A proper way to create non-interactive accounts?
You need Resource Kit 2003 and this command:
ntrights -u "username" +r SeDenyInteractiveLogonRight
User rights explanation:
SeNetworkLogonRight Access this computer from the network
SeInteractiveLogonRight Log on locally
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeDenyNetworkLogonRight Deny access this computer from the network
SeDenyInteractiveLogonRight Deny log on locally
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyServiceLogonRight Deny log on as a service
SeCreateGlobalPrivilege Create global objects
SeDebugPrivilege Debug programs
SeDenyRemoteInteractiveLogonRight Deny log on through Terminal Services
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeManageVolumePrivilege Perform volume maintenance tasks
SeRemoteInteractiveLogonRight Allow log on through Terminal Services
SeSyncAgentPrivilege Synchronize directory service data
SeUndockPrivilege Remove computer from docking station
Add new user in Windows 8:
Install Resource Kit 2003:
Set installation path:
Run in CMD with administrative privileges: Disable interactive user logon. OS version info.
How to run CMD with administrative privileges:
Logoff:
shutdown /l
Don't log in to user without interactive logon privileges - don't view the new user.
Enable, disable interactive logon privileges. Add user to list:
Select user without interactive logon privileges:
Not login, return at logon screen.
All works. Good luck!
Note: Go to this registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
AndreyT 0 DWORD - may be hidden, needs test and restart.
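A way to check the result of the steps above, as an added example that is not part of the original answer: it exports the local user-rights policy with secedit (included with Windows) and reports which logon rights from the table list the account, then reads the UserList value from the note. The default account name AndreyT comes from the note; the temporary file name is an assumption.

```powershell
# Added example: run from an elevated PowerShell prompt.
param([string]$Account = 'AndreyT')   # account name from the answer's note

# Logon rights from the answer's table that decide how an account may sign in.
$logonRights = 'SeNetworkLogonRight', 'SeInteractiveLogonRight',
    'SeRemoteInteractiveLogonRight', 'SeBatchLogonRight', 'SeServiceLogonRight',
    'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight', 'SeDenyBatchLogonRight',
    'SeDenyServiceLogonRight'

# Export only the user-rights area of the local security policy to an INF file.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# The INF lists principals either as *SID or by name, so match on both.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($line in Get-Content $inf) {
    if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    $assigned = $Matches[2]
    if ($logonRights -notcontains $right) { continue }
    $principals = @($assigned.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $names = foreach ($p in $principals) {
        if (-not $p.StartsWith('*')) { $p; continue }
        try {
            $s = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
            $s.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $p }   # SID that no longer resolves: show it raw
    }
    [pscustomobject]@{
        Right        = $right
        HeldBy       = $names -join ', '
        ListsAccount = ($principals -contains "*$sid") -or ($principals -contains $Account)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# The registry value from the note (the answer suggests a DWORD of 0 for the account).
$key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$value = (Get-ItemProperty -Path $key -Name $Account -ErrorAction SilentlyContinue).$Account
if ($null -eq $value) { "UserList: no value for $Account" } else { "UserList: $Account = $value" }
```

ListsAccount is true only when the account itself is named in a right; rights it inherits through a group such as Users appear in the HeldBy column under the group's name.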
AnT
Updated on September 18, 2022
Comments
AnT almost 2 years
In order to use password-protected file sharing in a basic home network I want to create a number of non-interactive user accounts on a Windows 8 Pro machine in addition to the existing set of interactive accounts. The users that correspond to those extra accounts will not use this machine interactively, so I don't want their accounts to be available for logon and I don't want their names to appear on welcome screen.
In older versions of Windows Pro (up to Windows 7) I did this by first creating the accounts as members of "Users" group, and then including them into "Deny logon locally" list in Local Security Policy settings. This always had the desired effect. However, my question is whether this is the right/best way to do it.
The reason I'm asking is that even though this method works in Windows 8 Pro as well, it has one little quirk: interactive users from "User" group are still able to see these extra user names when they go to the Metro screen and hit their own user name in the top-right corner (i.e. open "Sign out/Lock" menu). The command list that drops out contains "Sign out" and "Lock" commands as well as the names of other users (for "switch user" functionality). For some reason that list includes the extra users from "Deny logon locally" list. It is interesting to note that this happens when the current user belongs to "Users" group, but it does not happen when the current user is from "Administrators".
For example, let's say I have three accounts on the machine: "Administrator" (from "Administrators", can logon locally), "A" (from "Users", can logon locally), "B" (from "Users", denied logon locally). When "Administrator" is logged in, he can only see user "A" listed in his Metro "Sign out/Lock" menu, i.e. all works as it should. But when user "A" is logged in, he can see both "Administrator" and user "B" in his "Sign out/Lock" menu.
Expectedly, in the above example trying to switch from user "A" to user "B" by hitting "B" in the menu does not work: Windows jumps to welcome screen that lists only "Administrator" and "A".
Anyway, on the surface this appears to be an interface-level bug in Windows 8. However, I'm wondering if going through "Deny logon locally" setting is the right way to do it in Windows 8. Is there any other way to create a hidden non-interactive user account?
afrazier over 11 years: What if you were to exclude those users from the Users group as well?
Taylor Gibb over 11 years: In all honesty this is the kind of problem the HomeGroup feature set out to solve, and does solve quite adequately in my opinion.
AnT over 11 years: But the pictures you posted demonstrate exactly the same problem I described in my question! In your Metro picture (second from the bottom) user STTR can see user AndreyT in the list, even though AndreyT has no logon privileges. This is exactly what I want to fix. I don't want user STTR to see user AndreyT in that list.
AnT over 11 years: I know that user AndreyT cannot login. But on top of that I want user AndreyT to be invisible to STTR. Your Metro screen shows that AndreyT is still visible to STTR. That is the problem.
STTR over 11 years: If I not set ntrights -u AndreyT -r SeDenyInteractiveLogonRight after create user, and not press relogon, user not visible. You may enable audit logon, and change long password every day))).
STTR over 11 years: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList AndreyT DWORD 0 - may be hide it
AnT over 11 years: Unfortunately, this setting has no effect on the issue in question. The users are still visible in the "Sign out" list.