Wednesday, December 27, 2017

How can I disable the automatic login of the last active user in Windows 8.1?


I'm running Windows 8.1 Pro with two user accounts, mine being a password-protected administrator and the other being a standard user with no password.


Now, when the latter logs in, shuts the computer down, and I turn it back on, I'm not taken to the login screen — instead, Windows logs me in as the standard user again. Seems like Windows 8 will automatically log in the last active user (unless, of course, that user has a password). I'd like to always see the login screen on startup, no matter who last used the computer.


(I've had this problem before and was able to solve it, but I can't remember what I did to made it work.)


There are a plethora of suggestions on the internet, but none of them actually worked for me. Here's what I tried:



  • In netplwiz, check the "users must enter a password [...]" box

  • In regedit, change the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch\Enabled to 1 (will only work once, resets after restart)

  • In gpedit.msc, add a script to do the above that runs every time someone logs off (as described here)

  • Use the "User List Enabler" tool that does the above (appears to do what it says, but what it does doesn't work in the first place)

  • In regedit, create a key called HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn and set it to 1


By "doesn't work", I mean there's no effect at all.


I vaguely recall my previous solution having to do with lusrmgr, specifically, with removing some user from the Administrator group ... removing some user's (or group's) rights to change the UserSwitch\Enabled registry value perhaps?


I'd much appreciate any help, as this is really bugging me. I'd rather not set a password for the other account, or force logging in with Ctrl-Alt-Del, just for this reason.


Answer



Alright, I found the source that helped me solve the problem before, and I finally got it to work. :)


Here's my attempt at a definitive answer for everyone wanting to disable the auto-login in Windows 8.
For the solution that worked for me, see "preferred approach".


The easiest thing to do is to give every user a password, so they're not being logged in automatically. If they still are, you need to make entering a password mandatory: press Win+R, type netplwiz, and check the box that says "Users must enter a user name and password to use this computer".
You can also require users to press Ctrl+Alt+Del to login: in the "Advanced" tab of netplwiz, check the box that says "Require users to press Ctrl+Alt+Delete".


These two approaches are subpar for those who don't want their workflow disturbed, including me.


I learned about this from Steven's answer.


Press Win+R, type regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and change the value of the dontdisplaylastusername key to 1. The same can be achieved using a security policy (see Steven's answer for details).


This is also not ideal for everyone in that it changes the way the login screen works: you'll have to type not just your password, but also your username, when logging in.


I got this solution from a Microsoft site.


It involved opening regedit, navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and changing the value of the DisableAutomaticRestartSignOn key to 1.


It seemed to be just the answer I needed — only later did I realize, however, that it only applied to Windows Server 2012. (Which would explain why the key wasn't there in the first place, and why creating it had no effect.)


We're getting closer to my preferred method!


In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch, and change the value of the Enabled key to 1.


Now this would be the perfect solution — except the value resets every time you restart the computer, so this trick will work at most once.


Lots of sites suggest creating a script that runs during logoff and sets the value back to 1 every time. Here's how to do that:



  • Press Win+R and type gpedit.msc.

  • In the left column, navigate to "User Configuration" -> "Windows Settings" -> "Scripts (Logon/Logoff)", and double click "Logoff" on the right.

  • Click "Add..." and type the following:

    • Script Name: C:\Windows\System32\reg.exe

    • Script Parameters: add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch /v Enabled /t REG_DWORD /d 1 /f



Source: http://winaero.com/blog/how-to-disable-automatic-logon-of-last-user-in-window-8/
That same site also provides a handy tool that will do that automatically for you.


Chances are this approach will work for you. It didn't for me, however, most likely because one of the accounts on my computer is not an administrator.


This last approach was one way to set the UserSwitch\Enabled key every time you logoff. Wouldn't it be even better, though, if Windows wouldn't keep resetting it in the first place?


This is the approach I ended up using, and that finally worked for me. I learned about it in an eightforums.com post by NiFu, which was immensely helpful to me.


Here's what to do, paraphrased from that post:



  • In regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch.

  • Right click the "UserSwitch" folder and click "Permissions...".

  • Click "Advanced", then "Disable inheritance" and select "Convert inherited permission into explicit permission on this object."

  • Next to "Owner: SYSTEM", click "Change...", type Administrators in the box at the bottom, click "Check Names" to expand the name, and click "OK".

  • Check the box that says "Replace owner on subcontainers and objects".

  • Select "Administrators", click on "Edit", and make sure that "Type" is set to "Allow" and that "Full Control" is checked.

  • Select "SYSTEM", click on "Edit", set "Type" to "Deny", click "show advanced permissions", and make sure the "Set value" box is checked and all the other boxes are not. Also check the box that says "Only apply these permissions to objects and/or containers within this container".

  • Click "OK" and similar buttons until you're back to the first dialog you opened.

  • Now confirm you did things right: Click "Advanced" again, in the "Effective Access" tab, click "Select a user", type "SYSTEM", click "OK", and click "View effective access".

  • Verify that there's an X next to "Full Control" and "Set Value", and that all the other entries still have a green checkmark.


Now set the Enabled key to 1 again. This should be the last time you have to do that, as SYSTEM can no longer interfere now.
The next time you start your computer now, you should see the regular login screen with user icons and all, regardless of who last used the computer.


Phew. Hope this helps a few people who've run into similar issues. :)


No comments:

Post a Comment

hard drive - Leaving bad sectors in unformatted partition?

Laptop was acting really weird, and copy and seek times were really slow, so I decided to scan the hard drive surface. I have a couple hundr...