mojoxp
Posted July 23, 2006

Is there any way that you can specify the default "Log On To" select through group policy?

We've recently rolled out a second child domain, and are having a bunch of users trying to log onto it. In a perfect world there would be a magic GPO to only list a single login destination, but I'm not betting on that.

hosebeast
Posted July 23, 2006 (edited)

No, there is no policy available for this, but you can deploy a Startup Script via GPO which will accomplish it. Startup Scripts are set under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown), Startup. These run in the context of the local system account before the logon dialog is displayed.

In VBScript, you would use something like:

    On Error Resume Next
    Set oShell = CreateObject("WScript.Shell")
    oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "YOURDOMAIN", "REG_SZ"
    oShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName", "YOURDOMAIN", "REG_SZ"

If you have disabled VBScript on client computers and/or your client antivirus is configured to block all scripts without regard to actual content and/or you already have existing Startup Scripts using BAT/CMD and want to stay consistent, you could use something like:

    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /d "YOURDOMAIN" /f
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName /d "YOURDOMAIN" /f

Just don't try to run regedit and merge a reg file from a file share because network shares are not accessible at the time Startup Scripts run.

Obviously, replace "YOURDOMAIN" with the name of your domain. If it doesn't match one of the domains in the drop-down list, it will be ignored.

Note that this won't stop users from dropping down the list and changing it, but it will ensure that the default is set before every logon.

Another thing you can do with GPO is display a message at every logon. Look under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options for the policies named:

    Interactive logon: Message text for users attempting to log on
    Interactive logon: Message title for users attempting to log on

Large organizations frequently use these policies to display "Authorized users only" types of messages (because it apparently makes it easier to prosecute intruders) but you can display anything you want, such as "If your password is rejected, please make sure you are logging on to YOURDOMAIN and not NEWDOMAIN."

Edited July 23, 2006 by hosebeast
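
An idempotent variant of the startup script from the answer above, added here as an example and not part of either post: it checks both Winlogon values before writing and keeps a local record of what it found or changed. It assumes Windows PowerShell is available on the clients; the function name `Set-DefaultLogonDomain`, the `-AuditOnly` switch and the CSV path are hypothetical.

```powershell
# Added example: idempotent startup script for the Winlogon default-domain values.
# Assumptions: Windows PowerShell is present on the clients; 'YOURDOMAIN' is the
# placeholder used in the post; the function name and CSV path are hypothetical.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueNames  = 'DefaultDomainName', 'AltDefaultDomainName'

function Set-DefaultLogonDomain {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Path = $WinlogonKey,
        [switch]$AuditOnly   # report drift without writing anything
    )

    foreach ($name in $ValueNames) {
        # A missing value yields $null here instead of raising an error.
        $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name

        if ($current -eq $Domain) {
            $status = 'OK'
        }
        elseif ($AuditOnly) {
            $status = 'Drift'
        }
        else {
            # Same effect as RegWrite / REG ADD in the post: a REG_SZ value.
            Set-ItemProperty -Path $Path -Name $name -Value $Domain -Type String
            $status = 'Corrected'
        }

        # One record per value, so the result can be logged or exported.
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Value    = $name
            Previous = $current
            Expected = $Domain
            Status   = $status
        }
    }
}

# Startup-script use: correct the values and keep a local record, because
# network shares are not reachable when Startup Scripts run.
Set-DefaultLogonDomain -Domain 'YOURDOMAIN' |
    Export-Csv -Path "$env:SystemRoot\Temp\DefaultLogonDomain.csv" -NoTypeInformation
```

Running the function with `-AuditOnly` reports machines whose values have drifted without changing them.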