"User name" on Change Password dialogue

[Guest]

Is there a way to clear (set to a blank value) the "User name" field on the
"Change Password" dialogue window?

Specifically, when a user presses Ctrl-Alt-Del and clicks "Change Password",
the "User name" field is populated with the name of the currently logged on
user. I would like for the value to be blank instead, so that the user has
to type in his/her user name.

The reason that I want to do this is that we have workstations that are
shared by multiple users simultaneously and the workstations are logged into
Windows using AutoAdminLogin. The applications that the individual users use
on these workstations, however, require them to provide their Windows user
name / pw for authorization via security API calls such as LogonUser. In
order for them to change their passwords, they must press Ctrl-Alt-Del and
select Change Password. At this point, though, the autologin user name is
displayed. I would prefer this not to be displayed to avoid someone
acquiring the password to the auto login account and changing it (thus
locking out other AutoAdminLogin computers and probably causing the auto
login account to become locked out).

 

[Colin Nash [MVP]]

Is there a way to clear (set to a blank value) the "User name" field on
the
"Change Password" dialogue window?

Specifically, when a user presses Ctrl-Alt-Del and clicks "Change
Password",
the "User name" field is populated with the name of the currently logged
on
user. I would like for the value to be blank instead, so that the user
has
to type in his/her user name.

The reason that I want to do this is that we have workstations that are
shared by multiple users simultaneously and the workstations are logged
into
Windows using AutoAdminLogin. The applications that the individual users
use
on these workstations, however, require them to provide their Windows user
name / pw for authorization via security API calls such as LogonUser. In
order for them to change their passwords, they must press Ctrl-Alt-Del and
select Change Password. At this point, though, the autologin user name is
displayed. I would prefer this not to be displayed to avoid someone
acquiring the password to the auto login account and changing it (thus
locking out other AutoAdminLogin computers and probably causing the auto
login account to become locked out).

Why not just set "user cannot change password" flag on the autologin account
that everyone uses? The name and password for AutoAdminLogin is stored in
plain text in the registry, and can be output by several methods even if you
lock out access to regedit via policy, so as far as security goes you should
assume that the users know it.

 

[Guest]

Why not just set "user cannot change password" flag on the autologin account
that everyone uses? The name and password for AutoAdminLogin is stored in
plain text in the registry, and can be output by several methods even if you
lock out access to regedit via policy, so as far as security goes you should
assume that the users know it.

I want the users of the workstation to be able to get to the Change Password
dialogue so that they can change their individual passwords. If I set the
"user cannot change password" flag then the dialogue is not even accessible.
All I want to do is change the default value in the "User name" field so that
they don't carelessly keep banging on the auto login account when they are
really trying to change their own password.

For example, the way it works now is:
1) Workstation auto logs in as "Autouser"
2) "User1" starts App1 and provides his Windows user/password to App1 for
authorization.
3) "User2" signs "User1" out of App1 and provides his Windows user/password
to App1 for authorization.
4) "User1" decides to change his password, so he presses Ctrl-Alt-Del and
clicks the Change Password button. At that point, the Change Password
dialogue has the value "Autouser" in the "User name" field.
5) "User1" clicks on the "User name" field and replaces the value "Autouser"
with the value "User1", then proceeds to change his own password.

If "User1" does not do step 5 correctly, he is inadvertently trying to
change the "Autouser" password, or if he has obtained the password then he
can change the "Autouser" password. If I could simply clear the user field
we can avoid a lot of confusion.

 

[Colin Nash [MVP]]

If I set the

"user cannot change password" flag then the dialogue is not even
accessible.
All I want to do is change the default value in the "User name" field so
that
they don't carelessly keep banging on the auto login account when they are
really trying to change their own password.

For example, the way it works now is:
1) Workstation auto logs in as "Autouser"
2) "User1" starts App1 and provides his Windows user/password to App1 for
authorization.
3) "User2" signs "User1" out of App1 and provides his Windows
user/password
to App1 for authorization.
4) "User1" decides to change his password, so he presses Ctrl-Alt-Del and
clicks the Change Password button. At that point, the Change Password
dialogue has the value "Autouser" in the "User name" field.
5) "User1" clicks on the "User name" field and replaces the value
"Autouser"
with the value "User1", then proceeds to change his own password.

I understand what you are trying to do, but I don't know of a way to clear
that field (maybe someone else does??)

However, my experience with the "user cannot change password" flag is that
the dialog is still accessible. It gives the user an error when you he
tries to change the account's password, but it is still available. There
is a policy setting you can set that will grey this option out in the
CTRL-ALT-DEL screen, but that's not why I'm suggesting here. Anyway, I was
thinking that might be an OK workaround for you.

 

[Guest]

If I set the


I understand what you are trying to do, but I don't know of a way to clear
that field (maybe someone else does??)

However, my experience with the "user cannot change password" flag is that
the dialog is still accessible. It gives the user an error when you he
tries to change the account's password, but it is still available. There
is a policy setting you can set that will grey this option out in the
CTRL-ALT-DEL screen, but that's not why I'm suggesting here. Anyway, I was
thinking that might be an OK workaround for you.

You may be right on the user setting; I didn't remember it working that way
but what you're saying makes sense. I'll test to verify.

I'm pretty sure there's no way to do what I want but it would be a nice
feature.

Thanks for the feedback...