JSI Tip 8750. How can I prevent a Windows XP user from toggling the Domain box during log on?
December 2, 2004
In tip 3031, we prevented a Windows NT 4.0 user from toggling the Domain box during log on.
In Windows XP, you can hide the domain box AND require a UPN (User Principal Name) to log on to your domain, by setting the NoDomainUI Value Name, a REG_DWORD data type, to 1 at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon on each Windows XP domain member.
NOTE: You must shut down and restart Windows XP for this setting to become effective.
NOTE: If only the SAM account is entered, Windows XP will attempt a local logon.
NOTE: You can implement this change via group policy by defining a Shutdown script that contains:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V NoDomainUI /T REG_DWORD /D 1 /F
I have scripted NoDomainUI.bat to set the NoDomainUI Value Name to 1 on all your Windows XP domain members.
The syntax for using NoDomainUI.bat is:
NoDomainUI [Exclude1 Exclude2 ExcludeN]
Where ExcludeX is an optional list of \\ComputerNames to bypass.
NoDomainUI.bat contains:
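@echo off
setlocal
set qry=reg.exe query
set add=reg.exe add
rem Filter that drops any line beginning with an excluded \\ComputerName.
set fnd=FINDSTR /L /I /B /V /G:"%TEMP%\NoDomainUI.TMP"
if exist "%TEMP%\NoDomainUI.TMP" del /q "%TEMP%\NoDomainUI.TMP"
rem Write each exclusion argument to the temporary file, one per line.
:loop
if {%1}=={} goto loopend
@echo %1>>"%TEMP%\NoDomainUI.TMP"
shift
goto loop
:loopend
rem The sentinel line keeps the exclusion file from being empty.
@echo END_OF_NoDomainUI_EXCLUSION>>"%TEMP%\NoDomainUI.TMP"
rem Enumerate computers, skip exclusions, and set NoDomainUI only where CurrentVersion is 5.1 (Windows XP).
for /f "Tokens=1" %%c in ('net view^|find /i "\\"^|%fnd%') do (
 for /f "Tokens=2*" %%r in ('%qry% "%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion^|find "REG_SZ"') do (
  if "%%s" EQU "5.1" @echo %%c&%add% "%%c\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V NoDomainUI /T REG_DWORD /D 1 /F &@echo.
 )
)
endlocal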
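To confirm the setting was written on the machines you care about, the following added example (not part of the original tip) reads NoDomainUI back from each \\ComputerName passed as an argument. The script name CheckNoDomainUI.bat and the report wording are assumptions made for this example.

```batch
@echo off
rem CheckNoDomainUI.bat (hypothetical name): report NoDomainUI for each \\ComputerName argument.
rem Usage: CheckNoDomainUI \\Computer1 [\\Computer2 ...]
setlocal
set key=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
if {%1}=={} echo Usage: %~n0 \\Computer1 [\\Computer2 ...]&goto :EOF
:next
if {%1}=={} goto done
set state=UNREACHABLE
rem If the Winlogon key cannot be read at all, the machine is down or access is denied.
reg.exe query "%1\%key%" >nul 2>&1
if errorlevel 1 goto report
rem The key is readable; assume the value is missing until the query below finds it.
set state=NOT SET
for /f "Tokens=2*" %%r in ('reg.exe query "%1\%key%" /v NoDomainUI 2^>nul^|find "REG_DWORD"') do set state=%%s
:report
rem 0x1 means the domain box is hidden; NOT SET or 0x0 means the change is missing.
echo %1 NoDomainUI=%state%
shift
goto next
:done
endlocal
```

A value of 0x1 only shows that the registry change is in place; per the note above, it takes effect after the machine has been shut down and restarted.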