Keep a User From Showing Up on Windows 2008 Login Screen

This is one of those things I’ve done a few times but infrequently enough that I can never remember how to do it. I have some users set up to run local services, like a web server. I don’t want those users to be able to log in to the machine at all. Not locally from the keyboard, or over the network, or by remote desktop.

There are some sites offering really bad advice to add an entry to the registry to accomplish this. To be fair most people are asking the question in the form of, “How do I keep a user from showing up on the login/welcome screen.” Even there though there is a better, less hacky, answer. Local Security Policy.

  1.  Start Menu >> Administrative Tools >> Local Security Policy.
  2. In the left pane click on Local Policies >> User Rights Assignment.
  3. Find the policy in the right pane called “Deny log on locally.”
  4. Double click it and add the user in question to the dialog box.
  5. If you only want this user to “log on” when NT Services launches the service you created it for, do the same for the policies “Deny log on through Remote Desktop Service” (it might say Terminal Services) and “Deny access to this computer from the network.”



Leave a Reply

Your email address will not be published. Required fields are marked *