Category Archives: microsoft

microsoft, MicrosoftSucksAss, sysadmin, Win10, Win11, Windows

How to Hide or Show User Accounts from Login Screen on Windows | Windows OS Hub

How to Hide or Show User Accounts from Login Screen on Windows

By default, the Windows login screen displays the account of the last user who logged on to this computer and a list of all local users. Windows allows you to hide or show the last signed-in user name, or even list all local or active domain users on the computer sign-in screen.

 

 

Contents:

 

Hide Last Signed-in Username from Windows Login Screen

Users find it convenient to see the last logged account name on the Windows Logon Screen without having to type it in manually each time.  For security reasons, you can prevent the last username from being displayed on the Windows logon screen on public computers (or other insecure locations) by using GPO:

  1. Open the domain (gpmc.msc) or local Group Policy editor (gpedit.msc) and go Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
  2. Enable the policy Interactive logon: Don’t display last signed-in. This policy is disabled by default;gpo: Interactive logon dont display last user name on windows 10 welcome screen
    You can hide the last logged username from the sign-in screen by changing the registry parameter. Go to reg key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, create a new DWORD parameter named dontdisplaylastusername with the value 1.dontdisplaylastusername registry parameter
  3. To hide the logged-in username on the lock screen (when the computer is locked by pressing Win+L or through the lock screen GPO), enable the Group Policy option “Interactive logon: Display user information when the session is locked” and set the value “Do not display user information”.windows 10 lock policy: Do not display user information
    The registry parameter DontDisplayLockedUserId in the same registry key with a value of 3 matches this policy setting.

Blank username and password fields now appear on the Windows logon and lock screens instead of the previously signed-in username.

dont display last username on login screen in windows 10

You can hide the list of users from the Windows lock screen by using the DisableBackButton registry parameter:

disablebackbutton registry parameter for winlogon

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /t REG_DWORD /f /d 0 /v DisableBackButton

To unlock the computer, the user must enter their password. To view a list of local user accounts, the user must first press the Switch User button on the lock screen.

hide local users on Windows lock screen

Show All Local Users on the Windows Sign-in Screen

By default, modern Windows builds (tested on Windows 11 23H2 and Windows 10 22H2) always show a list of enabled local users in the bottom left corner of the login screen. This only works on computers that are not joined to the Active Directory domain.  Hidden (see below) and disabled user accounts are not displayed on the sign-in screen.

showing all local users on windows 11 login screen

To log on to the computer, the user simply clicks on the required user account and enters its password.

If there is no password set for the user account (blank password), simply select a user and click the Sign-In button to automatically log on to Windows without a password.automatically sign in from windows welcome screen without password

If the list of local users is not displayed on the Windows logon screen, check the following settings in the Local GPO editor (gpedit.msc):

  • Interactive Logon: Do not display last signed-in Disabled (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options);
  • Enumerate local users on domain-joined computers = Enabled (Computer Configuration -> Administrative Templates -> System -> Logon).

local gpo: Enumerate local users on domain-joined computers

Restart your computer to apply the new Group Policy settings.

Show Logged In Domain Users on Windows Logon Screen

If more than one user is using the same computer, you can see a list of users with active sessions on the Windows sign-in screen. An active session means that the user is logged on to the computer.  This can be a shared computer (used in user switching mode), a kiosk, Windows Server hosts running the RDS role, or Windows 11/10 devices that allow multiple RDP connections).

Check that the following policies are disabled in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options:

  • Interactive logon: Don’t display last signed-in: Disabled
  • Interactive logon: Don’t display username at sign-in: Disabled

Then disable the GPO options in Computer Configuration -> Administrative Templates -> System -> Logon:

  • Block user from showing account details on sign-in: Disabled
  • Do not enumerate connected users on domain-joined computer: Disabled

gpo: • Do not enumerate connected users on domain-joined computer: Disabled

On a domain-joined computer, you can check the resulting settings of these GPO options using the rsop.msc or gpresult.

A list of logged-in users will then appear on the Windows Welcome Screen. Both active and disconnected user sessions (for example, due to RDP timeout) are displayed.

show logged domain user on windows 10 login screen

You can display Active Directory user profile photos on the Windows logon screen instead of the default user icons.

Hide Specific User Accounts from the Windows Sign-in Screen

The Windows Welcome screen always displays users who are members of one of the following local groups: AdministratorsUsersPower Users, and Guests (except the disabled user accounts).

You can hide specific users from the list on the Windows login screen through the registry. For each user you want to hide, create a DWORD parameter under the reg key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList with the username and value 0.

List all local user account names using PowerShell or cmd:

Get-LocalUser | where {$_.enabled –eq $true}

Or:

Net user

list local usernames on windows 11 with powershell

To hide a specific user account (for example, user123) from the Windows sign-in screen, run the command:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v User123

hide specific local user from login screen on windows

If you want to show the hidden user on the login screen, remove this registry entry or change its value to 1.

If the built-in Windows Administrator account is enabled, and it is not the only account with local administrator permissions on the computer (!!!), you can also hide it:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v administrator

To hide all users except the last logged-on user, set the following GPO settings in Computer Configuration -> Administrative Templates -> System -> Logon:

  • Enumerate local users on domain-joined computers = Disabled
  • Do not enumerate connected users on domain-joined computer = Enabled

Source: How to Hide or Show User Accounts from Login Screen on Windows | Windows OS Hub

microsoft, MicrosoftSucksAss, sysadmin, Win11, Windows

Win11 Setup for local account

Go through the normal installation process until you get to the sign-in screen
Press <Shift> + <F10> to open elevated command prompt

net user "YourUserName" */add
net localgroup administrators "YourUserName" / add
net user "YourUserName" /active:yes
net user "YourUserName" /expires:never
net user "Administrator" /active:no
net user "defaultUser0" /delete

Run net user to ensure that all was done properly. You should see the new user as admin account, and no default user.

Run regedit Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
Delete 3 values: DefaultAccountAction, DefaultAccountSAMName, DefaultAccountSID
Rename value LaunceUserOOBE to SkipMachineOOBE and sure value is 1. Case is important.
Exit regedit.

Reboot machine with shutdown /r /t 0

exploits, malware, microsoft, MicrosoftSucksAss, Open Source, PowerShell, Privacy, Security, surveillance, sysadmin, Win10, Win11, Windows

Welcome to Winutil Documentation!

Welcome to the official documentation for Winutil, your go-to utility for optimizing and managing your Windows environment. Whether you’re an IT professional, power user, or regular user, Winutil provides a comprehensive set of tools to enhance your Windows experience.

Source: Welcome to Winutil Documentation!

microsoft, MicrosoftSucksAss, sysadmin, Win10, Windows

How to ALWAYS show all the Icons in Notification area of Windows

Use Control Panel to show the icons

To always show all the Icons in the System Tray or Notification area of Windows 11/10, via Control Panel follow these steps:

  1. Press Win+R to open the Run prompt.
  2. Enter this value: explorer shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
  3. Tick the Always show all icons and notifications on the taskbar checkbox.
  4. Click the OK button.

Source: How to ALWAYS show all the Icons in Notification area of Windows

microsoft, MicrosoftSucksAss, Software, sysadmin, Win10, Windows

Disable the Cloud sign-in option on Office 2019

Note: Might be easier to install the admx admin templates to Group Policy Editor. See this post for more info

Office 2019 annoyingly wants you to sign in to either a domain or the cloud. It shares the same registry space as Office 2016, so the procedure is:

Preparation:

1. Note that this must be done on a per-user basis, for anyone who logins into the machine. So 2 users on the same machine = do it twice. Or if that user signs into another machine, do it again.
2. Go into one of the Office apps, go to Account, and select “Sign out” & then click Yes when prompted.

First, close all Office applications:

Word
Excel
PowerPoint
Outlook
etc.

Second, open the Registry Editor: (may need to Run As Admin)

Start > Run > regedit

Third, navigate down the tree:

HKEY_CURRENT_USER
SOFTWARE
Microsoft
Office
16.0
Common

Third, add the SignIn folder:

Right-click on the Common folder
Go to New > Key
Name it “SignIn” (without the quotes)

Fourth, add the registry key to disable the sign-in option:

Right-click on the SignIn folder
Go to New > DWORD (32-bit) VALUE
Name it “SignInOptions” (without the quotes)
Set the value to 3

Fifth, verify that it worked:

Open up Word
It should no longer have the “Sign in” button in the top bar
Under File > Account, all of the sign-in verbage should be gone

If you ever need to add it back in, just delete the SignInOptions reg key!

Source: Question – Tutorial: Disable the Cloud sign-in option on Office 2019 | AnandTech Forums: Technology, Hardware, Software, and Deals

microsoft, sysadmin, Win10, Windows

Could not authenticate to SMB share with correct creds [solved] : freenas

Could not authenticate to SMB share with correct creds [solved]

I solved this issue but wanted to share the solution.

I had set SMB permissions correctly according to this forum post and this video, but I was never able to access my SMB share.

I was able to see the server and the list of shares, but no matter what I could not actually open a share. No matter what user or group I used, each login from W10 would fail with ‘Access is Denied’ or ‘Incorrect user name or password’ or ‘Check with system admin to verify permissions’.

The first thing I wish I had known off the bat was that samba activity is logged in FreeNAS at /var/log/samba4/log.smbd. Tailing that log, it was obvious there were authentication issues. On each login attempt, I saw:

[2018/04/15 02:10:51.243374,  2] ../source3/param/loadparm.c:2787(lp_do_section)
  Processing section "[$fnstorage]"
[2018/04/15 02:10:51.245286,  2] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser
[2018/04/15 02:10:51.245752,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [msUser] -> [msUser] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/04/15 02:10:51.245837,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MicrosoftAccount]\[msUser] at [Sun, 15 Apr 2018 02:10:51.245799 PDT] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [win10-PC] remote host [remoteAddress] mapped to [MicrosoftAccount]\[msUser]. local host [hostAddress]
[2018/04/15 02:10:51.245934,  2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD

Now at first glance, what jumps out is NT_STATUS_WRONG_PASSWORD, you might think you’re just typing your password wrong. But that’s not what’s really going on– the real culprit is

ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user msUser

You may remember that NTLMv2 is the standard for SMB security, and NTLMv1 authentication is disabled by default in FreeNAS SMB shares.

I figured my PC was using NTLMv1 for some reason. A little research led me to this GPO in Group Policy:

 Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager authentication level\

Set this to Send NTLMv2 Only instead of whatever else it is. Mine was set to Use NTLMv2 if negotiated. See Microsoft’s docs for the caveats here.

I’m not sure if the value my PC was using is default, and I’m not sure if FreeNAS should actually negotiate NTLMv2, but this resolved my issue with no impact to other SMB shares on my network.