
Interactive logon: Display user information when the session is locked

Normally, when someone is interactively logged on to the computer (at the console) and their session is locked, the lock screen shows their account logon name, their account display name and their domain name to anyone who walks up to the console. Remember that every user account has both a logon name and a display name, such as rsmith vs. Randy Smith. Logon names are half of a credential pair: an intruder who can read them off locked screens no longer has to guess them before attempting password guessing or spraying. If you consider logon names confidential and want to minimize their exposure to anyone with physical access, configure this setting together with "Interactive logon: Do not display last user name" (which controls the logon screen after a logoff rather than the lock screen). When defined, this setting offers three options:

  • “User display name, domain, and user names”

This is the default. All information is displayed so that anyone physically present can determine who is currently logged on and has the console locked.

  • “User display name”

This allows the system to show the display name of the user but not the domain or the account logon name. This option is a compromise: it withholds the logon name while still making it convenient to see who currently has the console locked. Of course, depending on your naming conventions (for example, first initial plus surname), it may be trivial to derive the logon name from the display name, in which case this option gives little real protection.

In testing, some versions of Windows do not display the user account display name at all under this option, which makes it behave the same as "Do not display user information". Verify the actual lock-screen behavior on each Windows version you deploy rather than assuming the display name will appear.

  • “Do not display user information”

This prevents the system from showing any information about the currently logged-on user. It protects the logon name fully, but it makes it difficult for anyone who approaches the console to determine who has it locked (they must find the user by other means before the session can be unlocked or the user logged off).

Note: Like all "Interactive logon:" policies, this policy is a workstation-level policy. It takes effect on the computer where the lock screen is displayed, so it must be defined in a GPO that applies to the workstations themselves, such as Default Domain Policy or a GPO linked to the workstations' OU. If you configure this policy only on the domain controllers, for example in Default Domain Controllers Policy, you will only affect users logging on at the console of a domain controller. You should also configure this policy on Terminal Servers accessible to end users, since a disconnected or locked remote session exposes the same information.
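The following PowerShell script is an added example and is not part of the WinSecWiki page. It audits and optionally sets this policy and the related "Do not display last user name" policy on the local machine by reading and writing the registry values the two policies are stored in (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, values DontDisplayLockedUserId and DontDisplayLastUserName). The function and parameter names are the example's own; the value-to-option mapping (1, 2, 3 for the three options above) is the one Windows uses.

```powershell
# Added example (not from the WinSecWiki page): audit, and with -Harden set,
# the lock-screen user information policy on the local computer. Run elevated.
# On a domain-joined machine a GPO that defines the policy rewrites these values
# at the next policy refresh, so treat a manual change as a test or as a
# standalone-machine fix, not as a substitute for the GPO setting.
param(
    [switch]$Harden,                                  # apply instead of only report
    [ValidateSet(1, 2, 3)][int]$LockedSessionValue = 3, # 1 = all info, 2 = display name only, 3 = nothing
    [switch]$HideLastUserName                         # also set "Do not display last user name"
)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of DontDisplayLockedUserId values, matching the three policy options.
$LockedUserIdMeaning = @{
    1 = 'User display name, domain, and user names'
    2 = 'User display name'
    3 = 'Do not display user information'
}

function Get-LockScreenUserInfoPolicy {
    # Reads both values; a missing value means "Not defined", which Windows
    # treats as the default (all information displayed).
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $locked = $props.DontDisplayLockedUserId
    $last   = $props.DontDisplayLastUserName

    $lockedText = if ($null -eq $locked) {
        'Not defined (defaults to: User display name, domain, and user names)'
    } elseif ($LockedUserIdMeaning.ContainsKey([int]$locked)) {
        $LockedUserIdMeaning[[int]$locked]
    } else {
        "Unrecognised value $locked"
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        DontDisplayLockedUserId = $locked
        LockedSessionDisplay    = $lockedText
        DontDisplayLastUserName = $last
        LastUserNameHidden      = ($last -eq 1)
        LogonNameExposed        = ($null -eq $locked -or [int]$locked -eq 1)
    }
}

function Set-LockScreenUserInfoPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$Value,
        [switch]$AlsoHideLastUserName
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name DontDisplayLockedUserId -Value $Value -Type DWord
    if ($AlsoHideLastUserName) {
        Set-ItemProperty -Path $PolicyKey -Name DontDisplayLastUserName -Value 1 -Type DWord
    }
    # Return the new state so the caller can confirm the change took effect.
    Get-LockScreenUserInfoPolicy
}

if ($Harden) {
    Set-LockScreenUserInfoPolicy -Value $LockedSessionValue -AlsoHideLastUserName:$HideLastUserName | Format-List
} else {
    Get-LockScreenUserInfoPolicy | Format-List
}
```

Run the script without switches to report the effective state (the Policies\System values reflect whatever GPO last applied, so this is a useful fleet audit when pushed through a remoting or management tool), and with `-Harden -HideLastUserName` to apply "Do not display user information" together with "Do not display last user name" on a standalone machine. Lock the session afterwards (Win+L) to confirm the lock screen shows what you expect on that Windows version.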

Bottom line

If you are worried about people with physical access to this computer harvesting logon names for later attacks, configure this setting as "User display name" or "Do not display user information", and pair it with "Interactive logon: Do not display last user name" so the logon screen does not leak the same information after a logoff. If logon names are effectively public anyway (for example, because they match e-mail addresses or follow an obvious naming convention), there is little to gain from this setting; it only inconveniences the user returning to the computer and anyone who needs to determine who has it locked.

