How do I configure WIN 7 Pro to allow only one user at a time

Hi experts,

I am beginning to think this is not possible given I have worked on it for days using the server's group policy as well as local and Local Security Policy. Add to that, paying Microsoft $259.00 to show me what I already knew didn't work.

To try to keep this concise, I will simply state what my objective is. I simply want, like it was in XP Pro on my domain, to automatically log one user out when another user logged in. When a computer had been logged off, you would be at the Windows Welcome Screen and anyone with the proper log on credentials could log in. If, however, the computer were locked, the previous user was logged on and all of his/her programs, etc. were still active.

Another user with local admin privileges could log in with their username and password as it didn't remember the last user. But, when they hit enter to log on, they were given the message that they would be logging off the other user. For our network that was a good thing.

In group policy, I enabled "Hide Entry Points For Fast User Switching." This didn't work. I then used the Local Security Policy to "Do Not Display Last User Name." Requiring CTRL + ALT + DEL didn't seem to change things either way.

In playing around with these settings, you either make it where anyone can log in no matter how the log in screen got there or some scenarios where remembering the last username allowed only that user to log in.

Anyway, no matter how I set it up, when a second user logged on, the other user continued to stay logged in as would any other user. This causes problems with backups and running the same program for two different users.

So, maybe all this info is helpful or maybe confusing. But, again, I just want WIN 7 Pro on a domain using SBS 2008 Standard to only allow one user at a time.


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

"In group policy, I enabled Hide Entry Points For Fast User Switching.  This didn't work." ~ Bert2005

What did happen when you enabled that policy?  That's exactly what we are utilizing on our domain, and it effectively ensures that only one user is logged into our Windows 7 Enterprise workstations.
When you enabled Hide Entry Points For Fast User Switching in group policy, did you either wait for the policy to update, or force the update, before checking to see if it worked?
Also, wouldn't you want this policy to be effective across the entire domain rather than just on a group within said domain?
Bert2005Author Commented:
I have HEPFFUS turned off (even though it shows up in RSOP), but it does not affect the clients.

When a client whether connected to the domain physically or not connected physically, Fast User Switching is turned off. You can see it greyed out in the Start Menu, and I cannot find it in Task Manager. It is not available when logging in.

The only problem is if a user is logged on and locks the computer, even with do not remember last user (which I think applies to log offs and restarts), no one can log in other than that user. That is a problem, and the other way works better.

With the setup in XP, a local admin could log in as the classic logon allowed username and password. Finally, when I allow that, a new user can log in, but the old user is still logged in, hence the problem.

Thanks Run5K. Please stick with me.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

I'm always glad to help, but I think that your question's topic sentence may be accidentally misleading.  It simply says "How do I configure WIN 7 Pro to allow only one user at a time."  In face, the group policy to Hide Entry Points For Fast User Switching will achieve exactly that result.

Essentially, what you really want is more than that.  Unless I'm mistaken, you want it to work the way that Windows XP did where a person with full admin privileges can log into a locked machine and it will gracefully logoff the first person in the background.  Unfortunately, that capability doesn't exist on a Windows 7 machine.

As I said, we have a group policy implemented on our domain to Hide Entry Points For Fast User Switching.  If one of our administrators needs to log into a locked machine, they have our Help Desk team use either the native Shutdown command or the PsShutdown command to remotely reboot the machine.  It may take an extra minute, but it gets the job done smoothly.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bert2005Author Commented:

Sorry for the confusion with the title of the question and thanks for your help. Your last post has been invaluable. Likely it was due to my trying diligently to get right to the point. Trust me, it was hard (for me). I certainly didn't get my question understood by Microsoft as you answered it in two posts.

I do not understand Microsoft at times. In fact, I am sure many don't. I don't know why they change a very good thing to one I think is not as good. I realize the key there is "I think." We certainly don't have a help desk (I am the help desk, and I can't change anything without remoting in while I am driving to work). So, I just have them do a hard reboot and all is well. At least I have it where log offs and restarts as well as hard reboots bring us to a log on screen which anyone can log into.

I guess my question has been answered so a diatribe is not really in order. But, it shouldn't be that difficult to allow any local admin to log in or a domain admin to provide access while not allowing two concurrent users. At least as a preference. Given the current choice, I will have to go with two users logged on at once.

Your frustration is certainly understandable.

At the same time, we need to remember that while some functions within the Windows XP operating system seemed more convenient and aided capability, they also led to security and stability problems.  While that may not necessarily be the case in this particular scenario, Microsoft was forced to change several capabilities and lock-down both Vista & Win7 in order to build a more secure, stable operating system.  Of course their are pros & cons to doing this, but ultimately I think that the advantages outweigh the detrimental factors.  Windows 7 is a terrific operating system, and with the paradigm shift that the Windows 8 metro interface is causing I think that we will see Win7 workstations in the corporate environment for many years to come.
Bert2005Author Commented:
Perarduaadastra and Run5k,

Thanks Perarduaadastra.

Actually, it was across the entire domain. It was Micrososft that suggested I make a new OU with just one computer to simplify things. I have changed it back. Yes, I forced the gpupdate. Thanks.

Run5k, I agree that WIN 7 Pro is even better than XP. I agree that some things are better for some and vice versa. I do that that having only one "live" user is safer than three people logged in, but I don't have all the info. It is nice (if possible) if one has choice. For instance, you can use Hide Fast User Switching to allow only one user or you can allow it to allow more users. I can definitely see advantages of being able to switch between users as long as one logs off at the end.
Bert2005Author Commented:
I have to give the answer to Run5k, although I was able to do more Googling and find a way to unlock the computer after applying Hide Fast User Switching. This method virtually does change the functionality back to XP  where a local admin can unlock a locked computer, the exact problem I was faced with. It also logs off the other user.

My group policy was to:

1. Allow Hide entery points to Fast User Switching
2. Do display last user name
3. Do not require CTRL + ALT + DEL (optional)

I then found this download, AdministrativeUnlock:  (and installed to all machines)
This resulted in this extra icon if a computer was locked shown below.

The program below seems it would give one more functionality, but I am not sure as I didn't download it. I couldn't find a trial version.

So, I was able to configure my clients the way I wanted them. If you find a hole in it, please don't tell me. :)

Thanks for the help.
Bert2005Author Commented:
Administrative Icon
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.