Removing "This Computer" from domain logon screen

[Michael.Patten]

I know it's a bit of a wild one, but i want to restrict my users from being able to change their login domain, and can't find instructions anywhere on how to remove the This Computer local domain from the logon screen.

As a part of my Unattend i am already adding a domain group to the local admin's group, so all user's get admin rights to every computer (all but the bare essential profile data is stored on the local computer).

Does anyone have any idea how to either remove or "hide" the above from the logon screen?

[Michael.Patten]

The only way i know how to not have any options on the logon screen is with a workgroup, but don't want to step backwards with security.

Hopefully someone out there has come across this issue.

I'm going to be removing the cacheing of logons, as i don't want the user's to be able to log on without authenticating with the server, and I don't want the users to be able to create user's.

I guess the better way of doing what i want is to "Hide" the additional logon domain option... and assign the users "power user" access... but i know that will have (management based) implications... i'm sure you all know what i mean...

[FAT64]

Can you simply deny them the "Logon locally" in Group Policy?

[Michael.Patten]

Yeah, I can, and only let the localadmin account log on locally... that might be a doer - just have to make sure no-one changes their logon domain...

[Richard Slater]

It would be really nice if MS did implement, a group policy to restrict the Domain drop down box, the number of call outs I get due to people choosing the wrong thing thing in the Domain box, or not understanding that although they are sitting infront of a computer they can't log on to "This Machine".

[FAT64]

Has this been dealt with in Windows 2003 Server Group Policy perhaps?