You will have to restrict their ability from logging on to their computers using a local computer account. A user can have a local logon profile and a domain profile. When they log on to the local computer they would use the local computer profile and not a domain profile. When you restrict their ability to logon locally, the user’s computer profile will no longer be used, so ANYTHING that they have in this profile, like favorites, documents stored locally, Outlook’s auto fill (NK2 file) will not be available to them. So you want to ensure that you move these types of data to their new domain profile. You can use Microsoft,s Windows Easy Transfer. But, forcing them to logon with a domain account is what you should implement. If they need to logon to their computer when not connected to the domain, they will still have that ability by the use of cached credentials.