After WDP installed, last logged on user is now showing admin name from last saved change?

  • Question

  • I just installed Steady State on a test machine. And now it shows the last admin to be logged on that made changes. I have security settings on the domain so that the last logged on user does not show. Having the last logged on user shown promotes getting that account locked out on log in violations from people that are too lazy to change the user name when they are trying to log in. Is there a way to fix this?

    Otherwise it looks like a good product and should save me a lot of money at the college where I work since I may not now have to buy DeepFreeze.
    Wednesday, February 4, 2009 4:01 PM

Answers

  • And to answer my own question:

    In the Set Computer Restrictions window, the Privacy setting "Do not display username in the logon to Windows dialog box" MUST be checked, even though down at the bottom of this window it says "In a Domain managed environment the Domain Group Policy supersedes any settings made here".

    Guess I better check the other policy settings to make sure they are still working before I commit to rolling this out.
    • Marked as answer by Sean Zhu - Friday, February 6, 2009 6:34 AM
    Thursday, February 5, 2009 6:54 PM
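
A way to confirm the setting on a test machine after installing SteadyState and rebooting, as an added example that is not part of the original thread. It reads the `DontDisplayLastUserName` registry value behind the "Interactive logon: Do not display last user name" policy and the same entry from a `secedit` export; the function name and temp file name are made up for this example.

```powershell
# Added example, not from the thread. Run from an elevated prompt
# (secedit needs administrator rights). Requires PowerShell 2.0 or later.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'DontDisplayLastUserName'

function Get-LastUserNamePolicy {   # hypothetical helper name
    # 1. Registry value read at the logon dialog (1 = hide the last user name).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    $reg  = if ($item) { $item.$valueName } else { $null }

    # 2. The same setting as exported from the local security policy database.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # constructed file name
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match [regex]::Escape($valueName) } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Export lines have the form  <key path>\DontDisplayLastUserName=4,1  (type,value).
    $exported = $null
    if ($line -match '=\s*\d+\s*,\s*(\d+)\s*$') { $exported = [int]$Matches[1] }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        RegistryValue = $reg        # $null means the value is not set
        SeceditValue  = $exported   # $null means no entry in the export
        NameHidden    = ($reg -eq 1)
    }
}

# Run once before installing SteadyState and again after the reboot,
# then compare the two results.
Get-LastUserNamePolicy | Format-List
```

`NameHidden` should be `True` both before and after the install if the logon dialog is meant to come up with a blank user name.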

All replies

  • I have now found that this has nothing to do with WDP. As soon as I install Steady State on a computer it starts to show the last logged on administrator that installed the software. Right now I have all options in Steady State turned off and have rebooted the computer a couple of times to see if it will clear. I've just checked the local security policy --> Interactive Logon: Do not display last user name and it is now set to disabled, which is strange because this is forced to enabled with a GPO.

    The defaults that I NEED for our domain log in screen are:

    Username - BLANK

    password - BLANK

    domain name - XXXdomain

    Obviously Steady State isn't looking at the forced group policy from the domain controller. If I uninstall Steady State, after a reboot the logon works properly with the GPO again, so it has to be something to do with Steady State.

    Thursday, February 5, 2009 6:39 PM
  • Thank you for sharing the solution with us, I'm sure this will help other users in the forum. If you encounter any other SteadyState related issue in the future, please feel free to post it here.
    Sean Zhu - MSFT
    Friday, February 6, 2009 6:34 AM
  • No problem. Just wish I could find the time to get back to the books and learn more about Group Policy. I know there are many answers to some problems hidden in there, but I don't really know enough to get my way through and have things work coming out the other end. From the very little reading that I've done, it looks like it falls on policy inheritance going from domain level down to local level, with local being applied last in the chain. Since Steady State modifies some local policies, those are applied last. Unfortunately in my case, it looks like Steady State issued a "disabled" policy instead of a "not assigned" policy for display last logged in user name. If it had issued a "not assigned", then the domain group policy should have been applied.

    I have 3 great thick Microsoft books that I need to get through, and not nearly enough time in a workday to even open them. Let alone on the weekends. After I get some account/security changes in our Macintosh lab finished, I should be able to get back to this, so hopefully another week or so. Took me 3 days to figure out how to make some software that required Administrator level on the Macs to work as a normal user, would have taken 10 minutes to get it working on Windows by changing folder permissions, or 2 if I just allowed domain users local admin level privileges. Going to take me 15 or 20 minutes per Mac to make the changes which is going to kill all day tomorrow.

    Anyway, I'm very glad Microsoft made this utility, I'm extremely glad it is free and hope it stays that way. This could really save us some money and with budgets getting tight, I have a feeling our funding is going to dry up fast. If it turns into a for-pay utility, please keep it free to non-profit and educational institutions through a registration process.

    Also it would be nice if there was an Enterprise class of download so that rolling it out to computers that are not connected to the internet is possible. I downloaded it on a genuine certified XP computer, but I am going to install on our network machines that do not have internet access. Still not sure what will happen.
    Thursday, February 19, 2009 10:46 PM