In tip 3031, we prevented a Windows NT 4.0 user from toggling the Domain box during log on.
In Windows XP, you can hide the domain box AND require a UPN (User Principal Name) to log on to your domain, by setting the NoDomainUI Value Name, a REG_DWORD data type, to 1 at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon on each Windows XP domain member.
NOTE: You must shut down and restart Windows XP for this setting to become effective.
NOTE: If only the SAM account is entered, Windows XP will attempt a local logon.
NOTE: You can implement this change via group policy by defining a Shutdown script that contains:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V NoDomainUI /T REG_DWORD /D 1 /F
I have scripted NoDomainUI.bat to set the NoDomainUI Value Name to 1 on all your Windows XP domain members.
The syntax for using NoDomainUI.bat is:
NoDomainUI [Exclude1 Exclude2 ExcludeN]
Where ExcludeX is an optional list of \\ComputerNames to bypass.
NoDomainUI.bat contains:
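@echo off
setlocal
set qry=reg.exe query
set add=reg.exe add
rem FINDSTR filter that drops every line beginning with an excluded \\ComputerName
set fnd=FINDSTR /L /I /B /V /G:"%TEMP%\NoDomainUI.TMP"
if exist "%TEMP%\NoDomainUI.TMP" del /q "%TEMP%\NoDomainUI.TMP"
rem Write each command-line argument to the exclusion file, one per line
:loop
if {%1}=={} goto loopend
@echo %1>>"%TEMP%\NoDomainUI.TMP"
shift
goto loop
:loopend
rem Sentinel entry so the exclusion file is never empty
@echo END_OF_NoDomainUI_EXCLUSION>>"%TEMP%\NoDomainUI.TMP"
rem For every computer listed by net view that is not excluded, read its CurrentVersion
for /f "Tokens=1" %%c in ('net view^|find /i "\\"^|%fnd%') do (
 for /f "Tokens=2*" %%r in ('%qry% "%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion^|find "REG_SZ"') do (
  rem 5.1 is Windows XP: set NoDomainUI to 1 on that computer
  if "%%s" EQU "5.1" @echo %%c&%add% "%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V NoDomainUI /T REG_DWORD /D 1 /F &@echo.
 )
)
endlocal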
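To confirm the setting after NoDomainUI.bat or the Shutdown script has run, the following added example (not part of the original tip) reports the NoDomainUI value on each \\ComputerName passed to it. The script name CheckNoDomainUI.bat is hypothetical, and it assumes you have administrative access to each computer's registry over the network.

```bat
@echo off
rem Added example, not from the original tip.
rem Usage (hypothetical name): CheckNoDomainUI \\PC1 \\PC2 \\PCn
setlocal
set key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
:next
if {%1}=={} goto done
rem Clear the result so a failed query is not mistaken for the previous value
set val=
rem The third token of the REG_DWORD line is the data, for example 0x1
for /f "tokens=3" %%v in ('reg.exe query "%1\%key%" /v NoDomainUI 2^>nul ^| find /i "REG_DWORD"') do set val=%%v
if not defined val (
  echo %1 NoDomainUI is not set, or the registry could not be read
) else if /i "%val%"=="0x1" (
  echo %1 NoDomainUI=1, domain box hidden after the next restart
) else (
  echo %1 NoDomainUI=%val%, domain box still shown
)
shift
goto next
:done
endlocal
```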