Question
Wednesday, October 4, 2017 5:51 AM
I have been looking into solutions to display usernames that have successfully authenticated (at least once) on a domain-joined device when the Windows Logon screen comes up.
This is currently possible with local users as their username is visible on the Windows Logon screen - concerning domain users instead, the full username needs to be typed manually every time after clicking on Other User for sign-in.
This makes it very hard to handle in an education environment where users are still learning to spell their name properly!
I am interested in finding a way to cache the username (not necessarily the password) locally once the user logs in the first time to be then displayed at the Windows Logon - ideally a number of successfully-logged-in users can be retained (e.g. 10) and subsequently made available when the Windows Logon is visible.
To add some background to the scenario, I don't have any degree of control/access on the domain controller (Azure) however the clients (Windows 10 1703 Enterprise Education) run an OEM W10 image which I can manage entirely locally (i.e. not via InTune).
Any insights would be greatly appreciated.
All replies (5)
Thursday, October 5, 2017 3:28 AM ✅ Answered | 1 vote
Hi,
Yes, that's possible.
Please confirm the following group policy configuration:
1. Type gpedit.msc into Run box, Enter.
2. Navigate to the following group policy object:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
3. Find the entry "Interactive logon: Don't display last signed-in" and "Interactive logon: Don't display username at sign in" in the right pane.
4. Configure them as "Disabled".
Besides that, you can also confirm the following group policy is not configured:
1. Type gpedit.msc into Run box, Enter.
2. Navigate to the following group policy object:
Computer Configuration\Administrative Templates\System\Logon
3. Find the entry "Block user from showing account details on sign-in" and "Do not enumerate connected users on domain-joined computer" and "Enumerate local users on domain-joined computers" in the right pane.
4. Configure "Block user from showing account details on sign-in" and "Do not enumerate connected users on domain-joined computer" as "Not configured" or "Disabled".
5. If you want to list all local user accounts, you can set "Enumerate local users on domain-joined computers" policy as "Enabled".
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
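To confirm on a client that the settings from the answer above actually took effect, the following read-only PowerShell audit can be run from an elevated prompt. It is an added example, not part of the original reply; the registry value names are the ones that back these policies and are not quoted in the thread, and treating a missing value as 0 ("Not configured") is an assumption of this script.

```powershell
# Added example: read-only audit of the sign-in screen policies named in the answer.
# Registry value names are the backing values for those policies (not quoted in the thread).
$secOpt = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$logon  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Want = 0 : the answer asks for Disabled / Not configured.
# Want = $null : optional setting, reported but not judged.
$checks = @(
    [pscustomobject]@{ Policy = "Interactive logon: Don't display last signed-in"
                       Path = $secOpt; Name = 'dontdisplaylastusername'; Want = 0 }
    [pscustomobject]@{ Policy = "Interactive logon: Don't display username at sign in"
                       Path = $secOpt; Name = 'DontDisplayUserName'; Want = 0 }
    [pscustomobject]@{ Policy = 'Block user from showing account details on sign-in'
                       Path = $logon; Name = 'BlockUserFromShowingAccountDetailsOnSignin'; Want = 0 }
    [pscustomobject]@{ Policy = 'Do not enumerate connected users on domain-joined computer'
                       Path = $logon; Name = 'DontEnumerateConnectedUsers'; Want = 0 }
    [pscustomobject]@{ Policy = 'Enumerate local users on domain-joined computers'
                       Path = $logon; Name = 'EnumerateLocalUsers'; Want = $null }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $raw = Get-PolicyValue -Path $c.Path -Name $c.Name
    # Assumption: a missing value behaves like 0 (Disabled / Not configured).
    $effective = 0
    if ($null -ne $raw) { $effective = [int]$raw }

    $shown = 'not set'
    if ($null -ne $raw) { $shown = [string]$raw }

    $status = 'optional'
    if ($null -ne $c.Want) {
        $status = 'MISMATCH'
        if ($effective -eq $c.Want) { $status = 'ok' }
    }

    [pscustomobject]@{ Policy = $c.Policy; Value = $shown; Status = $status }
}

$results | Format-Table -AutoSize -Wrap
```

A `MISMATCH` row means that policy is still hiding the user name on the sign-in screen. On a shared device, the `ok` state also means the last user name is visible to anyone at the console, which is the trade-off the question accepts.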
Thursday, October 5, 2017 6:12 AM
Karen, thank you very much - this pointed me in the right direction!
Would it be possible to display more than just the last logged in domain user in Windows Logon?
So let's say I want Windows Logon to remember the last 3 logged in users - if there is a way to do that it would be unreal!
Appreciate your help!
Thursday, October 5, 2017 8:10 AM
Hi bitswap,
No, it only displays the last user account information on the sign-in screen.
If the account didn't sign out and was just locked, it will display all these connected user account names.
Friday, October 6, 2017 3:13 AM
Thanks for your help Karen, I marked your first post as helpful answer.
Thanks again!
Wednesday, February 13, 2019 8:04 AM
As you said, I can see all the connected domain accounts. But once I switch an account, I can see the logged-in user's account, but when I tried to connect, it's telling me the credentials are invalid. I have to sign in through Other user. What might be the cause?