Normally when a Windows workstation or server is locked, you’ll see something similar to the following Windows Security message:
This computer is in use and has been locked.
Only DOMAIN\USER (user name) or an administrator can unlock this computer.
To hide the name of the user who has locked a computer, define the following setting in a workstation-level GPO:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked.
There are three choices if you enable this policy:
- User display name, domain and user names (default setting)
- User display name only
- Do not display user information
Besides being able to apply this to Active Directory GPOs, this setting appears in the local security policy on my Windows XP SP3 VM. The setting is not available on my XP SP2 laptop, but I see from KB837022 there is a hotfix that corrects this problem in XP SP2.
Alternatively, the following DWORD can be created in the registry of XP SP2, Windows Vista, and Windows Server 2008 machines to accomplish the same thing:
- User display name, domain and user names = 1
- User display name only = 2
- Do not display user information = 3
You need to restart the machine for the change to take effect.
You may also be interested in a related setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name. This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.
If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to log on is displayed.