How to hide a trusted domain in the logon screen?

login active-directory domain

I need to create a bidirectional trust between two Active Directory domains. But management is worried that users will be puzzled out when seeing another domain name in the drop-down list in the Windows logon screen (many of them use Windows XP), and that help desk calls for failed logins due to having selected the wrong domain will skyrocket. Also, the two domain names are quite similar, adding to the possible user confusion.

Is there any way to hide a trusted domain from the drop-down list in the Windows logon screen?


Solution 1:

The "Right" Way:

There is, yes (sort of), but before I tell you the way I know to do this, let me advise that the safer approach to this issue is to use group policy to force a default domain on the users - so by default, they log into the domain you dictate, and don't have to worry about the domain drop down list.

The "Disable the Domain List" way:

Anyhow, to remove the drop down list, which will force users to use the full UPN (user principal name):

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  2. Create a new DWORD of NoDomainUI
  3. Set the value of this DWORD to 1
  4. Reboot the machine.

The logon screen will no longer show a drop-down list of domains when the machine boots up, and users will need to enter the full UPN to log on.

Obviously, as this is just a registry change, you can push it out by GPO or GPP to all your machines instead of doing it manually.

Using a Documented Bug to Hide All Domains but One:

EDIT: In response to @Massimo's comment with more explicit requirements, I found this Technet thread, which suggests the bug in this KB as a workaround.

Basically, as a result of the Netlogon.ftl file not having the proper permissions to be opened by the winlogon process, the list of trusted domains cannot be displayed, resulting in only the domain the machine/user belongs to being displayed.

Based on a quick test, this seems to work, in a 2003 FL forest, on an XP client (all virtualized in the lab environment on my laptop). I can't do more extensive testing at the moment, but would be really curious if someone else can and report whether it works for newer OSes or in different environments.

Using a bug like this has to be the hackiest thing I've ever done, and am morbidly curious to hear about how this fares in other environments.

Related

dnsResolve and isInNet functions Problem
multiple puppet masters
Modify XFS filesystem creation parameters during kickstart installation
Grant permission in Active Directory to add users / modify / changed password / add them to group them but not delete them
rsync via multiple ssh connections with a key
HP Proliant ml350p g8 not booting after installing new CPUs
How to extract information from a Wikipedia infobox?
Mongodb sort inner array
Convert pandas.Series from dtype object to float, and errors to nans
Convert hour:minute:second (HH:MM:SS) string to proper time class
Negative integer division surprising result
Convert Text to Date?