Sunday, September 13, 2015

How to hide a userid from Windows login screen

With DB2 on my home PC[1] I have a service account for the DB2 instance, makes life a lot easier than trying to map it to you actual user(s).

However, regular Windows (Home) setup has 2 defaults that are annoying:
a. password and account expiry for this user.
b. the userid appears on the Windows login/lock screen, although nobody is supposed to sign in with it.

Create a maintenance free user
The first issue I fixed a couple of month ago, because that was really annoying. Because DB2 just would not start. And the first two times this happened I had to work through db2diag.log to find out what happened.
So, make sure the account actually never expires (that's separate from the password). With admin privileges run
  net user db2admin [2]
to check if the user account expires.
If it does, then run a
  net user db2admin /expires:never
to fix this.

The password expiration is trickier, since it cannot be done with the net user command.
To make the password everlasting, run
  WMIC USERACCOUNT WHERE "Name='db2admin'" SET PasswordExpires=FALSE

I found this thanks to the folks at StackExchange.

Hide the service account from the login screen
I wanted to do this on Windows 7 already, but never found the time or cared enough. Now with the move to Window 10 I thought of it again and fixed it.
So this can be done with group policies and stuff, but not on a standalone Windows Home edition.

Registry and Microsoft Technet to the rescue:

Create an entry under
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList and list the db2admin user with a dword (32) of 0 to hide it. Remove the entry or set it to 1 to show the user again.


[1] Ha, now that I no longer work for Oracle, I can again freely admit it... Not that I really held back on this in the past 5 years.
[2] replace db2admin with the userid you need this for

No comments: