I’m far too lazy to type my user name in every time I start up. I tried and searched for a solution to no avail. I asked on the Ubuntu forums, and user KryTarik pointed me at the document I needed.
Solution
1. The settings are stored in /etc/gdm/custom.conf
2. We need to edit that file (Applications > Accessories > Terminal), and execute the following command.
3. I am going to add my domain user object, and hide the local user I created, by adding the following.
I’m in the United Kingdom, and even when I set the UK keyboard layout, Ubuntu wants to use a US keyboard layout for the logon/login screen. For most people this won’t be a problem, but if you log into a domain you need the @ symbol. A US keyboard has that in a different place. It’s only a small niggle because I know where it is, but if it annoys me, it will be annoying someone else.
Solution
1. Login and open a terminal window (Applications > Accessories > Terminal) and issue the following command.
[box]sudo nano /etc/default/console-setup[/box]
2. You will be asked for your password, supply it and edit the file as shown below, set the XKBMODEL value to pc105 (assuming you have a standard 105 key keyboard), and XKBLAYOUT set to gb.
3. Press CTRL+X to exit and save the file. After a reboot you should be on the correct keyboard layout on your logon screen.
Related Articles, References, Credits, or External Links
By default Windows will display the last user that successfully logged on. On shared machines or in a secure domain environment you might not want this.
Solution
On a Single (stand alone) machine.
1. Click start and in the run/search box type gpedit.msc{enter}
2. Navigate to > Computer Configuration > Windows settings > Security Settings > Local Policies > Security Options > “Interactive Logon: Do not display last user name”.
3. Simply enable the policy.
4. Reboot the PC or run gpupdate /force.
In a Windows Domain Environment
Note: This procedure was carried out on Server 2008 R2.
1. On one of your domain controllers > Start > Administrative Tools > Group Policy Management Console > Either select an existing policy or create and link one to the COMPUTERS you want this policy to affect. Then edit the policy.
2. Navigate to > Computer Configuration > Policies > Windows settings > Security Settings > Local Policies > Security Options > “Interactive Logon: Do not display last user name”.
3. Tick to define the policy, and set it to enabled.
4. Reboot the PC or run gpupdate /force.
Did a migration of a school the other week. Afterwards it seems the “little darlings” had discovered that they could (from the logon screen) access the “Ease of access” settings and enable “High Contrast”, which is obviously hilarious, but annoying for their teachers.
Ease of Access is designed as part of the accessibility options, and as such has no GPO settings (I’m assuming because a policy that excludes disabled people would not be the best of things in a modern society). However, when these options start to harm productivity we need a mechanism to enable and disable them. (At least then we can enable them for only the people that need them.)
Anyway, it took me ages to get it turned off. Here’s how to do it.
Solution
1. On your domain controller, Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted COMPUTERS or edit an existing one, then navigate to:
2. Right click “File system” > Add File > Type in the following;
[box]C:\Windows\System32\Utilman.exe[/box]
3. Click OK > Add in the Everyone group > Deny the following, Read and Execute, List Folder Contents, and Read > Apply > Yes > “Replace existing permissions….” > OK.
4. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.
A few weeks back I wrote about a client who was having problems with kids at his school launching the ease of access button from the login screen, and how I disabled the ease of access button.
High Contrast
After a site visit it seems that the “little darlings” had now worked out that by pressing “Alt+Shift+Print Screen” they could turn on high contrast. And this, which is obviously hilarious (once again), and annoying for their teachers, needs disabling.
As with the ease of access button, these options are designed for the disabled. So there is no mechanism for doing this. I had great fun working out how to do this via group policy.
2. This assumes your clients are Windows 7; if your client OSs are earlier, you need to install the Client Side Extensions.
If you don’t have a 2008 domain, you can still disable these options via the registry, click here
If you want to import a Group Policy Object to do this, click here.
Solution
Disable Accessibility via Group Policy
Note: Creating the policy is VERY time consuming and soul destroyingly boring! I’ve pre-written it for you; download this file.
1. Once you have downloaded the file above, extract it to the desktop of your domain controller.
2. Launch the “Group Policy Management Console”.
3. Create a policy, and either link it to the domain or the OU that contains the users you want to enforce the policy on, (Or edit an existing policy).
4. Right click the policy you are working with, and select edit.
5. Right click the policy > Properties > Take note of the policy’s “Unique name”.
6. Now you need to locate the policy itself, click Start > in the search run box type:
[box]\\{your domain name}\sysvol\{your domain and extension}\policies[/box]
e.g. My test domain is domaina.com, so the command I would use is \\domaina\sysvol\domaina.com\policies
7. Once there, locate and open the folder that has the same unique name as the policy you noted down in step 5. Within that folder open the “User” folder. Then from the file you extracted above copy the “Preferences” folder into the “User” folder.
So now your policy will look like:
{CFE1314E-A13B-4E31-9EC5-FD9028D21945} (Yours will have a different name!)
  Machine
  User
    Preferences
      Registry
        Registry.xml
8. That’s you finished. If you want to see what the policy is doing, go back to the Group Policy Management Console > Edit the policy and navigate to:
[box]User Configuration > Preferences > Windows Settings > Registry[/box]
There you will see all the registry keys that this policy resets (and I had to configure, one by one!).
Disable Accessibility via the Registry
1. Download this file containing the registry files, and extract it onto your target machine.
2. Within the extracted files you will find a folder called “Registry Keys”. There are two called AccessibilityOFF and AccessibilityON (as the name suggests, the first disables the settings, and the second reinstates them). Simply double click them to merge them into the registry.
Disable Accessibility via Group Policy
Import the following file and save it with a .adm extension.
[box]
CLASS MACHINE
CLASS USER
CATEGORY "Control Panel"
  CATEGORY "Accessibility Lockdown"
    KEYNAME "Software\Policies\Accessibility"
    POLICY "Automatic Reset"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "TimeoutConfig"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "Flags"
        VALUE "3"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "Flags"
        VALUE "2"
      END ACTIONLISTOFF
      PART "Timeout after idle for" DROPDOWNLIST
        REQUIRED
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "TimeToWait"
        ITEMLIST
          NAME "5 minutes"
          VALUE "300000"
          NAME "10 minutes"
          VALUE "600000"
          NAME "15 minutes"
          VALUE "900000"
          NAME "20 minutes"
          VALUE "1200000"
          NAME "25 minutes"
          VALUE "1500000"
          NAME "30 minutes"
          VALUE "1800000"
        END ITEMLIST
      END PART
    END POLICY
    POLICY "Disable StickyKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "StickyKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\StickyKeys"
        VALUENAME "Flags"
        VALUE "506"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\StickyKeys"
        VALUENAME "Flags"
        VALUE "510"
      END ACTIONLISTOFF
    END POLICY
    POLICY "Disable FilterKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "FilterKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\Keyboard Response"
        VALUENAME "Flags"
        VALUE "122"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\Keyboard Response"
        VALUENAME "Flags"
        VALUE "126"
      END ACTIONLISTOFF
    END POLICY
    POLICY "Disable ToggleKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "ToggleKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\ToggleKeys"
        VALUENAME "Flags"
        VALUE "58"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\ToggleKeys"
        VALUENAME "Flags"
        VALUE "62"
      END ACTIONLISTOFF
    END POLICY
    POLICY "Disable High Contrast (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "HighContrastLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\HighContrast"
        VALUENAME "Flags"
        VALUE "122"
        VALUENAME "Pre-High Contrast Scheme"
        VALUE ""
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\HighContrast"
        VALUENAME "Flags"
        VALUE "126"
      END ACTIONLISTOFF
    END POLICY
    POLICY "Disable MouseKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "MouseKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\MouseKeys"
        VALUENAME "Flags"
        VALUE "58"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\MouseKeys"
        VALUENAME "Flags"
        VALUE "62"
      END ACTIONLISTOFF
    END POLICY
  END CATEGORY
END CATEGORY
[/box]
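To review what a template like this will write to the registry before importing it, the following added example (not part of the original article) parses ADM action lists and reports which Flags bit each policy flips. The sample is constructed: three policies from the template above, condensed to their action lists with the path backslashes restored, and the function names are illustrative. In each "Disable ..." policy the only bit that differs between enabled and disabled is 0x4, the hotkey-active flag (for example SKF_HOTKEYACTIVE in winuser.h), which is cleared when the policy is enabled; "Automatic Reset" instead sets 0x1 (ATF_TIMEOUTON).

```python
import re
# Constructed sample: three policies from the page's template, action lists only.
SAMPLE_ADM = r'''
POLICY "Automatic Reset"
ACTIONLISTON KEYNAME "Control Panel\Accessibility\Timeout" VALUENAME "Flags" VALUE "3" END ACTIONLISTON
ACTIONLISTOFF KEYNAME "Control Panel\Accessibility\Timeout" VALUENAME "Flags" VALUE "2" END ACTIONLISTOFF
END POLICY
POLICY "Disable StickyKeys (including shortcut)"
ACTIONLISTON KEYNAME "Control Panel\Accessibility\StickyKeys" VALUENAME "Flags" VALUE "506" END ACTIONLISTON
ACTIONLISTOFF KEYNAME "Control Panel\Accessibility\StickyKeys" VALUENAME "Flags" VALUE "510" END ACTIONLISTOFF
END POLICY
POLICY "Disable High Contrast (including shortcut)"
ACTIONLISTON KEYNAME "Control Panel\Accessibility\HighContrast" VALUENAME "Flags" VALUE "122"
VALUENAME "Pre-High Contrast Scheme" VALUE "" END ACTIONLISTON
ACTIONLISTOFF KEYNAME "Control Panel\Accessibility\HighContrast" VALUENAME "Flags" VALUE "126" END ACTIONLISTOFF
END POLICY
'''

def parse_action_lists(adm_text):
    """Map policy name -> {"ON"/"OFF": {(key, value_name): data}}."""
    tokens = iter(re.findall(r'"[^"]*"|\S+', adm_text))
    policies, policy, state, key, name = {}, None, None, None, None
    for tok in tokens:
        if tok == "POLICY":
            policy = next(tokens, "").strip('"')
            policies[policy] = {"ON": {}, "OFF": {}}
        elif tok == "END":  # consume the keyword being closed (END POLICY, ...)
            if next(tokens, "").startswith("ACTIONLIST"):
                state = None
        elif tok in ("ACTIONLISTON", "ACTIONLISTOFF"):
            state = tok[len("ACTIONLIST"):]
        elif state and tok == "KEYNAME":
            key = next(tokens, "").strip('"')
        elif state and tok == "VALUENAME":
            name = next(tokens, "").strip('"')
        elif state and tok == "VALUE":  # VALUE outside an action list is ignored
            policies[policy][state][(key, name)] = next(tokens, "").strip('"')
    return policies

def flag_changes(policies):
    """Policy -> (Flags bits that differ between ON and OFF, Flags value when ON)."""
    return {policy: (int(on) ^ int(lists["OFF"][kn]), int(on))
            for policy, lists in policies.items()
            for kn, on in lists["ON"].items()
            if kn[1] == "Flags" and kn in lists["OFF"]}

if __name__ == "__main__":
    for policy, (diff, on) in flag_changes(parse_action_lists(SAMPLE_ADM)).items():
        print(f"{policy}: enabling {'sets' if on & diff else 'clears'} Flags bit 0x{diff:x}")
```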
This was asked on EE the other day, and I’ve been asked it before, so I put it on my list of “Articles to write up”. Windows by default will display all “Enabled” accounts on the welcome screen. In most cases that’s fine, but the poster had installed SQL and all the service accounts were listed.
Solution
Option 1
Updated 09/08/12
Site visitor (Fehlmann Paolo) emailed in to suggest a better method of removing users from the logon screen. Essentially this removes ALL the local accounts from the login screen and only leaves the username and password option.
1. Here’s my test machine setup with multiple local accounts.
2. Log on as a user with administrative access > Start > In the Search/Run box type regedit {enter} > Navigate to the following key:
[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System[/box]
Locate the ‘dontdisplaylastusername’ DWORD and change its value to 1 (number one).
3. Now you will get the following.
Option 2
1. Log on as a user with administrative rights and launch the registry editor.
4. Right click the SpecialAccounts key, and create a new key.
5. Call this one UserList.
6. In the right hand window, right click and create a new DWORD (32 bit) value.
7. Create a value for each account you want to hide. By default its value will be 0 (zero). To stop hiding an account (if you require this in the future), you can delete the DWORD or change its value to 1 (one).
Note: You CAN create a value for Administrator and hide that in this way, however it’s considered “Good Practice” to have the local administrators account disabled, so that’s what I’m going to do.
8. Right click Computer and select Manage.
9. Navigate to “Local Users and Groups” > Users > Administrator > Right click > Properties.
10. Set “Account is disabled” > Apply > OK.
11. Now we have a much cleaner welcome screen.