How do I configure WIN 7 Pro to allow only one user at a time

Posted on 2012-03-30
Medium Priority
Last Modified: 2012-04-04
Hi experts,

I am beginning to think this is not possible given I have worked on it for days using the server's group policy as well as local and Local Security Policy. Add to that, paying Microsoft $259.00 to show me what I already knew didn't work.

To try to keep this concise, I will simply state what my objective is. I simply want, like it was in XP Pro on my domain, to automatically log one user out when another user logged in. When a computer had been logged off, you would be at the Windows Welcome Screen and anyone with the proper log on credentials could log in. If, however, the computer were locked, the previous user was logged on and all of his/her programs, etc. were still active.

Another user with local admin privileges could log in with their username and password as it didn't remember the last user. But, when they hit enter to log on, they were given the message that they would be logging off the other user. For our network that was a good thing.

In group policy, I enabled "Hide Entry Points For Fast User Switching." This didn't work. I then used the Local Security Policy to "Do Not Display Last User Name." Requiring CTRL + ALT + DEL didn't seem to change things either way.

In playing around with these settings, you either make it where anyone can log in no matter how the log in screen got there or some scenarios where remembering the last username allowed only that user to log in.

Anyway, no matter how I set it up, when a second user logged on, the other user continued to stay logged in as would any other user. This causes problems with backups and running the same program for two different users.

So, maybe all this info is helpful or maybe confusing. But, again, I just want WIN 7 Pro on a domain using SBS 2008 Standard to only allow one user at a time.


Question by:Bert2005
  • 5
  • 3
LVL 28

Expert Comment

ID: 37790027
"In group policy, I enabled Hide Entry Points For Fast User Switching.  This didn't work." ~ Bert2005

What did happen when you enabled that policy?  That's exactly what we are utilizing on our domain, and it effectively ensures that only one user is logged into our Windows 7 Enterprise workstations.
LVL 15

Expert Comment

ID: 37791173
When you enabled Hide Entry Points For Fast User Switching in group policy, did you either wait for the policy to update, or force the update, before checking to see if it worked?
Also, wouldn't you want this policy to be effective across the entire domain rather than just on a group within said domain?

Author Comment

ID: 37791178
I have HEPFFUS turned off (even though it shows up in RSOP), but it does not affect the clients.

When a client whether connected to the domain physically or not connected physically, Fast User Switching is turned off. You can see it greyed out in the Start Menu, and I cannot find it in Task Manager. It is not available when logging in.

The only problem is if a user is logged on and locks the computer, even with do not remember last user (which I think applies to log offs and restarts), no one can log in other than that user. That is a problem, and the other way works better.

With the setup in XP, a local admin could log in as the classic logon allowed username and password. Finally, when I allow that, a new user can log in, but the old user is still logged in, hence the problem.

Thanks Run5K. Please stick with me.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 28

Accepted Solution

Run5k earned 2000 total points
ID: 37791479
I'm always glad to help, but I think that your question's topic sentence may be accidentally misleading.  It simply says "How do I configure WIN 7 Pro to allow only one user at a time."  In face, the group policy to Hide Entry Points For Fast User Switching will achieve exactly that result.

Essentially, what you really want is more than that.  Unless I'm mistaken, you want it to work the way that Windows XP did where a person with full admin privileges can log into a locked machine and it will gracefully logoff the first person in the background.  Unfortunately, that capability doesn't exist on a Windows 7 machine.

As I said, we have a group policy implemented on our domain to Hide Entry Points For Fast User Switching.  If one of our administrators needs to log into a locked machine, they have our Help Desk team use either the native Shutdown command or the PsShutdown command to remotely reboot the machine.  It may take an extra minute, but it gets the job done smoothly.

Author Comment

ID: 37791579

Sorry for the confusion with the title of the question and thanks for your help. Your last post has been invaluable. Likely it was due to my trying diligently to get right to the point. Trust me, it was hard (for me). I certainly didn't get my question understood by Microsoft as you answered it in two posts.

I do not understand Microsoft at times. In fact, I am sure many don't. I don't know why they change a very good thing to one I think is not as good. I realize the key there is "I think." We certainly don't have a help desk (I am the help desk, and I can't change anything without remoting in while I am driving to work). So, I just have them do a hard reboot and all is well. At least I have it where log offs and restarts as well as hard reboots bring us to a log on screen which anyone can log into.

I guess my question has been answered so a diatribe is not really in order. But, it shouldn't be that difficult to allow any local admin to log in or a domain admin to provide access while not allowing two concurrent users. At least as a preference. Given the current choice, I will have to go with two users logged on at once.
LVL 28

Expert Comment

ID: 37791709

Your frustration is certainly understandable.

At the same time, we need to remember that while some functions within the Windows XP operating system seemed more convenient and aided capability, they also led to security and stability problems.  While that may not necessarily be the case in this particular scenario, Microsoft was forced to change several capabilities and lock-down both Vista & Win7 in order to build a more secure, stable operating system.  Of course their are pros & cons to doing this, but ultimately I think that the advantages outweigh the detrimental factors.  Windows 7 is a terrific operating system, and with the paradigm shift that the Windows 8 metro interface is causing I think that we will see Win7 workstations in the corporate environment for many years to come.

Author Comment

ID: 37791795
Perarduaadastra and Run5k,

Thanks Perarduaadastra.

Actually, it was across the entire domain. It was Micrososft that suggested I make a new OU with just one computer to simplify things. I have changed it back. Yes, I forced the gpupdate. Thanks.

Run5k, I agree that WIN 7 Pro is even better than XP. I agree that some things are better for some and vice versa. I do that that having only one "live" user is safer than three people logged in, but I don't have all the info. It is nice (if possible) if one has choice. For instance, you can use Hide Fast User Switching to allow only one user or you can allow it to allow more users. I can definitely see advantages of being able to switch between users as long as one logs off at the end.

Author Closing Comment

ID: 37809332
I have to give the answer to Run5k, although I was able to do more Googling and find a way to unlock the computer after applying Hide Fast User Switching. This method virtually does change the functionality back to XP  where a local admin can unlock a locked computer, the exact problem I was faced with. It also logs off the other user.

My group policy was to:

1. Allow Hide entery points to Fast User Switching
2. Do display last user name
3. Do not require CTRL + ALT + DEL (optional)

I then found this download, AdministrativeUnlock:

http://www.box.com/s/90b04b68e78e44213835  (and installed to all machines)
This resulted in this extra icon if a computer was locked shown below.

The program below seems it would give one more functionality, but I am not sure as I didn't download it. I couldn't find a trial version.


So, I was able to configure my clients the way I wanted them. If you find a hole in it, please don't tell me. :)

Thanks for the help.

Author Comment

ID: 37809336
Administrative Icon

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Assume you have an outside contractor who comes in seasonally or once a week to do some work in your office, but you only want to give him access to the programs and files he needs and keep all other documents and programs private. Can you do this o…
Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question