
Interactive logon: Don't display last signed-in

As a convenience, when you attempt to log on, Windows normally fills in the user name field with the logon name of the last user to log on to the system. If you consider logon names confidential and wish to minimize their exposure to intruders trying to collect target logon names, you can enable this setting as well as “Interactive logon: Display user information when the session is locked”.

Note: Like all “Interactive logon:” policies, this policy is a workstation-level policy. It needs to be defined in a GPO that gets applied to workstations, such as Default Domain Policy. If you configure this policy only on the domain controllers, such as with Default Domain Controllers Policy, you will only affect users logging on at the console of a domain controller. You should also configure this policy on Terminal Servers accessible to end users.
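One way to confirm that the GPO actually reached a given workstation or Terminal Server is to read the effective values on that machine. The script below is an added example, not part of the original page. It assumes the two policies are stored as the `DontDisplayLastUserName` and `DontDisplayLockedUserId` values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; the function name `Test-LogonNameExposure` is hypothetical.

```powershell
# Added example: report whether the logon and lock screens reveal user names.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-LogonNameExposure {
    param(
        # Optional hashtable of value name -> data, for offline checks.
        # When omitted, the live registry of the local machine is read.
        [hashtable]$Values
    )
    if (-not $PSBoundParameters.ContainsKey('Values')) {
        $Values = @{}
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        foreach ($name in 'DontDisplayLastUserName', 'DontDisplayLockedUserId') {
            if ($item -and $null -ne $item.$name) { $Values[$name] = $item.$name }
        }
    }

    $findings = @()
    # 1 = "Don't display last signed-in" is enabled; missing or 0 = name is shown.
    if ($Values['DontDisplayLastUserName'] -ne 1) {
        $findings += 'Logon screen pre-fills the last signed-in user name'
    }
    # 3 = "Do not display user information"; any other value (or none)
    # leaves some user information visible on the lock screen.
    if ($Values['DontDisplayLockedUserId'] -ne 3) {
        $findings += 'Lock screen displays user information'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# Live check of the machine this runs on.
Test-LogonNameExposure

# Constructed sample: only the first policy applied, lock screen still exposed.
Test-LogonNameExposure -Values @{ DontDisplayLastUserName = 1 }
```

A machine that reports `Compliant = False` after a policy refresh is usually outside the scope of the GPO that carries the setting, which is the situation the note above describes.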

Bottom line

If you are worried about people with physical access to this computer gaining logon names for possible attacks, enable this setting. If you think people can probably work out logon names anyway, don’t worry about configuring this setting; it just causes inconvenience for the user who owns the computer.
