
Set default logon domain via Group Policy

October 4, 2010

How many of us have had a call that someone could not log on to their computer, only to find that they were trying to log on to the local machine instead of the domain? Worse yet, what if you have a forest with multiple domains?

Server 2008 and Windows Vista, Windows 7

If you are the lucky administrator of a Windows 2008 or 2008 R2 Active Directory with just Windows Vista and Windows 7 clients then your job is easy. There is a group policy found in Computer Configuration\Administrative Templates\System\Logon called "Assign a default domain for logon". Enable this policy, enter your domain's name and you are finished.

Server 2003 and Windows XP

However, what if you are one of the many who still run an older version of Active Directory or happen to have tens, hundreds or thousands of those faithful Windows XP clients operating? You will need to create a script and set it as a machine startup script in your Group Policy Object (GPO).

Let us examine the following script courtesy of Microsoft’s Knowledge Base Article 555050:

' Writes the domain's NetBIOS name into the Winlogon DefaultDomainName value
Dim sDomName
Dim oWshShell
Set oWshShell = CreateObject("WScript.Shell")
sDomName = "TEST-DOMAIN"   ' replace with your own domain's NETBIOS name
oWshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", sDomName

Create this script in notepad and save it with a .vbs extension, for example DefaultDomainScript.vbs.

  • sDomName is just a variable that holds your domain's NETBIOS name, which in this case is TEST-DOMAIN. Change this to whatever your domain name actually is.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName is the registry value on the client machine that we want to set. It will be set to the contents of sDomName.

Now you need to open the Group Policy Management Editor of one of your Domain Controllers and choose to edit or create a Group Policy Object that applies to the Organizational Unit (OU) containing those computers you want to affect. If for some reason you have not organized your domain into OUs or you want to affect every single PC on your domain, then edit the Default Domain Policy.

Expand Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown) and double click on Startup. Under the Scripts tab, click "Add…" and then "Browse…". A dialog box opens showing the folder this GPO's startup scripts are stored in; copy the script file you created into that folder, select it and click Open. You do not need to provide any parameters in the second text entry box.

That’s it! Your clients will use the script at their next restart. Microsoft’s article suggests running GPUPDATE on a domain controller as well, but I have personally found this step not really necessary as the changes tend to propagate quickly enough on their own.
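For administrators who would rather deploy the same change as a PowerShell startup script, here is an added example that is not part of the original post or of Microsoft's KB 555050. It does what the VBScript above does (write the Winlogon DefaultDomainName value), but it first validates the name, skips the write when the value is already correct, and reads the value back so a failed write is reported. Assumptions: "TEST-DOMAIN" is a placeholder for your domain's NETBIOS name, the client has Windows PowerShell installed, and the script runs as LocalSystem (as GPO machine startup scripts do), which can write to HKLM.

```powershell
# Added example (not from the original post or KB 555050): PowerShell equivalent
# of the VBScript startup script, with validation and read-back verification.
param(
    # NetBIOS name of the domain users should log on to.
    # "TEST-DOMAIN" below is a placeholder; pass your real domain name.
    [Parameter(Mandatory = $true)]
    # NetBIOS names are 1-15 characters and contain no path or wildcard characters
    [ValidatePattern('^[^\\/:*?"<>|]{1,15}$')]
    [string]$DomainName
)

# Same key and value the VBScript writes with RegWrite
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'DefaultDomainName'

function Get-DefaultLogonDomain {
    # Returns the current DefaultDomainName, or $null when it has never been set
    $item = Get-ItemProperty -Path $winlogon -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Set-DefaultLogonDomain {
    param([string]$Name)

    $current = Get-DefaultLogonDomain
    if ($current -eq $Name) {
        Write-Output "DefaultDomainName is already '$Name'; nothing to do."
        return $true
    }

    # REG_SZ, matching the string value RegWrite produces in the VBScript
    Set-ItemProperty -Path $winlogon -Name $valueName -Value $Name -Type String

    # Read back rather than trust the write: a startup script has no user to
    # watch it, so this is the only place a silent failure can be caught.
    $after = Get-DefaultLogonDomain
    if ($after -ne $Name) {
        Write-Warning "Write to $winlogon\$valueName did not take (read back '$after')."
        return $false
    }

    Write-Output "DefaultDomainName changed from '$current' to '$Name'."
    return $true
}

Set-DefaultLogonDomain -Name $DomainName
```

Usage: save the file as, for example, DefaultDomain.ps1 and, in the classic Scripts tab described above, enter powershell.exe as the script name with -ExecutionPolicy Bypass -File "<path to DefaultDomain.ps1>" -DomainName TEST-DOMAIN as the parameters, since the classic tab does not launch .ps1 files directly (the "PowerShell Scripts" tab exists only in the 2008 R2 and later editor). The same timing caveat as the VBScript applies: the value is written at startup, so a user who presses CTRL+ALT+DEL before the script finishes still sees the old default.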

Just how well does the script work? It works well, but there is one little flaw. If the user hits CTRL+ALT+DEL to log on as soon as the machine completes booting, the script will not have had time to set the default domain yet. This should generally not present much of an issue unless the systems use sandboxing software such as SteadyState that undoes session changes upon restart, in which case the value is lost again on every reboot.

Nonetheless, this can help reduce at least some of those calls by users trying to log on to the wrong domain.

  1. Kris Deen
    October 4, 2010 at 7:06 pm

    This could also save precious seconds to log in. A fraction of a second over many times is a lot of seconds.

  2. October 15, 2010 at 5:38 pm

    I can really use this. I often do maintenance on users' machines and have to remember to log in once as that user when I'm done. If I don't, they won't know to change the domain back and I always get a call from them saying "I can't log in!".

    Now if there was a way to change their username back so it doesn’t show “administrator”, that would be even better, since some users don’t even remember their username.

  3. tim lillis
    May 3, 2011 at 9:09 am

    I had to change the " as the copy and paste had weird characters, but otherwise it worked great. Also if you are doing this on an x64 server you will need to add this line:

    oWshShell.RegWrite "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", sDomName

    I also added the: on error resume next and put both the x64 and 32 bit line in there

  4. Bob Dylan
    July 28, 2011 at 7:04 am

    Why bother with the variable? It's only used once, so it seems a bit pointless defining it; typical Microsoft, adding bloat to scripts that isn't needed.

    Why not just execute: oWshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", ""

  5. Bob Dylan
    July 28, 2011 at 7:05 am

    Hmm, what I put in the quotes got deleted. It should say:

    oWshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "COMPUTERNAMEHERE"
