Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Stop users from switching user, and using auto log in

Posted on 2014-12-17
13
Medium Priority
?
170 Views
Last Modified: 2014-12-19
I have a script to enable auto login with the machine's  user name and password that is needed for the auto login.
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d "domain /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "username" /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "password" /f

In addition I have a gpo set to only show one user.  - Users being users they always find a way to "mess things up"
My first issue is the script somehow gets changed in the registry and I have to re-run it.  My 2nd issue is - I need a way to prevent the user from logging in with there own user name and pw to the local machine.  I can't disallow them becuase I'm using single sign on and if I disable the user from loging into the machine Single Sign doesn't work for them.  Is there a way to stop the "OTher" user or switching user in the registry or from a GPO?  This is really becomming an issue because of settings for the particular account that needs to be logged in.  My goal is to only have 1 account login to the PC - the generic account and have my single sign on above it.
0
Comment
Question by:WellingtonIS
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40504579
To disable the Switch user feature, enable the Hide entry points for Fast User Switching setting in Group Policy which can be found in Computer Configuration > Administrative Templates > System > Logon

Alternatively you can deploy the following registry key if you're more comfortable with this method:
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f

One issue I can see is that users will still have the ability to log off which will then allow them to attempt to log in with their own account. To prevent this we can look at removing Log off from the Start menu entirely. Steps to do this can be found here: http://technet.microsoft.com/en-us/library/cc940397.aspx

You'll need to provide more info as to how the script with the registry keys runs. Is it a login script defined through GPO or via the Profile tab in Active Directory Users and Computers?
0
 

Author Comment

by:WellingtonIS
ID: 40504582
I deploy the script with PSexec. When this was origionally set up I didn't realize that the settings in the registry would somehow change.  I thought when I changed the registry it would 'stay' changed.
 I will check out what you suggested and hopefully this will help. Thanks.
Also, they need the ability to get out of Single sign on and get in with different user accounts.  I will test your info and get back to you .
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40504643
Also, they need the ability to get out of Single sign on and get in with different user accounts.

Then they need either fast user switching OR logoff

You seem to have conflicting goals here
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:WellingtonIS
ID: 40504669
Actually not.  If they  hit ctrl- and left arrow it works.  I tired with a user name and pw on a test machine.  The idea is not to have them log off the actual PC.   For now I have it running on only one machine so we'll see how that works out. But it seems that the solution provided by VB ITS is working for now.  I'll give it a day before I accept it as a solution.  I want to try in the "real world"...
0
 

Author Comment

by:WellingtonIS
ID: 40504717
OK update.  That worked but it doesn't prevent the user from hitting ctrl-alt-del and logging off.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 2000 total points
ID: 40504727
Ah forgot about that. You can remove that using Group Policy as well:

User ConfigurationAdministrative TemplatesSystem > Ctrl+Alt+Del Optionsenable the Remove Logoff setting
0
 

Author Comment

by:WellingtonIS
ID: 40504732
Yes I just saw that.  Thx.  Boy sometimes you really have to get creative around users! They just don't understand! Thanks much.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40506134
Hi.

"the script somehow gets changed in the registry" - the regkeys listed cannot be changed without being administrator. Are your users admins? I they are not, setup registry key auditing (in the properties of those regkeys on the security tab, there's an advanced button) to see who changes them.
0
 

Author Comment

by:WellingtonIS
ID: 40506888
no but somehow when the machine gets rebooted it looses the registry setting for the autologin REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f and sometimes the user name part.  I'm not sure why, but it happens.  As for my other issue it's appears to be solved.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40506951
To solve that as well, I recommended to use auditing to find out what changes it.
0
 

Author Comment

by:WellingtonIS
ID: 40506955
OK thanks will look into that.
0
 

Author Closing Comment

by:WellingtonIS
ID: 40509173
Thanks this worked well....
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40509178
Happy to help :)
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Suggested Courses

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question