No local logon - only to domain??

Guest

Hi, could you tell me how you could remove the local logon option for clients in an AD domain?

So they can only choose to log on to a domain..... Expanding on this, can you make OUs, place computers in them and apply a GPO so it specifies exactly what domain those specific computers can log on to and remove local logon too??

Thanks!!
 
Lanwench [MVP - Exchange]

Bbs said:
> Hi, could you tell me how you could remove the local logon option for
> clients in an AD domain?

Make sure they don't have any local accounts on the workstations - delete
any that were created, make sure they don't know the local administrator
credentials.

> So they can only choose to logon to a domain.....expanding this can
> you make OU's, place computers in and apply a GPO so it specifies
> exactly what domain that those specific computers can logon to and
> remove local logon too???

Not sure about GPOs there, as I'm not so great with policies (yet!) but
regarding what domain they can log on to, they can only log on to the one
you joined the computer to unless you have trusts in place....
 
Laura E. Hunter (MVP)

On Windows NT4/2000/XP clients, you can do this by simply deleting/disabling
any local machine accounts on the workstations. Since users on these
machines require either a local or domain account to access them, at that
point you are restricting them to using the domain account only.

There's no real way to do this for Windows 9x or ME clients, only NT4 or
better.
 
Steven L Umbach

There is no Group Policy to disable showing the local machine during logon
to a non-DC domain member. You could configure the user rights assignment
for logon locally to be only domain users, which I think will still allow
local administrators to log on also.

Domain controllers actually do have a local account - the administrator
account that is used for Recovery Console and Directory Services Restore,
which is kept in the local SAM and can be accessed only by booting into
Directory Services Restore mode.

I know of no registry mod to do what you want. One may exist but I have
never heard of it.

--- Steve

Bbs said:
> So how does a Domain controller disable local users and groups and when
> logging onto a DC not allow you to choose the local machine SAM database,
> and only its AD domain (and any other domains it trusts??)
> I'm guessing if it can be done via member server promotion then it can be
> done manually via registry settings / group policy.
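
An added example, not part of any post in this thread: one way to check which principals hold the "log on locally" user right (SeInteractiveLogonRight) that the reply above suggests restricting. It parses text in the format written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the function names, the sample export and the domain SID are constructed for illustration.

```powershell
# Added example: audit "log on locally" (SeInteractiveLogonRight).
# Input is the text of a secedit USER_RIGHTS export, one string per line.
function Get-InteractiveLogonPrincipals {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }              # right not defined in the export
    @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimStart('*') })   # secedit prefixes SIDs with '*'
}

function Test-InteractiveLogonRight {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [Parameter(Mandatory)][string[]]$Allowed   # SIDs or names expected to hold the right
    )
    foreach ($p in Get-InteractiveLogonPrincipals -InfLines $InfLines) {
        [pscustomobject]@{
            Principal = $p
            Expected  = $Allowed -contains $p      # -contains is case-insensitive
        }
    }
}

# Constructed sample export; the S-1-5-21-... value is a made-up domain SID.
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513,Guest'
)
$allowed = @(
    'S-1-5-32-544',                                    # BUILTIN\Administrators
    'S-1-5-21-1111111111-2222222222-3333333333-513'    # Domain Users (RID 513) in the constructed domain
)
# S-1-5-32-545 (BUILTIN\Users, which also contains local user accounts) and the
# name "Guest" are reported with Expected = False.
Test-InteractiveLogonRight -InfLines $sample -Allowed $allowed | Format-Table -AutoSize
```

On a real machine, replace `$sample` with `Get-Content rights.inf` after running the export from an elevated prompt, and put your own domain group's SID in `$allowed`.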