Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Windows 10 / How to Show/Hide All User Accounts from Login Screen in Windows 10?

August 30, 2019 Group PoliciesWindows 10

How to Show/Hide All User Accounts from Login Screen in Windows 10?

By default, the logon screen in Windows 10/8.1 and Windows Server 2016/2012 R2 displays the account of the last user who logged in to the computer (if the user password is not set, this user will be automatically logged on, even if the autologon is not enabled). However, it is possible to display all user accounts on the welcome screen in Windows 10. You can configure different behavior of this function: you can show the last logon username, hide it, or even list all local or logged domain users.

Contents:
  • How to Hide User Account from Windows Logon Screen?
  • How to Show All Local User Account on Login Screen in Windows 10?
  • Showing Logged Domain Users on Windows 10 Login Screen
  • How to Hide Specific User Account from the Sign-in Screen?

How to Hide User Account from Windows Logon Screen?

Displaying the account name on the Windows login screen is convenient for users, but reduces the computer security. An attacker who gained local access to a computer will have to pick up only a password (for this there are various ways of social engineering, brute force attacks, or a banal sticker with a password on the monitor).

You can hide the last logged user name on a Windows welcome screen through the GPO. Open the domain (gpmc.msc) or local (gpedit.msc) Group Policy editor and go to the section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Enable the policy “Interactive logon: Do not display last user name”. By default, this policy is disabled.

gpo: Interactive logon dont display last user name on windows 10 welcome screen

Also, you can hide the username on the login screen through the registry. To do this go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, create a new DWORD parameter named dontdisplaylastusername with the value 1.

dontdisplaylastusername registry parameter

Additionally, you can hide the username on a locked computer. To do this, in the same GPO section you need to enable the policy “Interactive logon: Display user information when the session is locked” and select the value “Do not display user information”.

windows 10 lock policy: Do not display user information

A registry parameter named DontDisplayLockedUserId in the same registry key with a value of 3 corresponds to this policy setting.

Now on the computer login screen and on the Windows lock screen, an empty fields for entering a username and password are displayed.

dont display last username on login screen in windows 10

How to Show All Local User Account on Login Screen in Windows 10?

In Windows 10 / 8.1, you can list all local user accounts on the welcome screen. To log in to the computer, the user just needs to click on the desired account and specify its password.

To display all local users on the Windows login screen, you need to change the value of Enabled parameter to 1 in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch. You can change this parameter through the RegEdit GUI, Reg Add cli command or Set-ItemProperty PowerShell cmdlet:

Reg Add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch /v Enabled /t REG_DWORD /d 1 /f

or

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch' -Name Enabled -Value 1

UserSwitch enabled 1

However, the Windows automatically resets the value of the Enabled parameter to 0 at each user logon. In order to always change the registry value to 1, it’s easier to create a new task in the Task Scheduler that will run at user logon.

The Scheduler task must run one of the commands shown above. You can create this task manually using the taskschd.msc graphic console. But it seems to me that it is much easier to create a Scheduler task using PowerShell. In our case, the commands to create a new task may look as follows:

$Trigger= New-ScheduledTaskTrigger -AtLogOn
$User= "NT AUTHORITY\SYSTEM"
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch -Name Enabled -Value 1"
Register-ScheduledTask -TaskName "UserSwitch_Enable" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest –Force

Register-ScheduledTask UserSwitch_Enable

Make sure that the task appeared in Windows Task Scheduler (taskschd.msc).

new scheduler task

Log off and then log on again. The task must start automatically and change the value of Enabled registry parameter to 1. Check the current value of the parameter. As you can see, it is 1:

get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch' -Name Enabled

Get-ItemProperty

After the next reboot, all local user accounts will be displayed on Windows 10/8.1 logon screen instead of the last one.

Tip. Instead of the standard user icons, you can configure the user profile photo from Active Directory to be displayed. 

show all users on Windows 10 login screen

Tip. If the task is successfully triggered, but the list of local users is not displayed, make sure if the policy Interactive Logon: Do not display last username (see Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) is disabled.

There is a separate group policy setting that makes it much easier to list local users account on the Welcome screen of the domain-joined computers. Open the GPO editor, go to the section Computer Configuration -> Administrative Templates -> System -> Logon and enable the policy “Enumerate local users on domain-joined computers”.

local gpo: Enumerate local users on domain-joined computers

Showing Logged Domain Users on Windows 10 Login Screen

If several domain users use one computer, on the welcome screen you can display a list of users who have local active/disconnected session (users will only be displayed if they are logged in, for example, when using public computers, kiosks, an RDS server or its Windows 10 analogue).

To do this, check that in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options the following policies are disabled:

  • Interactive logon: Don’t display last signed-in: Disabled
  • Interactive logon: Don’t display username at sign-in: Disabled

gpo: • Do not enumerate connected users on domain-joined computer: Disabled

Then disable the policies in the section Computer Configuration -> Administrative Templates -> System -> Logon:

  • Block user from showing account details on sign-in: Disabled
  • Do not enumerate connected users on domain-joined computer: Disabled

After that, the welcome screen will display a list of accounts with active sessions that have logged in but have been disconnected. It is enough for the user to log in once, and after that just select an account from the list and enter the password.

show logged domain user on windows 10 login screen

How to Hide Specific User Account from the Sign-in Screen?

The Windows Welcome screen displays users who are members of one of the following local groups: Administrators, Users, Power Users, Guests.

You can hide any user from the list on the Windows 10 sign-in screen by running the command:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v UserName

19 comments
4
Facebook Twitter Google + Pinterest
previous post
Managing Exchange Mailbox Inbox Rules with PowerShell
next post
How to Delegate Control and Administrator Privileges in Active Directory?

Related Reading

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

How to Shadow (Remote Control) a User’s RDP...

February 22, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

19 comments

George December 19, 2017 - 4:37 pm

Mine displays all of the accounts by default. How come?

Reply
annoyed July 30, 2018 - 11:31 pm

This is absurd. If this is actually the setting- which has taken an hour of googling to find- to show all the local users on the login screen, the fact that it has to be set and then a timed script created to keep it set is… nucking futs. What a hate joke of an OS.

Reply
Andy May 19, 2020 - 4:05 pm

I agree completely. It’s as if none of the developers considered the basics only the settings one would need to perform a hostile takeover of IBM. I’ve been chasing a way for days to login as any other user in Windows 10. There’s no way to switch users and no solution anywhere. Ask Microsoft? Their response is “There’s no way to switch users in Windows 10? Have you tried logging out?” (Almost took a hostage.)

Reply
GIRARD Thibault September 7, 2018 - 8:41 am

Arf! This is not about local account, but this tuto is about domain account. When you have severals doamain users on the same domain computer, its interresting to show all users account on the start menu.
By default, they have to choose “other user” and type both their ID and password. So with this method, they just have to click on appropriate username and type password.

Reply
GIRARD Thibault September 7, 2018 - 11:25 am

For information, this doesn’t work. Scheduled task is working on all users, the reg value switch from 0 to 1 at startup for all users but on startup screen, only last user logged appear.

Reply
Mike W November 9, 2018 - 8:55 pm

Not working. MS probably killed it in an update.

Reply
Roland Pascolo May 21, 2019 - 4:52 pm

You have to change the permissions of the userswitch reg key : change the owner to Admin group and enable full control of the key for Admin and disable the write permission for SYSTEM. This is working since Windows 8.

Reply
Laura M June 21, 2019 - 3:13 pm

@Roland – not an adminstrator but often end up having to do deskside support. How do I do what you suggested?

Reply
Roland p June 21, 2019 - 5:59 pm

Try to run this powershell script as admin :
## Taken from P/Invoke.NET with minor adjustments.
$Definition = @’
using System;
using System.Runtime.InteropServices;
public class AdjPriv {
[DllImport(“advapi32.dll”, ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
[DllImport(“advapi32.dll”, ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport(“advapi32.dll”, SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name,
ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege) {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
IntPtr.Zero);
return retVal;
}
}
‘@
# Take ownership privilege
$ProcessHandle = (Get-Process -id $pid).Handle
$type = Add-Type $definition -PassThru
for ($i=1; $i -le 10;$i++){
$status=$type[0]::EnablePrivilege($processHandle, “SeTakeOwnershipPrivilege”)
if ($status){break}
if ($i -eq 10){read-host “Unable to take ownership privilege”;exit}
start-sleep 1|out-null
}
#
$keypath=”SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch”
#
# Get localized admin group name
$admin=(get-wmiobject win32_group| Where-Object {$_.sid -eq “s-1-5-32-544”}).name
# Change Owner to the local Administrators group
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(“$keypath”, “ReadWriteSubTree”, “TakeOwnership”)
$regACL = $regKey.GetAccessControl()
$regACL.SetOwner([System.Security.Principal.NTAccount]”$admin”)
$regKey.SetAccessControl($regACL)
# Change Permissions for the local Administrators group
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(“$keypath”, “ReadWriteSubTree”, “ChangePermissions”)
$regACL = $regKey.GetAccessControl()
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule (“$admin”,”FullControl”,”ContainerInherit”,”None”,”Allow”)
$regACL.SetAccessRule($regRule)
# Change Permissions for System
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule (“SYSTEM”,”SetValue”,”ContainerInherit”,”None”,”Deny”)
$regACL.SetAccessRule($regRule)
$regKey.SetAccessControl($regACL)
New-ItemProperty -Path “HKLM:\$keyPath” -Name “Enabled” -Value 1 -PropertyType DWORD -Force |out-null

You need to run this as admin since admin privilege is required to get ownership of the userswitch key owned by the system account.

Reply
Laura M June 21, 2019 - 8:21 pm

Thank you, Roland! I may have it fixed, after making some changes to the group policy. If not, this topic is bookmarked. 🙂

Reply
elias July 18, 2019 - 8:46 am

is this working on domain users i did everything and still the users not showing at startup.

Reply
Nate O August 1, 2019 - 4:30 pm

Hi Laura M, Can you explain what group policy changes you made to fix this?

Reply
Laura M August 1, 2019 - 4:52 pm

Hi Nate. i actually followed the instructions I found on this site (first reply to the topic):
https://social.technet.microsoft.com/Forums/en-US/2ab569f5-ec46-4f54-a544-42504589d920/windows-10-logon-screen-retain-previously-logged-domain-users?forum=win10itprosetup

Please be aware that I am *not* a sysadmin. I am just a regular user who ends up having to try and play deskside support, so there may well be things I am making more diffiucult than they need to be. 🙁

Things I did notice-
1. The users I added didn’t actually show on the list on the list until after they logged in the first time.

2. When they did log in the first time, i found that it didn’t work if anyone else was currently logged in (it has to go through the set up for each user, and have them set a PIN). So, since their name wasn’t on the list, I had them select Other user. Then I had them click “Sign in options” and click the globe icon. Assuming that the ids were created using their email addresses, I had them enter that and followed prompts from there.

That’s what worked for me, but your experience may be different.

Reply
HGer August 16, 2019 - 7:36 pm

This (userswitch) was working for me until 1903 update. Now the reg values are correct, but some users (without passwords) are automatically logged in on start up.

Reply
David January 24, 2020 - 6:38 pm

Why should the user have to know ANYTHING that is going on behind the GUI? This is as bad as old MSDOS days!

Reply
Laura February 7, 2020 - 9:01 pm

I logged into my work computer cortana usuing my personal Microsoft account, which apparently created a new user profile (also started displaying my beach vacation photos as the background) so I deleted the user profile and restarted the computer now the only option to logon is usuing the same user profile I just deleted (my personal) but now asking for a password that I did not create nor is my existing Microsoft personal password. my original default login profile is not displayed as an option either.. Effectively I’m locked out of my brand new office computer.

Reply
Vernon April 27, 2020 - 4:48 am

None of the the above worked for me.
I have searched high and low on the web for a solution to get multiple users
to show on login screen in Windows 10. The best I could do is a workaround
based on info on a Tenforum thread. I provide this in case it helps
someone else. It is not elegant, but suffices until a real solution comes along.
My thanks to Shawn Brink.

0. Create new user [Admin] with password
1. type ‘run’ or {Win+R} to get the Run dialogue box
2. type ‘netplwiz’ and click on OK
3. Check [if not already checked] “Users must enter a user name and password to use this computer” checkbox
4. select user you are not signed on as [see #0 above]
5. Uncheck “Users must enter a user name and password to use this computer checkbox”
6. Click OK
7. Click OK [leave password boxes blank]
8. Reboot.

Login will fail, but available signons will show. Repeat 1-8 on New User.

I have not tried this for nonAdmin accounts nor for more than two User Accounts.

Reply
Reena December 9, 2020 - 1:31 pm

It helped me, i was looking for this login solution everywhere and only this one worked finally. I am so happy that i am connecred ro right peopke and solutions and so is my laptop.

Reply
windows 10 login screen other user - Credit One February 16, 2021 - 3:34 pm

[…] 8. How to Show/Hide All User Accounts from Login Screen in … […]

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021
  • How to Move (Clone) Windows to a New Hard Drive (HDD/SSD)?

    February 4, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Updating List of Trusted Root Certificates in Windows 10/8.1/7
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Backup/Restore and Export Local Group Policy Settings to Another Computer
  • Reset Local Group Policy Settings in Windows
  • How to Block USB Drives in Windows using Group Policy?
  • Changing Desktop Background Wallpaper in Windows through GPO
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top