Remove Domain from 'Log in to' drop down list

matt
Apr 2, 2004
Archived from groups: microsoft.public.win2000.security

Can you remove a domain in the "log in to" drop down list on the login page?
I have a dedicated forest root domain that I do not want viewable.
Removing from WINS only removes from the network browser.
 
Guest

Hi Matt,

AFAIK, as long as you have trusts between these domains there is nothing you
can do to filter out the drop-down menu.

I hope you didn't set up an additional (root) domain for security reasons.
The security boundary is no longer the domain, as it was when Windows 2000 and
Active Directory first came out. Later the security boundary was changed to the
Active Directory forest.

The problem is that if an unauthorized person gets physical access to the Active
Directory of a child domain, he/she could spoof the (Enterprise) Administrator's
SID and take over the whole AD forest. What you need to have in this case is good
physical security for your domain controllers. Only trusted people should have
access to them.
If you establish trusts between two forests you can set up SID filters that
will prevent SID spoofing.

Mike

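The point Mike makes about SID filtering is something you can verify rather than assume. The following PowerShell is an added example, not code from any of the posters: it reads every trust object in the current domain with Get-ADTrust and decodes the trustAttributes bits to say whether SID filtering applies to that trust. It assumes the ActiveDirectory RSAT module is installed and the session is domain-joined (so $env:USERDNSDOMAIN is set); the flag values are the documented MS-ADTS trustAttributes constants, and the netdom hints it prints assume the local domain is the trusting side of the trust.

```powershell
# Added example (not from the original posts): report SID filtering state per trust.
# Assumes: ActiveDirectory module available; run from a domain-joined session.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust (netdom /quarantine:yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside one forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust that accepts SID history (netdom /enablesidhistory:yes)

function Get-TrustSidFilteringState {
    param([int] $Attributes, [string] $Name)

    # Intra-forest trusts (Matt's root/child case) never filter SIDs: the forest is the boundary.
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
        return 'Not applicable: same forest, the forest is the security boundary'
    }
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
        # Forest trusts filter by default; TREAT_AS_EXTERNAL means SID history was allowed through.
        if ($Attributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
            return "Relaxed: SID history accepted. Fix: netdom trust $env:USERDNSDOMAIN /domain:$Name /enablesidhistory:no"
        }
        return 'Enabled (forest trust default)'
    }
    # External (non-forest) trusts only filter when the quarantine bit is set.
    if ($Attributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
        return 'Enabled (quarantined)'
    }
    return "Disabled. Fix: netdom trust $env:USERDNSDOMAIN /domain:$Name /quarantine:yes"
}

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * -Properties trustAttributes | ForEach-Object {
        $attr = [int]$_.trustAttributes
        [pscustomobject]@{
            Trust        = $_.Name
            Direction    = $_.Direction
            Attributes   = ('0x{0:X}' -f $attr)
            SidFiltering = Get-TrustSidFilteringState -Attributes $attr -Name $_.Name
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize -Wrap
```

Run it on each side of an inter-forest trust, since the quarantine flag is set per trusting domain. A parent/child trust inside one forest will always come back as "not applicable", which is the concrete form of Mike's point: a dedicated root domain does not buy you a filter against a compromised child DC.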
 
Guest

I don't know of any way to do that. JSI has a link that may provide a workaround,
though one method works only for NT.

http://www.jsiinc.com/subg/tip3000/rh3031.htm

You can of course use the "log on locally" and "access this computer from the network"
user rights to restrict which users can log on to a domain's computer. --- Steve


 
Guest

I don't know of any way that you can remove a domain; why do you need to do
this?
If it's because users log on to the incorrect domain, then you can force a
default domain and then hide the domain list using Group Policy.

Although there is no Group Policy setting to do this, I got around the problem
by writing a custom ADM file which changes a couple of registry keys in:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

The 2 keys to change are:
ShowLogonOptions - set to 0 to hide the domain list &
DefaultDomainList - set this to the domain you need to logon to.

Here's a copy of the ADM file:
;****************************************************************
;* Custom ADM file to force a specific domain to log on to.     *
;* You'll also need to change the group policy                  *
;* \Computer\AdminTemplates\System\GroupPolicy\                  *
;* "Enable Registry Policy Processing" and enable "process even *
;* if the group policy objects have not changed".               *
;* Written by Gary Middleton, UK                                *
;****************************************************************

CLASS MACHINE

CATEGORY !!Logon

POLICY !!HideDomainList
EXPLAIN !!HideDomainList_Help
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME ShowLogonOptions
VALUEON NUMERIC 0 ; removes dropdown list
VALUEOFF NUMERIC 1 ; enables dropdown list
END POLICY

POLICY !!DefaultDomain
EXPLAIN !!DefaultDomain_Help
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUENAME DefaultDomainName
VALUEON "DOMAINNAME" ; where DOMAINNAME is the domain you want the users to log on to
VALUEOFF ""
END POLICY

END CATEGORY

[strings]
Logon="Logon Options"
HideDomainList="Hide Domain List"
HideDomainList_Help="Enabling this setting hides the domain list from the CTRL+ALT+DELETE screen. Disabling will show the domain list."
DefaultDomain="Default Domain"
DefaultDomain_Help="Default domain name to set to DOMAINNAME if enabled. It will be the default option in the drop down list at the CTRL+ALT+DELETE screen."

Just cut & paste into WordPad and save with a .ADM extension. Load GPMC,
right-click Administrative Templates & add template, then find the location
of the saved ADM file.
To view the change, select View\Filtering from the menu with the policy loaded
and uncheck the box "only show policy settings that can be fully managed".
You'll then be able to edit the 2 keys in your new Admin Template
within the policy.

Hope this helps,

Gary Middleton.

p.s. At least if you've already fixed this, it will show up in Google Groups
& help someone else - I couldn't find this solution anywhere.

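Gary's ADM template writes the two Winlogon values through Group Policy. As an added example that is not part of Gary's post, the following PowerShell sets the same two values directly on one machine and reads them back, which is handy for testing the effect on a single box before pushing the template. It assumes the classic Windows 2000/XP/2003 Winlogon (where ShowLogonOptions is honoured), an elevated session, and a placeholder domain name 'CORP' that you replace with your child domain's NetBIOS name.

```powershell
# Added example (not from the original posts): set and verify the Winlogon values
# that Gary's ADM template controls. Assumes classic Winlogon and an elevated shell.
$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$targetDomain = 'CORP'   # placeholder: NetBIOS name of the domain users should log on to

function Set-LogonDomainLock {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [switch] $HideDomainList
    )
    # DefaultDomainName (REG_SZ): the domain preselected in the Ctrl+Alt+Del dialog.
    Set-ItemProperty -Path $winlogon -Name 'DefaultDomainName' -Value $DomainName -Type String
    # ShowLogonOptions (REG_DWORD): 0 hides the Options/domain list, 1 shows it.
    $show = if ($HideDomainList) { 0 } else { 1 }
    Set-ItemProperty -Path $winlogon -Name 'ShowLogonOptions' -Value $show -Type DWord
}

function Test-LogonDomainLock {
    param([Parameter(Mandatory)] [string] $ExpectedDomain)
    # Read both values back; a missing value comes back as $null and fails the check.
    $p  = Get-ItemProperty -Path $winlogon
    $ok = ($p.DefaultDomainName -eq $ExpectedDomain) -and ($p.ShowLogonOptions -eq 0)
    [pscustomobject]@{
        DefaultDomainName = $p.DefaultDomainName
        ShowLogonOptions  = $p.ShowLogonOptions
        Locked            = $ok
    }
}

Set-LogonDomainLock -DomainName $targetDomain -HideDomainList
Test-LogonDomainLock -ExpectedDomain $targetDomain | Format-List
```

Treat this as a usability setting, not a control: hiding the list only removes the root domain from the dialog. A user who types ROOT\username or a UPN is still authenticated by the root domain through the trust, which is the limitation Mike describes.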
 

Destruckt
Jan 16, 2010
Go to your domain controller, Active Directory trust site, right-click each of your domains and go to the tab ''trust site''; there you will see the list of all the domains that are listed in the drop-down box domain list.

It worked for me!

Hugs

Destruckt