How do I configure WIN 7 Pro to allow only one user at a time

Posted on 2012-03-30
Medium Priority
Last Modified: 2012-04-04
Hi experts,

I am beginning to think this is not possible given I have worked on it for days using the server's group policy as well as local and Local Security Policy. Add to that, paying Microsoft $259.00 to show me what I already knew didn't work.

To try to keep this concise, I will simply state what my objective is. I simply want, like it was in XP Pro on my domain, to automatically log one user out when another user logged in. When a computer had been logged off, you would be at the Windows Welcome Screen and anyone with the proper log on credentials could log in. If, however, the computer were locked, the previous user was logged on and all of his/her programs, etc. were still active.

Another user with local admin privileges could log in with their username and password as it didn't remember the last user. But, when they hit enter to log on, they were given the message that they would be logging off the other user. For our network that was a good thing.

In group policy, I enabled "Hide Entry Points For Fast User Switching." This didn't work. I then used the Local Security Policy to "Do Not Display Last User Name." Requiring CTRL + ALT + DEL didn't seem to change things either way.

In playing around with these settings, you either make it where anyone can log in no matter how the log in screen got there or some scenarios where remembering the last username allowed only that user to log in.

Anyway, no matter how I set it up, when a second user logged on, the other user continued to stay logged in as would any other user. This causes problems with backups and running the same program for two different users.

So, maybe all this info is helpful or maybe confusing. But, again, I just want WIN 7 Pro on a domain using SBS 2008 Standard to only allow one user at a time.


Question by:Bert2005
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 28

Expert Comment

ID: 37790027
"In group policy, I enabled Hide Entry Points For Fast User Switching.  This didn't work." ~ Bert2005

What did happen when you enabled that policy?  That's exactly what we are utilizing on our domain, and it effectively ensures that only one user is logged into our Windows 7 Enterprise workstations.
LVL 15

Expert Comment

ID: 37791173
When you enabled Hide Entry Points For Fast User Switching in group policy, did you either wait for the policy to update, or force the update, before checking to see if it worked?
Also, wouldn't you want this policy to be effective across the entire domain rather than just on a group within said domain?

Author Comment

ID: 37791178
I have HEPFFUS turned off (even though it shows up in RSOP), but it does not affect the clients.

When a client whether connected to the domain physically or not connected physically, Fast User Switching is turned off. You can see it greyed out in the Start Menu, and I cannot find it in Task Manager. It is not available when logging in.

The only problem is if a user is logged on and locks the computer, even with do not remember last user (which I think applies to log offs and restarts), no one can log in other than that user. That is a problem, and the other way works better.

With the setup in XP, a local admin could log in as the classic logon allowed username and password. Finally, when I allow that, a new user can log in, but the old user is still logged in, hence the problem.

Thanks Run5K. Please stick with me.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 28

Accepted Solution

Run5k earned 2000 total points
ID: 37791479
I'm always glad to help, but I think that your question's topic sentence may be accidentally misleading.  It simply says "How do I configure WIN 7 Pro to allow only one user at a time."  In face, the group policy to Hide Entry Points For Fast User Switching will achieve exactly that result.

Essentially, what you really want is more than that.  Unless I'm mistaken, you want it to work the way that Windows XP did where a person with full admin privileges can log into a locked machine and it will gracefully logoff the first person in the background.  Unfortunately, that capability doesn't exist on a Windows 7 machine.

As I said, we have a group policy implemented on our domain to Hide Entry Points For Fast User Switching.  If one of our administrators needs to log into a locked machine, they have our Help Desk team use either the native Shutdown command or the PsShutdown command to remotely reboot the machine.  It may take an extra minute, but it gets the job done smoothly.

Author Comment

ID: 37791579

Sorry for the confusion with the title of the question and thanks for your help. Your last post has been invaluable. Likely it was due to my trying diligently to get right to the point. Trust me, it was hard (for me). I certainly didn't get my question understood by Microsoft as you answered it in two posts.

I do not understand Microsoft at times. In fact, I am sure many don't. I don't know why they change a very good thing to one I think is not as good. I realize the key there is "I think." We certainly don't have a help desk (I am the help desk, and I can't change anything without remoting in while I am driving to work). So, I just have them do a hard reboot and all is well. At least I have it where log offs and restarts as well as hard reboots bring us to a log on screen which anyone can log into.

I guess my question has been answered so a diatribe is not really in order. But, it shouldn't be that difficult to allow any local admin to log in or a domain admin to provide access while not allowing two concurrent users. At least as a preference. Given the current choice, I will have to go with two users logged on at once.
LVL 28

Expert Comment

ID: 37791709

Your frustration is certainly understandable.

At the same time, we need to remember that while some functions within the Windows XP operating system seemed more convenient and aided capability, they also led to security and stability problems.  While that may not necessarily be the case in this particular scenario, Microsoft was forced to change several capabilities and lock-down both Vista & Win7 in order to build a more secure, stable operating system.  Of course their are pros & cons to doing this, but ultimately I think that the advantages outweigh the detrimental factors.  Windows 7 is a terrific operating system, and with the paradigm shift that the Windows 8 metro interface is causing I think that we will see Win7 workstations in the corporate environment for many years to come.

Author Comment

ID: 37791795
Perarduaadastra and Run5k,

Thanks Perarduaadastra.

Actually, it was across the entire domain. It was Micrososft that suggested I make a new OU with just one computer to simplify things. I have changed it back. Yes, I forced the gpupdate. Thanks.

Run5k, I agree that WIN 7 Pro is even better than XP. I agree that some things are better for some and vice versa. I do that that having only one "live" user is safer than three people logged in, but I don't have all the info. It is nice (if possible) if one has choice. For instance, you can use Hide Fast User Switching to allow only one user or you can allow it to allow more users. I can definitely see advantages of being able to switch between users as long as one logs off at the end.

Author Closing Comment

ID: 37809332
I have to give the answer to Run5k, although I was able to do more Googling and find a way to unlock the computer after applying Hide Fast User Switching. This method virtually does change the functionality back to XP  where a local admin can unlock a locked computer, the exact problem I was faced with. It also logs off the other user.

My group policy was to:

1. Allow Hide entery points to Fast User Switching
2. Do display last user name
3. Do not require CTRL + ALT + DEL (optional)

I then found this download, AdministrativeUnlock:

http://www.box.com/s/90b04b68e78e44213835  (and installed to all machines)
This resulted in this extra icon if a computer was locked shown below.

The program below seems it would give one more functionality, but I am not sure as I didn't download it. I couldn't find a trial version.


So, I was able to configure my clients the way I wanted them. If you find a hole in it, please don't tell me. :)

Thanks for the help.

Author Comment

ID: 37809336
Administrative Icon

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question