"User name" on Change Password dialogue

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Is there a way to clear (set to a blank value) the "User name" field on the
"Change Password" dialogue window?

Specifically, when a user presses Ctrl-Alt-Del and clicks "Change Password",
the "User name" field is populated with the name of the currently logged on
user. I would like for the value to be blank instead, so that the user has
to type in his/her user name.

The reason that I want to do this is that we have workstations that are
shared by multiple users simultaneously and the workstations are logged into
Windows using AutoAdminLogin. The applications that the individual users use
on these workstations, however, require them to provide their Windows user
name / pw for authorization via security API calls such as LogonUser. In
order for them to change their passwords, they must press Ctrl-Alt-Del and
select Change Password. At this point, though, the autologin user name is
displayed. I would prefer this not to be displayed to avoid someone
acquiring the password to the auto login account and changing it (thus
locking out other AutoAdminLogin computers and probably causing the auto
login account to become locked out).

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"CarolinaKB" <CarolinaKB@discussions.microsoft.com> wrote in message
news:46939309-C1C1-4D9F-B0F8-D9633ED02769@microsoft.com...
> Is there a way to clear (set to a blank value) the "User name" field on
> the
> "Change Password" dialogue window?
>
> Specifically, when a user presses Ctrl-Alt-Del and clicks "Change
> Password",
> the "User name" field is populated with the name of the currently logged
> on
> user. I would like for the value to be blank instead, so that the user
> has
> to type in his/her user name.
>
> The reason that I want to do this is that we have workstations that are
> shared by multiple users simultaneously and the workstations are logged
> into
> Windows using AutoAdminLogin. The applications that the individual users
> use
> on these workstations, however, require them to provide their Windows user
> name / pw for authorization via security API calls such as LogonUser. In
> order for them to change their passwords, they must press Ctrl-Alt-Del and
> select Change Password. At this point, though, the autologin user name is
> displayed. I would prefer this not to be displayed to avoid someone
> acquiring the password to the auto login account and changing it (thus
> locking out other AutoAdminLogin computers and probably causing the auto
> login account to become locked out).

Why not just set "user cannot change password" flag on the autologin account
that everyone uses? The name and password for AutoAdminLogin is stored in
plain text in the registry, and can be output by several methods even if you
lock out access to regedit via policy, so as far as security goes you should
assume that the users know it.


--
Colin Nash
Microsoft MVP
Windows Shell/User

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Colin Nash [MVP]" wrote:

>
> "CarolinaKB" <CarolinaKB@discussions.microsoft.com> wrote in message
> news:46939309-C1C1-4D9F-B0F8-D9633ED02769@microsoft.com...
> > Is there a way to clear (set to a blank value) the "User name" field on
> > the
> > "Change Password" dialogue window?
> >
> > Specifically, when a user presses Ctrl-Alt-Del and clicks "Change
> > Password",
> > the "User name" field is populated with the name of the currently logged
> > on
> > user. I would like for the value to be blank instead, so that the user
> > has
> > to type in his/her user name.
> >
> > The reason that I want to do this is that we have workstations that are
> > shared by multiple users simultaneously and the workstations are logged
> > into
> > Windows using AutoAdminLogin. The applications that the individual users
> > use
> > on these workstations, however, require them to provide their Windows user
> > name / pw for authorization via security API calls such as LogonUser. In
> > order for them to change their passwords, they must press Ctrl-Alt-Del and
> > select Change Password. At this point, though, the autologin user name is
> > displayed. I would prefer this not to be displayed to avoid someone
> > acquiring the password to the auto login account and changing it (thus
> > locking out other AutoAdminLogin computers and probably causing the auto
> > login account to become locked out).
>
> Why not just set "user cannot change password" flag on the autologin account
> that everyone uses? The name and password for AutoAdminLogin is stored in
> plain text in the registry, and can be output by several methods even if you
> lock out access to regedit via policy, so as far as security goes you should
> assume that the users know it.
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User
>
>

I want the users of the workstation to be able to get to the Change Password
dialogue so that they can change their individual passwords. If I set the
"user cannot change password" flag then the dialogue is not even accessible.
All I want to do is change the default value in the "User name" field so that
they don't carelessly keep banging on the auto login account when they are
really trying to change their own password.

For example, the way it works now is:
1) Workstation auto logs in as "Autouser"
2) "User1" starts App1 and provides his Windows user/password to App1 for
authorization.
3) "User2" signs "User1" out of App1 and provides his Windows user/password
to App1 for authorization.
4) "User1" decides to change his password, so he presses Ctrl-Alt-Del and
clicks the Change Password button. At that point, the Change Password
dialogue has the value "Autouser" in the "User name" field.
5) "User1" clicks on the "User name" field and replaces the value "Autouser"
with the value "User1", then proceeds to change his own password.

If "User1" does not do step 5 correctly, he is inadvertently trying to
change the "Autouser" password, or if he has obtained the password then he
can change the "Autouser" password. If I could simply clear the user field
we can avoid a lot of confusion.

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

If I set the
> "user cannot change password" flag then the dialogue is not even
> accessible.
> All I want to do is change the default value in the "User name" field so
> that
> they don't carelessly keep banging on the auto login account when they are
> really trying to change their own password.
>
> For example, the way it works now is:
> 1) Workstation auto logs in as "Autouser"
> 2) "User1" starts App1 and provides his Windows user/password to App1 for
> authorization.
> 3) "User2" signs "User1" out of App1 and provides his Windows
> user/password
> to App1 for authorization.
> 4) "User1" decides to change his password, so he presses Ctrl-Alt-Del and
> clicks the Change Password button. At that point, the Change Password
> dialogue has the value "Autouser" in the "User name" field.
> 5) "User1" clicks on the "User name" field and replaces the value
> "Autouser"
> with the value "User1", then proceeds to change his own password.
>


I understand what you are trying to do, but I don't know of a way to clear
that field (maybe someone else does??)

However, my experience with the "user cannot change password" flag is that
the dialog is still accessible. It gives the user an error when you he
tries to change the account's password, but it is still available. There
is a policy setting you can set that will grey this option out in the
CTRL-ALT-DEL screen, but that's not why I'm suggesting here. Anyway, I was
thinking that might be an OK workaround for you.


--
Colin Nash
Microsoft MVP
Windows Shell/User

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Colin Nash [MVP]" wrote:

> If I set the
> > "user cannot change password" flag then the dialogue is not even
> > accessible.
> > All I want to do is change the default value in the "User name" field so
> > that
> > they don't carelessly keep banging on the auto login account when they are
> > really trying to change their own password.
> >
> > For example, the way it works now is:
> > 1) Workstation auto logs in as "Autouser"
> > 2) "User1" starts App1 and provides his Windows user/password to App1 for
> > authorization.
> > 3) "User2" signs "User1" out of App1 and provides his Windows
> > user/password
> > to App1 for authorization.
> > 4) "User1" decides to change his password, so he presses Ctrl-Alt-Del and
> > clicks the Change Password button. At that point, the Change Password
> > dialogue has the value "Autouser" in the "User name" field.
> > 5) "User1" clicks on the "User name" field and replaces the value
> > "Autouser"
> > with the value "User1", then proceeds to change his own password.
> >
>
>
> I understand what you are trying to do, but I don't know of a way to clear
> that field (maybe someone else does??)
>
> However, my experience with the "user cannot change password" flag is that
> the dialog is still accessible. It gives the user an error when you he
> tries to change the account's password, but it is still available. There
> is a policy setting you can set that will grey this option out in the
> CTRL-ALT-DEL screen, but that's not why I'm suggesting here. Anyway, I was
> thinking that might be an OK workaround for you.
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User
>
>
>

You may be right on the user setting; I didn't remember it working that way
but what you're saying makes sense. I'll test to verify.

I'm pretty sure there's no way to do what I want but it would be a nice
feature.

Thanks for the feedback...