Here's the dilemma: you've set up multiple user accounts on a machine, and you've gone the extra mile to ensure that your data is properly protected by configuring permissions and employing encryption. Now you find Windows so locked-down that you can't do anything without having to enter a password first. Fortunately, you can streamline the logon process to suit your needs and tolerance for cumbersome logon procedures, or use some lesser-known features to lock it down even further.
1. Hide the List of User Accounts
The friendly Welcome screen is the default interface you see when you log on to Windows Vista.
Back in the old days, we didn't have any fancy pictures to click; we actually had to type our usernames and passwords to log on. In the snow. Uphill, both ways.
If you long for those simpler times, or perhaps if you just realize that it's wise not to show a list of all the user accounts on a PC, you can opt for a more retro-style login box.
Unfortunately, Microsoft removed the bare-bones, "classic" Windows NT-style logon window that was present even in Windows XP, but there is an alternative. To get a login screen with both username and password fields, albeit with a look reminiscent of Vista's Welcome screen, follow these steps:
1. Open the Start menu Search box, type secpol.msc, and press Enter to display the Local Security Policy editor. (This tool is only available in the Windows Vista Business and Ultimate editions.)
2. Expand the Local Policies branch and click the Security Options folder.
3. In the right pane, double-click the Interactive logon: Do not display last user name option, select Enabled, and click OK.
4. Close the Local Security Policy window when you're done; the change will take effect the next time you log in.
Keep in mind that if your goal is to hide the list of user accounts from everyone but you, then this is only part of the solution. Sure, this hides the user list from passersby, but anyone with an administrator account on the PC could log in and open the User Accounts window to view other users on the system. (Of course, anyone could also re-enable the Welcome screen, or even create new accounts.) So, to keep your user list hidden, use standard user accounts for all other users.
2. Log In Automatically
If you assign a password to your account, or if you add a second user account in Control Panel, Vista will show you the Welcome screen when Windows first starts.

But it's never a good idea to have any accounts on your system set up without passwords, not so much because someone could break in to your computer while sitting at your desk, but because if you're connected to a network or the Internet, an account—any account—without a password is a big security hole.

The problem with setting up a password, however, is that Windows will then prompt you for the password every time you turn on your computer, which can be a pain if you're the only person who uses the machine. Fortunately, there is a rather easy way to password-protect your computer and not be bothered with the Welcome screen.
1. Open the alternate User Accounts window by opening the Start menu, typing control userpasswords2 in the Search box, and pressing Enter.
2. Select from the list the username you'd like to be your primary login, and then turn off the Users must enter a username and password to use this computer option.
3. The Automatically Log On dialog will appear, prompting you to enter (and confirm) the password for the selected user.
4. Click OK when you're done. The change will take effect the next time you restart your computer.
Note that these steps won't affect your ability to log out and then log in to another user account (see the next topic if that's what you're after). Furthermore, this is not a temporary setting; if you log out and then log back in, you'll be logged in automatically the next time you restart Windows.
2.1. Prevent users from bypassing the automatic login
Automatic logins are also good for machines you wish to use in public environments (typically called "kiosks"), but you'll want to take steps to ensure that a visitor can't log in to a more privileged account. There are two ways for a user to skip the automatic login and log in to another user account:

- Hold the Shift key while Windows is logging in.
- Once Windows has logged in, log out by selecting Log Off from the Start menu or pressing Ctrl-Alt-Del and selecting Log Off.
To eliminate both of these backdoors, follow these steps:
1. Open the Registry Editor.
2. Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the Windows NT branch here, as opposed to the more common Windows branch.)
3. Create a new string value here by going to Edit → New → String Value, and name the new value IgnoreShiftOverride. Double-click the new value, type 1 for its value data, and click OK. (This disables the Shift key during the automatic login.)
4. Next, create a new DWORD value in this same key by going to Edit → New → DWORD (32-bit) Value, and name the new value ForceAutoLogon. Double-click the new value, type 1 for its value data, and click OK. (This automatically logs back in if the user tries to log out.)
5. Close the Registry Editor when you're done. The change will take effect immediately.
To remove either or both of these restrictions, just delete the corresponding Registry values.
2.2. Limit automatic logins
It's possible to limit the automatic login feature, so that the Log On dialog (or Welcome screen) reappears after a specified number of boots:

1. Open the Registry Editor.
2. Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the Windows NT branch here, as opposed to the more common Windows branch.)
3. Create a new DWORD value here by going to Edit → New → DWORD (32-bit) Value, and type AutoLogonCount for the name of the new value.
4. Double-click the new AutoLogonCount value, and type the number of system boots for which you'd like the automatic login to remain active.

Every successive time Windows starts, it will decrease this value by one. When the value is zero, the username and password entered at the beginning of this topic are forgotten, and the AutoLogonCount value is removed.
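The two Registry procedures in sections 2.1 and 2.2 can be applied (and undone) from an elevated PowerShell prompt. The script below is an added example, not code from the book; it assumes you have already enabled automatic login with control userpasswords2 as described at the start of this topic, and the function names are this example's own. The value names and data types are the ones given in the steps above.

```powershell
# Added example (not the book's code): script the Winlogon values from
# sections 2.1 and 2.2. Run from an elevated PowerShell prompt.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-AutoLogonLock {
    # -BootCount 0 means "no limit" (AutoLogonCount is not written).
    param([int]$BootCount = 0)

    # IgnoreShiftOverride is a string value whose data is "1" (section 2.1).
    New-ItemProperty -Path $Winlogon -Name 'IgnoreShiftOverride' `
        -PropertyType String -Value '1' -Force | Out-Null

    # ForceAutoLogon is a DWORD value set to 1 (section 2.1).
    New-ItemProperty -Path $Winlogon -Name 'ForceAutoLogon' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # AutoLogonCount is a DWORD holding the remaining number of automatic
    # logins; Windows decrements it on each boot (section 2.2).
    if ($BootCount -gt 0) {
        New-ItemProperty -Path $Winlogon -Name 'AutoLogonCount' `
            -PropertyType DWord -Value $BootCount -Force | Out-Null
    }

    # Read the key back so the caller can confirm what was written.
    Get-ItemProperty -Path $Winlogon |
        Select-Object IgnoreShiftOverride, ForceAutoLogon, AutoLogonCount
}

function Remove-AutoLogonLock {
    # Deleting the values restores the Shift-key bypass and normal logoff,
    # exactly as the text says.
    foreach ($name in 'IgnoreShiftOverride', 'ForceAutoLogon', 'AutoLogonCount') {
        Remove-ItemProperty -Path $Winlogon -Name $name -ErrorAction SilentlyContinue
    }
}

# Usage: lock the kiosk for the next 30 boots, then hand back a normal logon.
Set-AutoLogonLock -BootCount 30
```

Because ForceAutoLogon takes effect immediately, test this on a machine where you still have a second way in (another administrator account, or physical access to remove the values) before deploying it to a kiosk.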
2.3. Force passwords to expire
Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
—Clifford Stoll
If you have the Business or Ultimate edition of Vista, you can have Windows force you to routinely change your password.
Open the Local Users and Groups manager (in the Start menu Search box, type lusrmgr.msc), and then open the Users folder. Double-click your username, turn off the Password never expires option, and click OK. (Do the same for any other accounts here, if needed.) When you're done, close the Local Users and Groups manager.
Next, open the Local Security Policy editor (in the Start menu, type secpol.msc) and expand the branches to Account Policies\Password Policy. On the right, double-click Maximum password age and enter the amount of time before Windows expires your password. (To take Cliff Stoll's advice, enter 182 days.) Close the Local Security Policy editor; the change takes effect the next time you log in.
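The same two settings can be applied without clicking through the Local Users and Groups manager and the Local Security Policy editor. The following PowerShell is an added example, not code from the book: it clears the Password never expires flag on a local account through the WinNT ADSI provider (the ADS_UF_DONT_EXPIRE_PASSWD bit of UserFlags) and sets the machine-wide maximum password age with the net accounts command. Both are standard Windows interfaces; the function names are this example's own.

```powershell
# Added example (not the book's code): force a local account's password to
# expire and set the maximum password age. Run from an elevated prompt.

# Documented UserFlags bit meaning "password never expires".
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Set-PasswordExpires {
    # Equivalent of clearing "Password never expires" in lusrmgr.msc.
    param([Parameter(Mandatory = $true)][string]$UserName)

    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $flags = [int]$user.UserFlags.Value

    if ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        $user.Put('UserFlags', $flags -bxor $ADS_UF_DONT_EXPIRE_PASSWD)
        $user.SetInfo()
        "${UserName}: cleared 'Password never expires'."
    } else {
        "${UserName}: password was already set to expire."
    }
}

function Set-MaximumPasswordAge {
    # Equivalent of "Maximum password age" under Account Policies\Password
    # Policy in secpol.msc. 182 days is Cliff Stoll's "every six months".
    param([int]$Days = 182)

    net accounts "/maxpwage:$Days" | Out-Null
    # Print the resulting policy so the change can be verified.
    net accounts
}

# Usage: apply the text's advice to the current account.
Set-PasswordExpires -UserName $env:USERNAME
Set-MaximumPasswordAge -Days 182
```

Note that the maximum age is a machine-wide policy, while the never-expires flag is per account; an account that still carries the flag is not affected by the policy, which is why the text has you clear it first.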
3. Reset a Forgotten Administrator Password
Forgot your password? No problem. There are two ways to get into your PC: the easy way and the hard way.
If there are any other administrator-level accounts on your PC, the easy way is to log in to one of those accounts, open the User Accounts page in Control Panel, and change your password there.
If yours is the only administrator account, you'll have to reset your password the hard way. (This won't work if your drive is protected by BitLocker Drive Encryption.) Start by downloading the free Trinity Rescue Kit from http://www.trinityhome.org/, and burn the ISO image to a blank CD.

Next, boot your PC with the Trinity Rescue Kit disc, which is essentially a bootable Linux CD. At the prompt, type

winpass -u username

where username is your login name.
The software will then search your hard disk for Windows installations, display a list of any it finds, and ask you to choose one. At this point you'll be asked to either provide a new password or type merely * (asterisk) to choose a blank password. Confirm that you wish to change the password, and you'll be sent back to the terminal prompt when it's done.

Now, restart your PC to log in to your newly unlocked Windows account.
4. Prevent Users from Shutting Down
Among the restrictions you may want to impose on others who use your computer is that of shutting down Windows. For instance, if you're logging in remotely, you'll want to make sure that your PC is always on. Or, if you're setting up a system to be used by the public, you won't want to allow anyone to shut down or reboot the system in an effort to compromise it. Here's how to do it:

1. Open the Registry Editor.
2. Expand the branches to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
3. Create a new DWORD value by going to Edit → New → DWORD (32-bit) Value, and type NoClose for its name.
4. Double-click the new NoClose value and type 1 for its data.
5. Close the Registry Editor when you're done. You'll need to restart Windows for this change to take effect.

Keep in mind that this isn't a bulletproof solution. For instance, anyone will be able to shut down Windows by pressing Ctrl-Alt-Del and clicking Shut Down there. Also, someone with ready access to your computer's on/off switch, reset button, or power cord will be able to circumvent this restriction. At the very least, though, it'll provide some reasonable assurance that your PC will remain powered on.
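Every setting in this topic ends up in the Registry, so the state of a machine can be checked in one pass rather than by reopening each tool. The report below is an added example, not code from the book. It reads the Winlogon values from sections 2 through 2.2 and the NoClose value from section 4 at the paths the text gives; for section 1 it assumes the standard mapping of the Interactive logon: Do not display last user name policy to the DontDisplayLastUserName value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and it also checks for a DefaultPassword value under Winlogon, the documented place where a hand-edited automatic login stores its password in clear text. The function names are this example's own.

```powershell
# Added example (not the book's code): audit the logon settings this topic
# configures. Reading HKLM needs no elevation; NoClose is per user, so the
# HKCU result describes only the account running the script.
function Get-LogonHardeningReport {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Return a value's data, or '(not set)' when the value or key is absent.
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { '(not set)' } else { $item.$Name }
    }

    [pscustomobject]@{
        'Hide last user name (sec. 1)'      = Get-RegValue $system   'DontDisplayLastUserName'
        'AutoAdminLogon (sec. 2)'           = Get-RegValue $winlogon 'AutoAdminLogon'
        'DefaultUserName (sec. 2)'          = Get-RegValue $winlogon 'DefaultUserName'
        # control userpasswords2 keeps the password as an LSA secret; a
        # cleartext DefaultPassword value here is the thing to flag.
        'Cleartext DefaultPassword present' = ((Get-RegValue $winlogon 'DefaultPassword') -ne '(not set)')
        'IgnoreShiftOverride (sec. 2.1)'    = Get-RegValue $winlogon 'IgnoreShiftOverride'
        'ForceAutoLogon (sec. 2.1)'         = Get-RegValue $winlogon 'ForceAutoLogon'
        'AutoLogonCount (sec. 2.2)'         = Get-RegValue $winlogon 'AutoLogonCount'
        'NoClose for current user (sec. 4)' = Get-RegValue $explorer 'NoClose'
    }
}

# Usage: print the report; each line shows the stored data or '(not set)'.
Get-LogonHardeningReport | Format-List
```

An AutoAdminLogon of 1 together with ForceAutoLogon and IgnoreShiftOverride is the kiosk configuration from section 2.1; seeing it on an ordinary workstation, or seeing a cleartext DefaultPassword anywhere, is worth following up on.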