Stop users from switching user, and using auto log in

Posted on 2014-12-17
Last Modified: 2014-12-19
I have a script to enable auto login with the machine's user name and password that is needed for the auto login.
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d "domain" /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "username" /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "password" /f

In addition I have a GPO set to only show one user. Users being users, they always find a way to "mess things up".
My first issue is the script somehow gets changed in the registry and I have to re-run it. My 2nd issue is - I need a way to prevent the user from logging in with their own user name and pw to the local machine. I can't disallow them because I'm using single sign on and if I disable the user from logging into the machine Single Sign doesn't work for them. Is there a way to stop the "Other" user or switching user in the registry or from a GPO? This is really becoming an issue because of settings for the particular account that needs to be logged in. My goal is to only have 1 account login to the PC - the generic account and have my single sign on above it.
Question by:WellingtonIS
13 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40504579
To disable the Switch user feature, enable the Hide entry points for Fast User Switching setting in Group Policy which can be found in Computer Configuration > Administrative Templates > System > Logon

Alternatively you can deploy the following registry key if you're more comfortable with this method:
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f

One issue I can see is that users will still have the ability to log off which will then allow them to attempt to log in with their own account. To prevent this we can look at removing Log off from the Start menu entirely. Steps to do this can be found here: http://technet.microsoft.com/en-us/library/cc940397.aspx

You'll need to provide more info as to how the script with the registry keys runs. Is it a login script defined through GPO or via the Profile tab in Active Directory Users and Computers?
0
 

Author Comment

by:WellingtonIS
ID: 40504582
I deploy the script with PSexec. When this was originally set up I didn't realize that the settings in the registry would somehow change. I thought when I changed the registry it would 'stay' changed.
I will check out what you suggested and hopefully this will help. Thanks.
Also, they need the ability to get out of Single sign on and get in with different user accounts. I will test your info and get back to you.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40504643
"Also, they need the ability to get out of Single sign on and get in with different user accounts."

Then they need either fast user switching OR logoff

You seem to have conflicting goals here
0

Author Comment

by:WellingtonIS
ID: 40504669
Actually not. If they hit ctrl- and left arrow it works. I tried with a user name and pw on a test machine. The idea is not to have them log off the actual PC. For now I have it running on only one machine so we'll see how that works out. But it seems that the solution provided by VB ITS is working for now. I'll give it a day before I accept it as a solution. I want to try in the "real world"...
0
 

Author Comment

by:WellingtonIS
ID: 40504717
OK update.  That worked but it doesn't prevent the user from hitting ctrl-alt-del and logging off.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40504727
Ah forgot about that. You can remove that using Group Policy as well:

User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > enable the Remove Logoff setting
0
 

Author Comment

by:WellingtonIS
ID: 40504732
Yes I just saw that.  Thx.  Boy sometimes you really have to get creative around users! They just don't understand! Thanks much.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 40506134
Hi.

"the script somehow gets changed in the registry" - the regkeys listed cannot be changed without being administrator. Are your users admins? If they are not, set up registry key auditing (in the properties of those regkeys on the security tab, there's an advanced button) to see who changes them.
0
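
The registry auditing recommended in the comment above can also be configured from an elevated PowerShell prompt rather than through the key's Security tab. This is an added example, not part of the original thread; it assumes an English-language system (for the auditpol subcategory name) and PowerShell 3.0 or later, and `Get-WinlogonChange` is a hypothetical helper name.

```powershell
# Added example: run in an elevated PowerShell session on the affected PC.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$watched = 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword'

# 1. Turn on success auditing for the Registry subcategory
#    (subcategory name as it appears on an English-language system).
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add an audit (SACL) entry on the Winlogon key that logs every successful
#    value write or delete by anyone. S-1-1-0 is the well-known Everyone SID.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Once the autologon values have been lost again, list what changed them.
#    Security event 4657 = "A registry value was modified".
function Get-WinlogonChange {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }

            $onKey = $data['ObjectName'] -like '*\CurrentVersion\Winlogon'
            if ($onKey -and ($watched -contains $data['ObjectValueName'])) {
                # The event stores the new data in clear text, so it is
                # not echoed for DefaultPassword.
                $shown = if ($data['ObjectValueName'] -eq 'DefaultPassword') { '(hidden)' }
                         else { $data['NewValue'] }
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    Value     = $data['ObjectValueName']
                    NewValue  = $shown
                    Account   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Process   = $data['ProcessName']
                }
            }
        }
}

Get-WinlogonChange | Sort-Object Time | Format-Table -AutoSize
```

The Account and Process columns identify the user context and executable that rewrote or deleted the value, which is the information the auditing suggestion is meant to surface.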
 

Author Comment

by:WellingtonIS
ID: 40506888
No, but somehow when the machine gets rebooted it loses the registry setting for the autologin REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f and sometimes the user name part. I'm not sure why, but it happens. As for my other issue, it appears to be solved.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 40506951
To solve that as well, I recommended to use auditing to find out what changes it.
0
 

Author Comment

by:WellingtonIS
ID: 40506955
OK thanks will look into that.
0
 

Author Closing Comment

by:WellingtonIS
ID: 40509173
Thanks this worked well....
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40509178
Happy to help :)
0


Question has a verified solution.