Last week I received a question from one of my readers, asking how it was possible to hide the name of the user that has locked his or her workstation. The reason behind it was that in a secure environment, where computers need to be hardened in order to better protect them from any unauthorized access attempt, having the user name of a locked machine is considered to be “half the job”. With that information, the malicious user that wants to unlock the workstation, only needs to guess the user’s password. Naturally this information should not be easy to guess, but why make life easier for such a malicious user?
So I investigated this issue, and came up with a solution.
Note: You might want to also implement the setting that prevents the last user from being displayed on the logon screen.
Warning!
This document contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a trained computer specialist.
To hide the user name for the user that has locked the computer, follow the next steps:
1. Start Registry Editor.
2. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
3. If it doesn’t exist, on the Edit menu, point to New, click DWORD Value, and then add the following registry values:
Value name: DontDisplayLockedUserId
Value data: 1, 2 or 3 (see below)
Base: Decimal
The following values can be set:
- 1 = Show the locked user display name and the user ID
- 2 = Show the locked user display name only
- 3 = Do not display the locked user information
4. Exit Registry Editor.
Note: To prevent the last logged on user to be displayed in the Windows logon screen, also set the dontdisplaylastusername value and set it to 1.
This is how it looks like on a Windows Server 2008 machine.
Before:
After:
