Remove Domain from 'Log in to' drop down list

Archived from groups: microsoft.public.win2000.security (More info?)

Can you remove a domain in the "log in to" drop down list on the login page?
I have a dedicated forest root domain that I do not want viewable.
Removing from WINS only removes from the network browser.
  1.

    Hi Matt,

    AFAIK as long as you have trusts between these domains there is nothing you
    can do to filter out drop down menu.

    I hope you didn't set up an additional (root) domain for security reasons.
    The security boundary is not the domain any more, as it was when Windows 2000 and
    Active Directory first came out. Later the security boundary was changed to the
    Active Directory forest.

    Problem is if unauthorized person gets physical access to active directory
    of child domain he/she could spoof (Enterprise) Administrator's SID and take
    over whole AD forest. What you need to have in this case is good physical
    security of your domain controllers. Only trusted people should have access
    to them.
    If you establish trusts between two forests you can set up SID filters that
    will prevent SID spoofing.

    Mike

    "Matt" <Matt@discussions.microsoft.com> wrote in message
    news:652C83E0-182F-4206-A856-AADDD518E1A3@microsoft.com...
    > Can you remove a domain in the "log in to" drop down list on the login page?
    > I have a dedicated forest root domain that I do not want viewable.
    > Removing from WINS only removes from the network browser.
  2.

    I don't know of any way to do that. JSI has a link that may provide a work around
    though one method works for only NT.

    http://www.jsiinc.com/subg/tip3000/rh3031.htm

    You can of course use the logon locally and access this computer from the network
    user rights to restrict which users can log on to a domain's computer. --- Steve


    "Matt" <Matt@discussions.microsoft.com> wrote in message
    news:652C83E0-182F-4206-A856-AADDD518E1A3@microsoft.com...
    > Can you remove a domain in the "log in to" drop down list on the login page?
    > I have a dedicated forest root domain that I do not want viewable.
    > Removing from WINS only removes from the network browser.
  3.

    I don't know of any way that you can remove a domain, why do you need to do
    this?
    If it's because users log onto the incorrect domain, then you can force a
    default domain and then hide the domain list using group policy.

    Although there is no group policy setting to do this, I got around the problem
    by writing a custom ADM file which changes a couple of registry keys in:
    HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon.

    The 2 keys to change are:
    ShowLogonOptions - set to 0 to hide the domain list &
    DefaultDomainList - set this to the domain you need to logon to.

    Here's a copy of the ADM file:
    ;****************************************************************
    ;* Custom ADM file to force a specific domain to log on to.
    ;* You'll also need to change the group policy
    ;* \Computer\AdminTemplates\System\GroupPolicy\
    ;* "Enable Registry Policy Processing", and enable "process even
    ;* if the group policy objects have not changed".
    ;* Written by Gary Middleton, UK
    ;****************************************************************


    CLASS MACHINE

    CATEGORY !!Logon

    POLICY !!HideDomainList
    EXPLAIN !!HideDomainList_Help
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    VALUENAME ShowLogonOptions
    VALUEON NUMERIC 0 ; removes dropdown list
    VALUEOFF NUMERIC 1 ; enables dropdown list
    END POLICY

    POLICY !!DefaultDomain
    EXPLAIN !!DefaultDomain_Help
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    VALUENAME DefaultDomainName
    VALUEON "DOMAINNAME" ; where DOMAINNAME is the domain you want the users to log on to
    VALUEOFF ""
    END POLICY


    END CATEGORY

    [strings]
    Logon="Logon Options"
    HideDomainList="Hide Domain List"
    HideDomainList_Help="Enabling this setting hides the domain list from the CTRL+ALT+DELETE screen. Disabling will show the domain list."
    DefaultDomain="Default Domain"
    DefaultDomain_Help="Default domain name to set to DOMAINNAME if enabled. It will be the default option in the drop down list at the CTRL+ALT+DELETE screen."


    Just cut & paste into wordpad, save
    with a .ADM extension. Load GPMC, right click administrative Tools &
    add template, find location of the saved adm file.
    To view change view\filtering from the menu with the policy loaded,
    uncheck box "only show policy settings that can be fully managed"
    You'll then be able to edit the 2 keys in your new Admin Template
    within the policy.

    Hope this helps,

    Gary Middleton.

    P.S. At least if you've already fixed this, it will show up in Google Groups
    & help someone else - I couldn't find this solution anywhere.

    "Matt" wrote:

    > Can you remove a domain in the "log in to" drop down list on the login page?
    > I have a dedicated forest root domain that I do not want viewable.
    > Removing from WINS only removes from the network browser.
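
A check for the two Winlogon values that the ADM file in the answer above writes, added here as an example and not part of the original thread. It assumes PowerShell 3.0 or later on the client; `$ExpectedDomain` and the `Test-WinlogonValue` helper are hypothetical names introduced for this example.

```powershell
# Added example: confirm the registry policy from the ADM template reached this machine.
# $ExpectedDomain is a placeholder; pass the domain name configured in the policy.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedDomain
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Value names and data as used by the ADM file's VALUENAME / VALUEON lines.
$expected = [ordered]@{
    ShowLogonOptions  = '0'
    DefaultDomainName = $ExpectedDomain
}

function Test-WinlogonValue {
    param([string]$Path, [string]$Name, [string]$Want)

    # A missing key or value returns nothing instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $state  = 'Missing'
    } else {
        # Cast so REG_DWORD 0 and REG_SZ "0" compare the same way.
        $actual = [string]$item.$Name
        $state  = if ($actual -ieq $Want) { 'OK' } else { 'Mismatch' }
    }
    [pscustomobject]@{ Value = $Name; Expected = $Want; Actual = $actual; State = $state }
}

$results = foreach ($name in $expected.Keys) {
    Test-WinlogonValue -Path $key -Name $name -Want $expected[$name]
}
$results | Format-Table -AutoSize

# A non-zero exit code lets a startup script or scheduled task flag the machine.
if ($results.State -contains 'Missing' -or $results.State -contains 'Mismatch') { exit 1 }
```

Run it after a policy refresh; a `Mismatch` that returns on the next check usually means registry policy processing is not being re-applied when the GPO is unchanged, which is the setting the ADM file's header comment calls out.
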
  4. Go to your domain controller, Active Directory trust site, right-click on each of your domains and go to the tab ''trust site''; there you will see the list of all the domains that are listed in the drop down box domain list :o .

    It worked for me!

    Hugs

    Destruckt