Aaron_Denton

Customize Windows Vista Lock screen

I need to make a customization to the logon screen you see after the screen has been locked.  I've changed a setting in the machine's local security policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked

I have that set to User display name only.  My goal was to hide the domain name.

When I press CTRL+ALT+DEL to logon I then have to type in my username and password to logon.

This is annoying to users and I'm hoping somebody knows how I can add an option for that setting to allow me to hide the domain name at the locked screen but still have the username filled in automatically for the user when they press CTRL+ALT+DEL to unlock the screen.

NJComputerNetworks

What happens when you use UPN instead of classic domain\username when you logon?

Maybe you can instruct the users to logon this way...

user@something.com

Aaron_Denton

ASKER

Users are currently logging in using UPN.
http://technet.microsoft.com/en-us/library/cc739093(WS.10).aspx

For example, if your organization uses a deep domain tree, organized by department and region, domain names can get quite long. The default user UPN for a user in that domain might be sales.westcoast.microsoft.com. The logon name for a user in that domain would be user@sales.westcoast.microsoft.com. Creating a UPN suffix of "microsoft" would allow that same user to log on using the much simpler logon name of user@microsoft. For more information about user accounts, see User and computer accounts and Object names.

So, you could change the UPN to something different if you like...
My problem is not the username.

The problem is that when unlocking a screen the user is forced to retype the username when the Local Security setting is set to only display User Display Name.

Even using UPN logons the locked screen logon will display the Win2k compatible domain name.  I need to hide that.
Using UPN you can't hide the ...@something.com  <--- the last part.
Oh... I think I understand what you are saying...

You want... after you lock workstation... the user name should be hidden?

Q: Our Windows computers display logged on users' names and domain when their console is locked. Because of our very strict security requirements, our systems aren't supposed to reveal this information. Is there a way to disable this setting?

A: Yes, you can disable this setting on users' computers via Group Policy. On a Windows Server 2003 system, open the Microsoft Management Console (MMC) Group Policy editor (GPE) snap-in, navigate to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, and double-click Interactive Logon: Display user information when the session is locked. Then select Do not display user information and click OK. Now the users' computers won't display any information about the current user when the console is locked. Given your security policy, you should also enable the Interactive logon: Do not display last user name option, which you'll find in the same folder. Enabling this policy will prevent Windows from displaying the logon name of the last user in the Logon to Windows dialog box.

http://windowsitpro.com/articles/print.cfm?articleid=96922

No.

There are three options in Local Security... Interactive logon: Display user information...

1. User display name, domain and user names
2. User display name only
3. Do not display user information

With option 1, the Win2k compatible domain name is displayed (even when you use UPN to logon).  With this option the user only has to type in a password to unlock.

With option 2, Win2k compatible domain name is hidden but then the user has to type in the UPN and password to unlock.

With option 3, Win2k compatible domain name is hidden along with all other user information but then the user has to type in the UPN and password to unlock.

I want to know how to use option 2 or 3 but avoid requiring the user to type in their UPN to unlock the computer.  I need option 2 or 3 so that the Win2k compatible domain name is hidden.
Maybe on the unlock... try to tell the user to use this format...

%USERDOMAIN%\username


Let me clarify:

When I said Win2k compatible I should have said Pre-Win2k compatible.

I'm trying to hide the Pre-Win2k compatible domain name.
Found the solution for this:

In Vista or Windows 7, open Local GPO, Computer Configuration, Windows Settings, Security Options, Local Policies, Security Options, Interactive logon: Display user information when the session is locked.

This setting can be modified to only display the username or so that no user specific information is shown when the screen has been locked either by screensaver or using Windows key + L.
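
An added example, not part of the original thread: a PowerShell check that reads the registry values written by the two policies discussed above ("Display user information when the session is locked" is stored as DontDisplayLockedUserId, "Do not display last user name" as DontDisplayLastUserName) and reports the trade-off the asker describes. The function names are hypothetical, and the unlock behaviour it reports is the one stated in the thread.

```powershell
# Added example (not from the thread): report what the lock screen reveals.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# DontDisplayLockedUserId values mapped to the three options listed in the thread.
$LockedUserInfo = @{
    1 = 'User display name, domain and user names'
    2 = 'User display name only'
    3 = 'Do not display user information'
}

function Get-PolicyDword {
    param([string]$Name)
    # $null means the value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LockScreenExposure {
    $locked = Get-PolicyDword -Name 'DontDisplayLockedUserId'
    $last   = Get-PolicyDword -Name 'DontDisplayLastUserName'

    if ($null -eq $locked) {
        # No claim is made here about what the Windows default shows.
        $setting = 'Not configured (Windows default applies)'
        $showsDomain = $null
        $retype = $null
    } elseif ($LockedUserInfo.ContainsKey($locked)) {
        $setting = $LockedUserInfo[$locked]
        # Per the thread: option 1 shows the domain; options 2 and 3 hide it
        # but the user must retype the logon name to unlock.
        $showsDomain = ($locked -eq 1)
        $retype = ($locked -eq 2 -or $locked -eq 3)
    } else {
        $setting = "Value $locked (not one of the three options in the thread)"
        $showsDomain = $null
        $retype = $null
    }

    New-Object PSObject -Property @{
        Computer               = $env:COMPUTERNAME
        LockedSessionSetting   = $setting
        ShowsDomainWhenLocked  = $showsDomain
        MustRetypeNameToUnlock = $retype
        HidesLastUserName      = ($last -eq 1)
    }
}

Get-LockScreenExposure | Format-List
```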