I would appreciate anyone’s comments on this. I was having issues in increasing the security of logons without exposing an admin account, or hiding it entirely from myself.
If you are using an admin user account to log on to Win 7, and want to increase your security, try these steps:
1. First, add a COMMAND.COM shortcut to your Start Menu. You will be able to right click|“Run as Administrator” in later steps and for other tasks.
2. Go to this website (thanks, Windows Secrets!) to turn Ctrl-Alt-Del at logon on or off. Turn it on to increase security:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308226
3. Create a new user account with a new password having admin privileges. Give it a name such as your normal logon with “Admin” added to the end.
4. Reboot (a must) to implement this very basic, new admin account. It will include IE, and you need not bother with adding any other applications if you will use it mostly for computer management.
5. Your logon screen will now have both your old admin account and your new admin account. Log on to the new account to make sure it is OK. This is important, because you are about to eliminate the admin privileges on your old user account and you could lock yourself out of your own computer if the new account has a glitch!
6. Go to Control Panel/Users and change your old account type from Administrative to Standard. Reboot.
7. Now you will have your original account (no longer with admin privileges) and your new admin account to choose from at logon. However, if you are like many people, you do not want everyone to see that this new admin account exists, let alone its name. You still want it available for UAC elevation, however, so you cannot go to Control Panel|Users and “hide” it. What to do?
8. For now, log on using your admin account, run regedit, and go EDIT|FIND, entering “dontdisplaylastusername”. When found, double click on it and change its value from “0” to “1”.
9. Reboot and log on using your regular account. Try to delete or change something requiring admin privileges – it should open a dialogue showing your admin username and require its password. So far so good, but…
10. If you try to change users or log off and then log on to your admin user account, you will now get a “the user name or password is incorrect” message. What to do now?
11. When you need to do actual work as an admin (as opposed to simply elevating to admin for UAC purposes), then do the next step.
12. From your regular logon account, go to Start|Windows Command Processor (from Step 1), right click and “Run as an administrator”. Go EDIT|Find and enter “dontdisplaylastusername”. When found, double click and change the value from “1” back to “0”.
13. You can now log on to your admin account and resize partitions or do other tasks requiring admin privileges.
14. When done, reverse the value back again.
Note: This takes much longer to write up than it does to set up. By doing this, I now have the best of all worlds in Win 7 Home Premium 64 bit. I have the security of the old Windows NT CTRL-ALT-DEL logon, I no longer log on as an administrator to do non-administrative work, I still have UAC invoked and working as a Standard User, and I do not have my new admin user account visible at logon. The small price I pay for this is having to type in my user name and password at logon, having to make one small registry change at the outset, and then again only when I need to reverse it.
None of the above should be confused with Win 7’s built-in System Admin Account. Leave that untouched.
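
The registry change from steps 8, 12 and 14 as a script, with the lockout check from step 5 built in. This is an added example, not part of the original post. It assumes the value sits under the standard policy key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (the post gives only the value name), and the script and function names are hypothetical.

```powershell
# Added example (not from the original post); script and function names are hypothetical.
# Usage from an elevated prompt:  .\Set-LogonNameVisibility.ps1 Hide   (or Show, or Status)
param([string]$Mode = 'Status')

# Assumption: the standard policy key holding the value named in steps 8 and 12.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'dontdisplaylastusername'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LogonNamePolicy {
    # A missing value is reported here as 0 (user names shown at logon).
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$name } else { 0 }
}

function Get-EnabledLocalAdmins {
    # S-1-5-32-544 is the built-in Administrators group, whatever its localized name.
    $group = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    if (-not $group) { return }
    $group.GetRelated('Win32_UserAccount') | Where-Object { -not $_.Disabled } |
        ForEach-Object { $_.Name }
}

switch ($Mode) {
    'Status' { "{0} = {1}" -f $name, (Get-LogonNamePolicy) }
    { $_ -eq 'Hide' -or $_ -eq 'Show' } {
        if (-not (Test-Elevated)) { throw 'Run this from an elevated prompt.' }
        # Step 5's lockout check: list the usable admin accounts before changing logon behaviour.
        $admins = @(Get-EnabledLocalAdmins)
        if ($admins.Count -eq 0) { throw 'No enabled local administrator found; nothing changed.' }
        "Enabled local administrators: $($admins -join ', ')"
        $value = if ($Mode -eq 'Hide') { 1 } else { 0 }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null
        "{0} is now {1}" -f $name, (Get-LogonNamePolicy)
    }
    default { throw "Unknown mode '$Mode' (use Hide, Show or Status)." }
}
```

The default execution policy on Windows 7 blocks unsigned scripts, so a single run can be started with `powershell -ExecutionPolicy Bypass -File` followed by the script path and mode.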