JSI Tip 8750. How can I prevent a Windows XP user from toggling the Domain box during log on?

In tip 3031, we prevented a Windows NT 4.0 user from toggling the Domain box during log on.

In Windows XP, you can hide the domain box AND require a UPN (User Principal Name) to log on to your domain, by setting the NoDomainUI Value Name, a REG_DWORD data type, to 1 at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon on each Windows XP domain member.

NOTE: You must shut down and restart Windows XP for this setting to become effective.

NOTE: If only the SAM account is entered, Windows XP will attempt a local logon.

NOTE: You can implement this change via group policy by defining a Shutdown script that contains:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V NoDomainUI /T REG_DWORD /D 1 /F

I have scripted NoDomainUI.bat to set the NoDomainUI Value Name to 1 on all your Windows XP domain members.

The syntax for using NoDomainUI.bat is:

NoDomainUI [Exclude1 Exclude2 ExcludeN]

Where ExcludeX is an optional list of \\ComputerNames to bypass.

NoDomainUI.bat contains:

@echo off
set qry=reg.exe query
set add=reg.exe add
set fnd=FINDSTR /L /I /B /V /G:"%TEMP%\NoDomainUI.TMP"
if exist "%TEMP%\NoDomainUI.TMP" del /q "%TEMP%\NoDomainUI.TMP"
rem Write each excluded \\ComputerName to the FINDSTR exclusion file.
:loop
if {%1}=={} goto loopend
@echo %1>>"%TEMP%\NoDomainUI.TMP"
shift
goto loop
:loopend
@echo END_OF_NoDomainUI_EXCLUSION>>"%TEMP%\NoDomainUI.TMP"
rem For each computer not excluded, set NoDomainUI only if it reports version 5.1 (Windows XP).
for /f "Tokens=1" %%c in ('net view^|find /i "\\"^|%fnd%') do (
 for /f "Tokens=2*" %%r in ('%qry% "%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion^|find "REG_SZ"') do (
  if "%%s" EQU "5.1" @echo %%c&%add% "%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V NoDomainUI /T REG_DWORD /D 1 /F &@echo.
 )
)
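To confirm the rollout afterwards, a read-only check can report which machines actually carry the value. This is an added example, not part of the original tip: the name CheckNoDomainUI.bat and the status words are hypothetical, and it assumes the same remote registry access that NoDomainUI.bat needs.

```batch
@echo off
rem Added example: read-only audit, nothing is written to the targets.
rem Usage (hypothetical name): CheckNoDomainUI.bat \\PC1 \\PC2 ...
setlocal
set key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
:next
if "%~1"=="" goto done
set osver=
set val=
rem Read the OS version; an unreachable machine leaves osver empty.
for /f "tokens=2*" %%r in ('reg.exe query "%~1\%key%" /v CurrentVersion 2^>nul ^| find "REG_SZ"') do set osver=%%s
if not defined osver (echo %~1 UNREACHABLE& goto advance)
if not "%osver%"=="5.1" (echo %~1 SKIPPED not Windows XP& goto advance)
rem Read NoDomainUI; a missing value leaves val empty.
for /f "tokens=2*" %%r in ('reg.exe query "%~1\%key%\Winlogon" /v NoDomainUI 2^>nul ^| find "REG_DWORD"') do set val=%%s
if "%val%"=="0x1" (echo %~1 OK) else (echo %~1 NOT SET)
:advance
shift
goto next
:done
endlocal
```

Machines reported as NOT SET or UNREACHABLE still show the Domain box at logon until the value is applied and the machine is restarted.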
