MACHINE
	CATEGORY "System"
		CATEGORY "Logon"
			POLICY "Default Logon To Value"
	
			KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
				PART "Default Domain" EDITTEXT REQUIRED
					VALUENAME "DefaultDomainName"
				END PART
			EXPLAIN !!Help
			END POLICY
		END CATEGORY
	END CATEGORY

			
[strings]
Help="This policy defines what the default value is for the Logon To box when users attempt to logon.  Because it is not written to a policies hive in the registry, it is a preference rather than a policy.  This means it will only be written when first defined and each time the policy it is defined under is modified.\n\nIf you want this value to be written to the registry each time Group Policy is applied, then enable the "Registry policy processing" policy under Computer Configuration > Administrative Templates > System > Group Policy and turn on the "Process even if Group Policy objects have not changed", however be careful as this will apply to ALL preference policies that are applied, not just this policy."
Hope I've covered everything here? Let me know how you get on

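A way to check on a client that both settings from the last post took effect, as an added example that is not part of the original thread: it exports the effective user rights with secedit, lists who holds the interactive logon rights, and reads the Winlogon value the .adm template writes. The function names and the temp file name are made up for the example, and it assumes an elevated PowerShell prompt.

```powershell
# Added example: function names and the temp file name are illustrative.
# Run from an elevated prompt on the client after Group Policy has refreshed.

function Get-LogonRight {
    param([string[]]$InfLines)            # lines of a "secedit /export" file
    $rights = @{}
    foreach ($line in $InfLines) {
        # Keep only the two rights that govern logging on at the console
        if ($line -match '^\s*(Se(?:Deny)?InteractiveLogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

function Resolve-Principal {
    param([string]$Entry)                 # "*S-1-5-32-544" (SID) or an account name
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }                  # SID that no longer resolves: show it raw
}

# Export only the user-rights area of the effective security policy
$tmp = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$rights = Get-LogonRight -InfLines (Get-Content $tmp)
Remove-Item $tmp

foreach ($name in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $who = foreach ($entry in $rights[$name]) { Resolve-Principal $entry }
    '{0}: {1}' -f $name, ($who -join ', ')
}

# The built-in Administrators group has the same SID on every machine.
# Assumption: secedit lists it by SID, which is its usual output for this group.
if ($rights['SeInteractiveLogonRight'] -notcontains '*S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators does not hold SeInteractiveLogonRight'
}

# Value written by the "Default Logon To Value" template from step 2
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$val = Get-ItemProperty -Path $key -Name DefaultDomainName -ErrorAction SilentlyContinue
'DefaultDomainName: ' + $val.DefaultDomainName
```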
 