Windows OS Hub

November 18, 2021 | Group Policies, Windows 10, Windows 11, Windows Server 2019

How to Hide or Show User Accounts from Login Screen on Windows 10/11?

By default, the login screen on Windows 10/11 and Windows Server 2019/2016/2012R2 displays the account of the last user who logged in to the computer. You can configure different behavior of this feature: you can show the last logon username, hide it, or even list all local/logged domain users on your device’s welcome screen.

Contents:
  • Do Not Display the Last Username on Windows Logon Screen
  • Show All Users on Windows 10/11 Sign-in Screen
  • Show Logged In Domain Users on Windows Login Screen
  • Hide Specific User Accounts from the Sign-in Screen on Windows 10 and 11

Do Not Display the Last Username on Windows Logon Screen

End users find it convenient when the name of the last logged-on account is displayed on the Windows logon screen and doesn’t need to be typed in manually. But this makes it easier for an attacker to access the computer: with the username already known, only the correct password is needed. It can be obtained through social engineering, brute-force attacks, or a banal sticky piece of paper with a password on the monitor.

You can hide the last logged username on a Windows logon screen through the GPO. Open the domain (gpmc.msc) or local Group Policy editor (gpedit.msc) and go to the section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Enable the policy “Interactive logon: Do not display last user name”. This policy is disabled by default.

You can also hide the last username from the login screen through the registry. To do this, go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and create a new DWORD parameter named dontdisplaylastusername with the value 1.

The username is also displayed on the computer if its screen is locked (by pressing Win+L or via the lock screen GPO). You can hide the username on the lock screen as well. To do this, in the same section of the GPO, enable the policy “Interactive logon: Display user information when the session is locked” and set the value “Do not display user information”.

A registry parameter named DontDisplayLockedUserId in the same registry key with a value of 3 matches this policy parameter.

Other possible values for this parameter:

  • 1 — show user display name, domain, and usernames
  • 2 — show only user display names
  • 3 — do not display users.

The computer login screen and Windows lock screen now display the blank username and password fields.
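To check or apply both registry values on a machine without opening the policy editor, the following added example (not code from the original article) reads them from the key named above and maps DontDisplayLockedUserId to the meanings listed in this section. The function names Get-LogonScreenDisclosure and Set-LogonScreenDisclosureHidden are hypothetical.

```powershell
# Added example: audits the two logon-screen values described in this article.
# Key path, value names and meanings are taken from the article text;
# the function names are hypothetical.
$SystemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of DontDisplayLockedUserId as listed in the article
$LockedIdMeaning = @{
    1 = 'show user display name, domain, and usernames'
    2 = 'show only user display names'
    3 = 'do not display users'
}

function Get-LogonScreenDisclosure {
    param([string]$Path = $SystemKey)

    # A value that was never created comes back as $null
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $last   = $props.dontdisplaylastusername
    $locked = $props.DontDisplayLockedUserId

    $lastMeaning = 'last username shown'
    if ($last -eq 1) { $lastMeaning = 'last username hidden' }

    $lockedMeaning = 'not set'
    if ($null -ne $locked) {
        $lockedMeaning = 'value not listed in the article'
        if ($LockedIdMeaning.ContainsKey([int]$locked)) {
            $lockedMeaning = $LockedIdMeaning[[int]$locked]
        }
    }

    [pscustomobject]@{ Setting = 'dontdisplaylastusername'; Value = $last
                       Meaning = $lastMeaning; Hidden = ($last -eq 1) }
    [pscustomobject]@{ Setting = 'DontDisplayLockedUserId'; Value = $locked
                       Meaning = $lockedMeaning; Hidden = ($locked -eq 3) }
}

function Set-LogonScreenDisclosureHidden {
    # Writes the values the article gives for hiding the username (run elevated)
    param([string]$Path = $SystemKey)
    New-ItemProperty -Path $Path -Name dontdisplaylastusername -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Path -Name DontDisplayLockedUserId -PropertyType DWord -Value 3 -Force | Out-Null
}

Get-LogonScreenDisclosure | Format-Table -AutoSize
```

A domain GPO that configures the same policies will overwrite locally written values at the next policy refresh.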

Show All Users on Windows 10/11 Sign-in Screen

By default, modern versions of Windows (tested on Windows 11 21H2 and Windows 10 21H1) always show the list of enabled local users in the bottom left corner of the login screen. Only hidden (see below) or disabled users are not displayed.

To log in to the computer, the user just needs to click on the required user account and specify its password. This only works on computers that are not joined to the Active Directory domain.

If no password is set for the user account, this user will be automatically logged on, even if autologon is not enabled.

Tip. Instead of the standard user icons, you can configure the user profile photo from Active Directory to be displayed.

If the list of local users is not displayed on the computer logon screen, check the settings of the following local Group Policy options (use the gpedit.msc):

  • Interactive Logon: Do not display last signed-in = Disabled (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options);
  • Enumerate local users on domain-joined computers = Enabled (Computer Configuration -> Administrative Templates -> System -> Logon)
  • Do not enumerate connected users on domain-joined computer = Disabled/Not Configured (in the same GPO section)

 

Restart your computer to apply the new Group Policy settings.

In some old Windows 10 builds (from 1609 up to 1903), there was another problem with displaying all local users on the Windows Welcome screen, related to user switching mode.

To display all local user accounts on the Windows login screen, you need to change the value of Enabled parameter to 1 in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch. This option allows you to switch the current user on the Windows sign-in screen. However, Windows automatically resets the value of the Enabled parameter to 0 at each user logon.

To fix this problem, you need to create a Task Scheduler task that changes the parameter value back to 1 at each user logon.

You can create a new Scheduler task with PowerShell:

# Run the task at every user logon
$Trigger = New-ScheduledTaskTrigger -AtLogOn
# Run as SYSTEM so the task is allowed to write to HKLM
$User = "NT AUTHORITY\SYSTEM"
# Set Enabled back to 1, because Windows resets it to 0 at each logon
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch -Name Enabled -Value 1"
Register-ScheduledTask -TaskName "UserSwitch_Enable" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force

Make sure that the task appeared in Windows Task Scheduler (taskschd.msc).

Log off and then log on again. The task must start automatically and change the value of Enabled registry parameter to 1. Check the current value of the parameter using Get-ItemProperty. As you can see, it is 1:

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch' -Name Enabled

Show Logged In Domain Users on Windows Login Screen

If multiple domain users share the same computer, you can display a list of users with active sessions on the welcome screen. An active session means that the user is logged on to the computer. This applies to shared computers (used in user switching mode), kiosks, Windows Server RDS hosts, or Windows 11 and 10 devices with multiple RDP connections allowed.

To do this, check that in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options the following policies are disabled:

  • Interactive logon: Don’t display last signed-in: Disabled
  • Interactive logon: Don’t display username at sign-in: Disabled

Then disable the policies in the section Computer Configuration -> Administrative Templates -> System -> Logon:

  • Block user from showing account details on sign-in: Disabled
  • Do not enumerate connected users on domain-joined computer: Disabled

After that, the welcome screen will display a list of logged-on users. Both active sessions and sessions of users with the disconnected status (for example, by RDP timeout) will be displayed here. The user only needs to log in once, and then just select an account from the list and enter a password.

Note that Group Policy settings on domain computers can be managed by domain administrators. If one of the local GPO settings doesn’t apply to your computer, check to see if it is overridden by domain GPOs. Use rsop.msc or gpresult to get the resulting Group Policy settings on your device.

Hide Specific User Accounts from the Sign-in Screen on Windows 10 and 11

The Windows Welcome screen always displays users who are members of one of the following local groups: Administrators, Users, Power Users, Guests.

Disabled users don’t show on the Windows sign-in screen.

You can hide specific users from the list on the welcome screen through the registry. To do this, use the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList registry key. For each user you want to hide, create a DWORD parameter named after the username with the value 0.

You can list local user names with PowerShell or cmd:

Net user

Or:

Get-LocalUser | where {$_.enabled -eq $true}

To hide a specific user account from the Windows 11 or 10 welcome screen, run the following command, replacing UserName with the account name (for example, user1):

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v UserName

If you want to show the hidden user on the login screen again, you need to delete this registry parameter or change its value to 1.

If the built-in Windows administrator account is enabled on the computer, and this is not the only account with local administrator permissions on the computer (!!!), you can hide it too:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v administrator
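Because a hidden account no longer appears on the sign-in screen, it is useful to review which accounts are hidden on a machine. The following added example (not code from the original article) lists every account hidden through the UserList key and cross-checks it against Get-LocalUser and the local Administrators group. The function name Get-HiddenLogonAccount is hypothetical.

```powershell
# Added example: lists accounts hidden through SpecialAccounts\UserList and
# flags the ones that are enabled and hold local administrator rights.
# The key path is taken from the article; the function name is hypothetical.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccount {
    param([string]$Path = $UserListKey)

    if (-not (Test-Path -Path $Path)) { return }   # key absent: nothing is hidden

    # Members of the built-in Administrators group, resolved by its well-known
    # SID so the lookup also works on localized Windows installations
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        if (-not $name) { continue }               # skip the unnamed default value
        if ($key.GetValue($name) -ne 0) { continue }   # per the article: 0 hides, 1 shows

        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        $lastLogon = $null
        if ($user) { $lastLogon = $user.LastLogon }

        [pscustomobject]@{
            Account    = $name
            Exists     = [bool]$user
            Enabled    = [bool]($user -and $user.Enabled)
            LocalAdmin = $admins -contains $name
            LastLogon  = $lastLogon
        }
    }
}

$hidden = Get-HiddenLogonAccount
$hidden | Format-Table -AutoSize

# Hidden + enabled + administrator is the combination that deserves a closer look
$hidden | Where-Object { $_.Enabled -and $_.LocalAdmin } |
    ForEach-Object { Write-Warning "Hidden enabled administrator account: $($_.Account)" }
```

Run it from an elevated PowerShell session. An entry with Exists = False means the registry value names an account that is not a local user on this machine.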

If you want to hide all users except the last one logged into the computer, configure the following GPO settings in Computer Configuration -> Administrative Templates -> System -> Logon:

  • Enumerate local users on domain-joined computers = Disabled
  • Do not enumerate connected users on domain-joined computer = Enabled
