
Set default "Log On To" Domain Through GPO?


mojoxp


Is there any way that you can specify the default "Log On To" selection through group policy?

We've recently rolled out a second child domain, and are having a bunch of users trying to log onto it. In a perfect world there would be a magic GPO to only list a single login destination, but I'm not betting on that.



No, there is no policy available for this, but you can deploy a Startup Script via GPO which will accomplish it. Startup Scripts are set under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown), Startup. These run in the context of the local system account before the logon dialog is displayed.

In VBScript, you would use something like:

On Error Resume Next
Set oShell = CreateObject("WScript.Shell")
oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "YOURDOMAIN", "REG_SZ"
oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName", "YOURDOMAIN", "REG_SZ"

If you have disabled VBScript on client computers and/or your client antivirus is configured to block all scripts without regard to actual content and/or you already have existing Startup Scripts using BAT/CMD and want to stay consistent, you could use something like:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /d "YOURDOMAIN" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName /d "YOURDOMAIN" /f

Just don't try to run regedit and merge a reg file from a file share because network shares are not accessible at the time Startup Scripts run.

Obviously, replace "YOURDOMAIN" with the name of your domain. If it doesn't match one of the domains in the drop-down list, it will be ignored.

Note that this won't stop users from dropping down the list and changing it, but it will ensure that the default is set before every logon. Another thing you can do with GPO is display a message at every logon. Look under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options for the policies named:

  • Interactive logon: Message text for users attempting to log on
  • Interactive logon: Message title for users attempting to log on

Large organizations frequently use these policies to display "Authorized users only" types of messages (because it apparently makes it easier to prosecute intruders) but you can display anything you want, such as "If your password is rejected, please make sure you are logging on to YOURDOMAIN and not NEWDOMAIN."

Edited by hosebeast
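As an added example (not code from the original post), here is a PowerShell version of the same startup script that first checks the target name against the domains the machine actually knows about (its own domain and trusted domains, read from Win32_NTDomain) before writing the two Winlogon values, so a mistyped name in the GPO gets logged instead of being silently ignored by the logon dialog. The domain name "YOURDOMAIN" and the local log path are assumptions to adjust.

```powershell
# Added example: startup script that sets the Winlogon default domain only after
# confirming the name is one the logon dialog would list. Assumed values:
$TargetDomain = 'YOURDOMAIN'   # assumption: NetBIOS (short) name of the intended domain
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Log locally: network shares are not reachable while startup scripts run.
$LogFile      = "$env:SystemRoot\Temp\SetDefaultDomain.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Log "Computer is not domain-joined; nothing to do."
    exit 0
}

# Win32_NTDomain enumerates the machine's own domain plus trusted domains as
# seen by Netlogon; DomainName holds the NetBIOS name the logon dialog shows.
$KnownDomains = Get-CimInstance -ClassName Win32_NTDomain |
    Where-Object { $_.DomainName } |
    ForEach-Object { $_.DomainName }

# -notcontains is case-insensitive, matching NetBIOS name semantics.
if ($KnownDomains -notcontains $TargetDomain) {
    Write-Log "Target '$TargetDomain' not among known domains ($($KnownDomains -join ', ')); Winlogon would ignore it. Not writing."
    exit 1
}

# Write both values the post mentions, but only when they differ, so the
# script is idempotent and the log shows real changes only.
foreach ($Name in 'DefaultDomainName', 'AltDefaultDomainName') {
    $Current = (Get-ItemProperty -Path $WinlogonKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($Current -eq $TargetDomain) {
        Write-Log "$Name already '$TargetDomain'; unchanged."
        continue
    }
    Set-ItemProperty -Path $WinlogonKey -Name $Name -Value $TargetDomain -Type String
    Write-Log "$Name changed from '$Current' to '$TargetDomain'."
}
```

Deploy it under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown), Startup as the post describes; the log file on each client shows whether the value was accepted or rejected.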
