Set default logon domain via Group Policy
How many of us have had a call that someone could not log on to their computer, only to find that they were trying to log on to the local machine instead of the domain? Worse yet, what if you have a forest with multiple domains?
Server 2008 and Windows Vista, Windows 7
If you are the lucky administrator of a Windows 2008 or 2008 R2 Active Directory with only Windows Vista and Windows 7 clients, then your job is easy. There is a group policy under Computer Configuration\Administrative Templates\System\Logon called "Assign a default domain for logon". Enable this policy, enter your domain's name and you are finished.
Server 2003 and Windows XP
However, what if you are one of the many who still run an older version of Active Directory or happen to have tens, hundreds or thousands of those faithful Windows XP clients operating? You will need to create a script and set it in the machine startup scripts of your Group Policy Object (GPO).
Let us examine the following script courtesy of Microsoft’s Knowledge Base Article 555050:
' Startup script from KB 555050: sets the domain shown by default in the logon dialog
Set oWshShell = CreateObject("WScript.Shell")
' NETBIOS name of your domain; replace TEST-DOMAIN with your own
sDomName = "TEST-DOMAIN"
oWshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", sDomName
Create this script in notepad and save it with a .vbs extension, for example DefaultDomainScript.vbs.
- sDomName is just a variable that holds your domain's NETBIOS name, which in this case is TEST-DOMAIN. Change this to whatever your domain name actually is.
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName is the registry value (under the Winlogon key) on the client machine that we want to set. Winlogon reads it to pre-fill the domain in the logon dialog, and the script sets it to the value of sDomName.
Now you need to open the Group Policy Management Editor of one of your Domain Controllers and choose to edit or create a Group Policy Object that applies to the Organizational Unit (OU) containing those computers you want to affect. If for some reason you have not organized your domain into OUs or you want to affect every single PC on your domain, then edit the Default Domain Policy.
Expand Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown) and double click on Startup. Under the Scripts tab, click on “Add…” and then “Browse…”. You will be provided with a dialog box. Copy and paste the startup script you created into the dialog box and open it. You do not need to provide any parameters in the second text entry box.
That’s it! Your clients will use the script at their next restart. Microsoft’s article suggests running GPUPDATE on a domain controller as well, but I have personally found this step not really necessary as the changes tend to propagate quickly enough on their own.
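As an added example (not from the original post or from KB 555050), here is a PowerShell equivalent of the startup script that only writes DefaultDomainName when it differs, reads the value back to confirm the write actually took, and records the outcome in a log file so a helpdesk can see which machines never got the setting. It assumes the page's placeholder NETBIOS name TEST-DOMAIN, that PowerShell is installed on the client (on Windows XP that means PowerShell 2.0, which is why the post's VBScript remains the portable choice), that the script runs as a GPO computer startup script (LocalSystem, so HKLM is writable), and a log path under ProgramData that is an arbitrary choice.

```powershell
# Added example, not the original post's script: set-and-verify DefaultDomainName.
$ExpectedDomain = 'TEST-DOMAIN'   # placeholder from the post; use your domain's NETBIOS name
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName      = 'DefaultDomainName'
$LogFile        = Join-Path $env:ProgramData 'DefaultDomainScript.log'   # assumed location

function Get-DefaultLogonDomain {
    # Returns the current DefaultDomainName string, or $null when the value is absent.
    $props = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [string]$props.$ValueName
}

function Set-DefaultLogonDomain {
    param([Parameter(Mandatory = $true)][string]$Domain)
    # Idempotent: only touch the registry when the value is missing or wrong.
    if ((Get-DefaultLogonDomain) -eq $Domain) { return 'unchanged' }
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $Domain -Type String
    # Read back so a silent failure (e.g. write denied) shows up in the log rather than as a user call.
    if ((Get-DefaultLogonDomain) -eq $Domain) { return 'updated' }
    return 'failed'
}

function Test-DefaultLogonDomain {
    param([Parameter(Mandatory = $true)][string]$Domain)
    # Audit helper: report whether this machine is already pointed at the right domain.
    $current = Get-DefaultLogonDomain
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Expected     = $Domain
        Current      = $current
        Compliant    = ($current -eq $Domain)
    }
}

# Startup-script entry point: apply, then append one line per boot to the log.
$result = Set-DefaultLogonDomain -Domain $ExpectedDomain
$line = '{0:u} {1} DefaultDomainName={2} result={3}' -f (Get-Date), $env:COMPUTERNAME, (Get-DefaultLogonDomain), $result
Add-Content -Path $LogFile -Value $line
if ($result -eq 'failed') { exit 1 }
```

Test-DefaultLogonDomain can be run on its own (for example from a logon script or an interactive session) to check a machine without changing anything.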
Just how well does the script work? It works well, but there is one little flaw. If the user hits CTRL+ALT+DEL to log on as soon as the machine completes booting, the script will not yet have had time to set the default domain. This should generally not present much of an issue unless the systems use sandboxing software such as SteadyState that undoes session changes upon restart, in which case the value is discarded and has to be rewritten on every boot.
Nonetheless, this can help reduce at least some of those calls by users trying to log on to the wrong domain.