How to "hide" trusted domain in logon dropdown domain box in a 2-way transitive forest trust

    Question

  • Hello, we need to set up a 2-way transitive forest trust between domain1.com and domain2.com.  If we enable selective authentication over a forest trust per:

    http://technet.microsoft.com/en-us/library/cc758152(WS.10).aspx

    Can I be certain users in domain1 will not see the domain2 option when logging into their computers?  If I understand this correctly, the only systems which would have multiple domains listed are servers on which we explicitly allow groups authenticate permissions per http://technet.microsoft.com/en-us/library/cc738653(WS.10).aspx

    Can you please confirm?  We need the ability to only have users see their current/native domain when logging into their systems on 99% of all computers in both environments.  Please advise.

    Thanks,
    Jeremy
    Monday, July 20, 2009 11:54 PM

Answers

  • Hi,

    Thank you for posting here.

    Generally speaking, there is no built-in feature to hide some of trusted domains from the logon dropdown box.

    Additional to Marcin’s suggestions, there is another workaround:

    Trusted Domains Do Not Appear in the Available List for Domain Logon or Setting Security Permissions
    http://support.microsoft.com/kb/310611

    Please try to remove SYSTEM and Administrator from Netlogon.ftl’s permission or deny them.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, July 21, 2009 7:54 AM
    Moderator

All replies

  • Hello,

    You cannot remove trusted domains from the drop-down menu. And even if you hide the complete list and set the default logon domain in the registry for the machines, if the user knows the UPN logon, it will be possible to use the trusted domain.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, July 21, 2009 12:00 AM
  • Jeremy,
    with the native functionality, the best you can do is to hide domain listbox altogether and convince your users to use their UPN to log on (good luck with that). For more info, refer to http://technet.microsoft.com/en-us/library/bb742447.aspx (NoDomainUI option in the Disabling Domain Option of Logon Dialog Box section).
    Another option would be to develop your own custom implementation of GINA - although I don't see any significant advantage of doing so...

    hth
    Marcin

    Tuesday, July 21, 2009 12:28 AM
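The NoDomainUI workaround Marcin points to, written out as an added PowerShell example (this is not code from the thread or from the linked TechNet article). The key path and value names are taken from memory of the Winlogon registry entries, not from this page, so verify them against the linked article before deploying; the domain name DOMAIN1 is a placeholder.

```powershell
# Added example (not from the thread): hide the whole domain listbox on a
# workstation and make plain "username" logons resolve to the native domain.
# Assumptions (from memory, not stated on the page):
#   - Key:   HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
#   - Value: NoDomainUI        (REG_DWORD, 1 = hide the domain listbox)
#   - Value: DefaultDomainName (REG_SZ, domain assumed when none is typed)
# Run elevated on the workstation, or push the same values by Group Policy.

$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$nativeDomain = 'DOMAIN1'   # NetBIOS name of this machine's own domain (placeholder)

function Set-HiddenDomainLogon {
    param(
        [Parameter(Mandatory)][string]$DefaultDomain,
        [string]$Key = $winlogon
    )
    # There is no per-domain hide switch; the only option is to hide the list.
    Set-ItemProperty -Path $Key -Name 'NoDomainUI' -Value 1 -Type DWord
    # Users who type only "username" are logged on to the native domain.
    Set-ItemProperty -Path $Key -Name 'DefaultDomainName' -Value $DefaultDomain -Type String
}

function Test-HiddenDomainLogon {
    param([string]$Key = $winlogon)
    # Read the values back so the change can be audited from a script.
    $p = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        NoDomainUI        = $p.NoDomainUI
        DefaultDomainName = $p.DefaultDomainName
        ListboxHidden     = ($p.NoDomainUI -eq 1)
    }
}

Set-HiddenDomainLogon -DefaultDomain $nativeDomain
Test-HiddenDomainLogon | Format-List
```

This is a cosmetic change, not a security boundary: as Meinolf notes above, a user who types user@domain2.com still authenticates against the trusted domain. What actually limits cross-forest logon is selective authentication and the Allowed to Authenticate permission on the resource computers, which the question's TechNet links describe.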