How to hide a trusted domain in the logon screen?

I need to create a bidirectional trust between two Active Directory domains. But management is worried that users will be puzzled when seeing another domain name in the drop-down list in the Windows logon screen (many of them use Windows XP), and that help desk calls for failed logins due to having selected the wrong domain will skyrocket. Also, the two domain names are quite similar, adding to the possible user confusion.

Is there any way to hide a trusted domain from the drop-down list in the Windows logon screen?


Solution 1:

The "Right" Way:

There is, yes (sort of), but before I tell you the way I know to do this, let me advise that the safer approach to this issue is to use group policy to force a default domain on the users - so by default, they log into the domain you dictate, and don't have to worry about the domain drop-down list.


The "Disable the Domain List" way:

Anyhow, to remove the drop-down list, which will force users to use the full UPN (user principal name):

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  2. Create a new DWORD of NoDomainUI
  3. Set the value of this DWORD to 1
  4. Reboot the machine.

The logon screen will no longer show a drop-down list of domains when the machine boots up, and users will need to enter the full UPN to log on.

Obviously, as this is just a registry change, you can push it out by GPO or GPP to all your machines instead of doing it manually.
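The registry change from steps 1-4 above, as an added PowerShell example (not part of the original answer, and not a Microsoft-provided script). It writes the NoDomainUI REG_DWORD under the Winlogon key named in step 1, shows the value before and after so the change can be verified on a test machine, and carries an -Undo switch that removes the value again. The key path and value name come from the answer; the script structure, the -Undo switch and the verification output are my own additions. Run it from an elevated session; the reboot in step 4 is still needed before the logon screen changes.

```powershell
# Added example: apply (or roll back) the NoDomainUI Winlogon setting described
# in the answer above. Supports -WhatIf / -Confirm through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # -Undo removes the value, restoring the default domain drop-down list.
    [switch]$Undo
)

# Key and value name from the answer's steps 1 and 2.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name     = 'NoDomainUI'

function Get-NoDomainUI {
    # Returns the current value, or $null when the value is absent (the Windows default).
    $item = Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Format-Value($v) {
    if ($null -eq $v) { return '<not set>' } else { return "$v" }
}

$before = Get-NoDomainUI
Write-Host "$name before: $(Format-Value $before)"

if ($Undo) {
    if ($null -ne $before -and $PSCmdlet.ShouldProcess($winlogon, "Remove $name")) {
        Remove-ItemProperty -Path $winlogon -Name $name
    }
}
else {
    if ($PSCmdlet.ShouldProcess($winlogon, "Set $name = 1 (REG_DWORD)")) {
        # -PropertyType DWord matches step 2; -Force overwrites an existing value.
        New-ItemProperty -Path $winlogon -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

$after = Get-NoDomainUI
Write-Host "$name after:  $(Format-Value $after)"

# Report whether the machine is now in the state the steps describe.
if (-not $Undo -and $after -eq 1) {
    Write-Host 'NoDomainUI is set; reboot (step 4) for the logon screen to stop showing the domain list.'
}
elseif ($Undo -and $null -eq $after) {
    Write-Host 'NoDomainUI removed; the domain drop-down list returns after a reboot.'
}
```

Usage: `.\Set-NoDomainUI.ps1 -WhatIf` to preview, `.\Set-NoDomainUI.ps1` to apply, `.\Set-NoDomainUI.ps1 -Undo` to revert. For the rollout described in the paragraph above, the same value can be delivered as a Group Policy Preferences registry item pointing at the same key, value name and REG_DWORD data, which keeps the change auditable and reversible in one place rather than on each machine.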


Using a Documented Bug to Hide All Domains but One:

EDIT: In response to @Massimo's comment with more explicit requirements, I found this Technet thread, which suggests the bug in this KB as a workaround.

Basically, as a result of the Netlogon.ftl file not having the proper permissions to be opened by the winlogon process, the list of trusted domains cannot be displayed, resulting in only the domain the machine/user belongs to being displayed.

Based on a quick test, this seems to work, in a 2003 FL forest, on an XP client (all virtualized in the lab environment on my laptop). I can't do more extensive testing at the moment, but would be really curious if someone else can and report whether it works for newer OSes or in different environments.

Using a bug like this has to be the hackiest thing I've ever done, and I am morbidly curious to hear about how this fares in other environments.