Solved

Stop users from switching user, and using auto log in

Posted on 2014-12-17
13
155 Views
Last Modified: 2014-12-19
I have a script to enable auto login with the machine's  user name and password that is needed for the auto login.
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d "domain /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "username" /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "password" /f

In addition I have a gpo set to only show one user.  - Users being users they always find a way to "mess things up"
My first issue is the script somehow gets changed in the registry and I have to re-run it.  My 2nd issue is - I need a way to prevent the user from logging in with there own user name and pw to the local machine.  I can't disallow them becuase I'm using single sign on and if I disable the user from loging into the machine Single Sign doesn't work for them.  Is there a way to stop the "OTher" user or switching user in the registry or from a GPO?  This is really becomming an issue because of settings for the particular account that needs to be logged in.  My goal is to only have 1 account login to the PC - the generic account and have my single sign on above it.
0
Comment
Question by:WellingtonIS
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40504579
To disable the Switch user feature, enable the Hide entry points for Fast User Switching setting in Group Policy which can be found in Computer Configuration > Administrative Templates > System > Logon

Alternatively you can deploy the following registry key if you're more comfortable with this method:
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f

One issue I can see is that users will still have the ability to log off which will then allow them to attempt to log in with their own account. To prevent this we can look at removing Log off from the Start menu entirely. Steps to do this can be found here: http://technet.microsoft.com/en-us/library/cc940397.aspx

You'll need to provide more info as to how the script with the registry keys runs. Is it a login script defined through GPO or via the Profile tab in Active Directory Users and Computers?
0
 

Author Comment

by:WellingtonIS
ID: 40504582
I deploy the script with PSexec. When this was origionally set up I didn't realize that the settings in the registry would somehow change.  I thought when I changed the registry it would 'stay' changed.
 I will check out what you suggested and hopefully this will help. Thanks.
Also, they need the ability to get out of Single sign on and get in with different user accounts.  I will test your info and get back to you .
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40504643
Also, they need the ability to get out of Single sign on and get in with different user accounts.

Then they need either fast user switching OR logoff

You seem to have conflicting goals here
0
 

Author Comment

by:WellingtonIS
ID: 40504669
Actually not.  If they  hit ctrl- and left arrow it works.  I tired with a user name and pw on a test machine.  The idea is not to have them log off the actual PC.   For now I have it running on only one machine so we'll see how that works out. But it seems that the solution provided by VB ITS is working for now.  I'll give it a day before I accept it as a solution.  I want to try in the "real world"...
0
 

Author Comment

by:WellingtonIS
ID: 40504717
OK update.  That worked but it doesn't prevent the user from hitting ctrl-alt-del and logging off.
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40504727
Ah forgot about that. You can remove that using Group Policy as well:

User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > enable the Remove Logoff setting
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:WellingtonIS
ID: 40504732
Yes I just saw that.  Thx.  Boy sometimes you really have to get creative around users! They just don't understand! Thanks much.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40506134
Hi.

"the script somehow gets changed in the registry" - the regkeys listed cannot be changed without being administrator. Are your users admins? I they are not, setup registry key auditing (in the properties of those regkeys on the security tab, there's an advanced button) to see who changes them.
0
 

Author Comment

by:WellingtonIS
ID: 40506888
no but somehow when the machine gets rebooted it looses the registry setting for the autologin REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f and sometimes the user name part.  I'm not sure why, but it happens.  As for my other issue it's appears to be solved.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40506951
To solve that as well, I recommended to use auditing to find out what changes it.
0
 

Author Comment

by:WellingtonIS
ID: 40506955
OK thanks will look into that.
0
 

Author Closing Comment

by:WellingtonIS
ID: 40509173
Thanks this worked well....
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40509178
Happy to help :)
0

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now