Bert2005

How do I configure WIN 7 Pro to allow only one user at a time

Hi experts,

I am beginning to think this is not possible given I have worked on it for days using the server's group policy as well as local and Local Security Policy. Add to that, paying Microsoft $259.00 to show me what I already knew didn't work.

To try to keep this concise, I will simply state what my objective is. I simply want, like it was in XP Pro on my domain, to automatically log one user out when another user logged in. When a computer had been logged off, you would be at the Windows Welcome Screen and anyone with the proper log on credentials could log in. If, however, the computer were locked, the previous user was logged on and all of his/her programs, etc. were still active.

Another user with local admin privileges could log in with their username and password as it didn't remember the last user. But, when they hit enter to log on, they were given the message that they would be logging off the other user. For our network that was a good thing.

In group policy, I enabled "Hide Entry Points For Fast User Switching." This didn't work. I then used the Local Security Policy to "Do Not Display Last User Name." Requiring CTRL + ALT + DEL didn't seem to change things either way.

In playing around with these settings, you either make it where anyone can log in no matter how the log in screen got there or some scenarios where remembering the last username allowed only that user to log in.

Anyway, no matter how I set it up, when a second user logged on, the other user continued to stay logged in as would any other user. This causes problems with backups and running the same program for two different users.

So, maybe all this info is helpful or maybe confusing. But, again, I just want WIN 7 Pro on a domain using SBS 2008 Standard to only allow one user at a time.

Thanks.

Bert
Run5k

"In group policy, I enabled Hide Entry Points For Fast User Switching.  This didn't work." ~ Bert2005

What did happen when you enabled that policy?  That's exactly what we are utilizing on our domain, and it effectively ensures that only one user is logged into our Windows 7 Enterprise workstations.
When you enabled Hide Entry Points For Fast User Switching in group policy, did you either wait for the policy to update, or force the update, before checking to see if it worked?
Also, wouldn't you want this policy to be effective across the entire domain rather than just on a group within said domain?
Bert2005

ASKER

I have HEPFFUS turned off (even though it shows up in RSOP), but it does not affect the clients.

When a client whether connected to the domain physically or not connected physically, Fast User Switching is turned off. You can see it greyed out in the Start Menu, and I cannot find it in Task Manager. It is not available when logging in.

The only problem is if a user is logged on and locks the computer, even with do not remember last user (which I think applies to log offs and restarts), no one can log in other than that user. That is a problem, and the other way works better.

With the setup in XP, a local admin could log in as the classic logon allowed username and password. Finally, when I allow that, a new user can log in, but the old user is still logged in, hence the problem.

Thanks Run5K. Please stick with me.
ASKER CERTIFIED SOLUTION
Run5k

Run5k,

Sorry for the confusion with the title of the question and thanks for your help. Your last post has been invaluable. Likely it was due to my trying diligently to get right to the point. Trust me, it was hard (for me). I certainly didn't get my question understood by Microsoft as you answered it in two posts.

I do not understand Microsoft at times. In fact, I am sure many don't. I don't know why they change a very good thing to one I think is not as good. I realize the key there is "I think." We certainly don't have a help desk (I am the help desk, and I can't change anything without remoting in while I am driving to work). So, I just have them do a hard reboot and all is well. At least I have it where log offs and restarts as well as hard reboots bring us to a log on screen which anyone can log into.

I guess my question has been answered so a diatribe is not really in order. But, it shouldn't be that difficult to allow any local admin to log in or a domain admin to provide access while not allowing two concurrent users. At least as a preference. Given the current choice, I will have to go with two users logged on at once.
Bert,

Your frustration is certainly understandable.

At the same time, we need to remember that while some functions within the Windows XP operating system seemed more convenient and aided capability, they also led to security and stability problems. While that may not necessarily be the case in this particular scenario, Microsoft was forced to change several capabilities and lock down both Vista & Win7 in order to build a more secure, stable operating system. Of course there are pros & cons to doing this, but ultimately I think that the advantages outweigh the detrimental factors. Windows 7 is a terrific operating system, and with the paradigm shift that the Windows 8 metro interface is causing I think that we will see Win7 workstations in the corporate environment for many years to come.
Perarduaadastra and Run5k,

Thanks Perarduaadastra.

Actually, it was across the entire domain. It was Microsoft that suggested I make a new OU with just one computer to simplify things. I have changed it back. Yes, I forced the gpupdate. Thanks.

Run5k, I agree that WIN 7 Pro is even better than XP. I agree that some things are better for some and vice versa. I do think that having only one "live" user is safer than three people logged in, but I don't have all the info. It is nice (if possible) if one has choice. For instance, you can use Hide Fast User Switching to allow only one user or you can allow it to allow more users. I can definitely see advantages of being able to switch between users as long as one logs off at the end.
I have to give the answer to Run5k, although I was able to do more Googling and find a way to unlock the computer after applying Hide Fast User Switching. This method virtually does change the functionality back to XP  where a local admin can unlock a locked computer, the exact problem I was faced with. It also logs off the other user.

My group policy was to:

1. Allow Hide entry points to Fast User Switching
2. Do display last user name
3. Do not require CTRL + ALT + DEL (optional)

I then found this download, AdministrativeUnlock:

http://www.box.com/s/90b04b68e78e44213835  (and installed to all machines)
 
This resulted in this extra icon if a computer was locked shown below.

The program below seems it would give one more functionality, but I am not sure as I didn't download it. I couldn't find a trial version.

http://e-motional.com/ULAdmin.htm

So, I was able to configure my clients the way I wanted them. If you find a hole in it, please don't tell me. :)

Thanks for the help.
User generated image
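
A way to check on a client whether the three settings discussed in this thread actually reached the machine, and whether an earlier user's session is still logged on. This is an added example, not code from the thread: the registry value names are the ones that back these policies, and the use of `quser.exe` to list sessions assumes it is present on the client.

```powershell
# Added example: run on the Windows 7 client being checked.
# Written for PowerShell 2.0, the version that ships with Windows 7.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value -> policy it backs. A value of 1 means the policy is enabled.
$policies = @{
    'HideFastUserSwitching'   = 'Hide entry points for Fast User Switching'
    'DontDisplayLastUserName' = 'Interactive logon: Do not display last user name'
    'DisableCAD'              = 'Interactive logon: Do not require CTRL+ALT+DEL'
}

function Get-LogonPolicyState {
    foreach ($name in $policies.Keys) {
        # A missing key or missing value both come back as $null.
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item -eq $null)       { $state = 'Not configured' }
        elseif ($item.$name -eq 1) { $state = 'Enabled' }
        else                       { $state = 'Disabled' }
        New-Object PSObject -Property @{
            Policy = $policies[$name]; Value = $name; State = $state
        }
    }
}

function Get-LoggedOnSession {
    # quser prints a header line followed by one line per session, including
    # disconnected sessions left behind when another user logs on.
    $out = @(quser 2>$null)
    if ($out.Count -le 1) { return @() }
    $out[1..($out.Count - 1)] | ForEach-Object { $_.Trim() }
}

Get-LogonPolicyState | Format-Table Policy, Value, State -AutoSize

$sessions = @(Get-LoggedOnSession)
"Sessions on this machine: $($sessions.Count)"
$sessions
if ($sessions.Count -gt 1) {
    Write-Warning 'More than one user session exists; an earlier user is still logged on.'
}
```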