By default, the login screen on Windows 10/11 and Windows Server 2019/2016/2012R2 displays the account of the last user who logged in to the computer. You can configure different behavior of this feature: you can show the last logon username, hide it, or even list all local/logged domain users on your device’s welcome screen.
Do Not Display the Last Username on Windows Logon Screen
End users find it convenient when the last logged-on account name is displayed on the Windows logon screen and doesn't need to be typed in manually. But this makes it easier for an attacker to access the computer: with the username already known, only the correct password is left to find. That can be obtained through social engineering, brute-force attacks, or simply a sticky note with the password on the monitor.
You can hide the last logged username on a Windows logon screen through the GPO. Open the domain (gpmc.msc) or local Group Policy editor (gpedit.msc) and go to the section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Enable the policy “Interactive logon: Do not display last user name”. This policy is disabled by default.
The username is also displayed on the computer if its screen is locked (by pressing Win+L or via the lock screen GPO). You can hide the username on a computer lock screen. To do this, in the same section of the GPO, you must enable the policy “Interactive logon: Display user information when the session is locked” and set the value “Do not display user information”.
The registry parameter DontDisplayLockedUserId in the same registry key corresponds to this policy; a value of 3 matches the setting chosen above. The possible values are:
- 1 — show user display name, domain, and usernames
- 2 — show only user display names
- 3 — do not display users.
The computer login screen and the Windows lock screen now display blank username and password fields.
Show All Users on Windows 10/11 Sign-in Screen
By default, modern versions of Windows (tested on Windows 11 21H2 and Windows 10 21H1) always show the list of enabled local users in the bottom left corner of the login screen. Only hidden (see below) or disabled users are not displayed.
To log in to the computer, the user just needs to click on the required user account and specify its password. This only works on computers that are not joined to the Active Directory domain.
If the list of local users is not displayed on the computer logon screen, check the settings of the following local Group Policy options (use gpedit.msc):
- Interactive Logon: Do not display last signed-in = Disabled (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options);
- Enumerate local users on domain-joined computers = Enabled (Computer Configuration -> Administrative Templates -> System -> Logon);
- Do not enumerate connected users on domain-joined computer = Disabled/Not Configured (in the same GPO section).
Restart your computer to apply the new Group Policy settings.
In some old Windows 10 builds (from 1609 up to 1903), there was another problem with displaying all local users on the Windows Welcome screen, related to user switching mode.
To display all local user accounts on the Windows login screen, you need to change the value of Enabled parameter to 1 in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch. This option allows you to switch the current user on the Windows sign-in screen. However, Windows automatically resets the value of the Enabled parameter to 0 at each user logon.
To fix this problem, you need to create a scheduled task that will change the parameter value back to 1 on each user logon.
You can create a new scheduled task with PowerShell:
$Trigger= New-ScheduledTaskTrigger -AtLogOn
$User= "NT AUTHORITY\SYSTEM"
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch -Name Enabled -Value 1"
Register-ScheduledTask -TaskName "UserSwitch_Enable" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
Make sure that the task appeared in Windows Task Scheduler (taskschd.msc).
Log off and then log on again. The task must start automatically and change the value of Enabled registry parameter to 1. Check the current value of the parameter using Get-ItemProperty. As you can see, it is 1:
get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserSwitch' -Name Enabled
Show Logged In Domain Users on Windows Login Screen
If multiple domain users share the same computer, you can display a list of users with active sessions on the welcome screen. An active session means that the user is logged into the computer. This can be a shared computer (used in user switching mode), a kiosk, a Windows Server RDS host, or a Windows 11 or 10 device with multiple RDP connections allowed.
To do this, check that in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options the following policies are disabled:
- Interactive logon: Don’t display last signed-in: Disabled
- Interactive logon: Don’t display username at sign-in: Disabled
Then disable the policies in the section Computer Configuration -> Administrative Templates -> System -> Logon:
- Block user from showing account details on sign-in: Disabled
- Do not enumerate connected users on domain-joined computer: Disabled
After that, the welcome screen will display a list of logged-on users. Both active sessions and sessions of users with the disconnected status (for example, by RDP timeout) will be displayed here. The user only needs to log in once, and then just select an account from the list and enter a password.
Use rsop.msc or gpresult to get the resulting Group Policy settings on your device.
Hide Specific User Accounts from the Sign-in Screen on Windows 10 and 11
The Windows Welcome screen always displays users who are members of one of the following local groups: Administrators, Users, Power Users, Guests.
You can hide specific users from the list on the welcome screen through the registry. To do this, you need to use the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList registry key. For each user you want to hide, create a DWORD parameter named after the username, with a value of 0.
You can list local user names with PowerShell or cmd:
Net user
Or:
Get-LocalUser | where {$_.enabled -eq $true}
To hide a specific user account from the Windows 11 or 10 welcome screen, run the command below, replacing UserName with the account name (for example, user1):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v UserName
If the built-in Windows administrator account is enabled on the computer, and this is not the only account with local administrator permissions on the computer (!!!), you can hide it too:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v administrator
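A check to run before and after the reg add commands above, as an added example that is not part of the original article: it lists every local account with its enabled, administrator and hidden state, flags UserList entries that match no account, and warns when no enabled local administrator stays visible. The function names are hypothetical, and treating "keep one visible administrator" as the meaning of the caveat above is this example's assumption.

```powershell
# Added example, not from the original article. Function names are hypothetical.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenSignInAccount {
    # Value names under UserList whose data is 0 (hidden from the welcome screen).
    if (-not (Test-Path -Path $UserListKey)) { return }
    $key = Get-Item -Path $UserListKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) { $name }
    }
}

function Get-SignInVisibilityReport {
    param(
        [string[]]$Hidden = @(),      # value names read from UserList
        [object[]]$LocalUsers = @(),  # objects with Name and Enabled properties
        [string[]]$AdminNames = @()   # local members of the Administrators group
    )
    foreach ($user in $LocalUsers) {
        [pscustomobject]@{
            Name    = $user.Name
            Enabled = [bool]$user.Enabled
            IsAdmin = $AdminNames -contains $user.Name   # -contains ignores case
            Hidden  = $Hidden -contains $user.Name
        }
    }
    # UserList entries that match no local account (typo or deleted account).
    foreach ($name in $Hidden) {
        if (($LocalUsers | ForEach-Object Name) -notcontains $name) {
            Write-Warning "UserList entry '$name' matches no local account"
        }
    }
}

# Live data. S-1-5-32-544 is the well-known SID of the local Administrators group.
# Only local accounts are counted; domain members of the group are ignored here.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }

$report = @(Get-SignInVisibilityReport -Hidden @(Get-HiddenSignInAccount) `
    -LocalUsers @(Get-LocalUser) -AdminNames @($admins))
$report | Sort-Object Hidden, Name | Format-Table -AutoSize

# Assumption of this example: at least one enabled local administrator stays visible.
$visibleAdmins = @($report | Where-Object { $_.Enabled -and $_.IsAdmin -and -not $_.Hidden })
if ($visibleAdmins.Count -eq 0) {
    Write-Warning 'No enabled local administrator is visible on the sign-in screen.'
}
```

Rows with Hidden and IsAdmin both True are the ones to reconcile against your records of intentionally hidden accounts.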
If you want to hide all users except the last one logged into the computer, configure the following GPO settings in Computer Configuration -> Administrative Templates -> System -> Logon:
- Enumerate local users on domain-joined computers = Disabled
- Do not enumerate connected users on domain-joined computer = Enabled