-1

I want to allow users to log onto Windows using stored credentials, not requiring them to type their login information.

I've read that the way to do this on a specific computer is to run "netplwiz" and uncheck "Users must enter a user name and password to use this computer" in the "User Accounts" dialog.

However, this option is not available on my computer so I assume it's part of group policy or something. Do I in fact need to change a setting on the server to allow this, or is there something I missed on the specific computer?

Jonathan Mee
  • 121
  • 1
  • 8
  • 1
    This isn't available or possible on domain joined machines. – joeqwerty Mar 18 '16 at 20:28
  • @joeqwerty All my domain computers except this one that I just added to the domain are already automatically logging. Notably all the users have a password as well. – Jonathan Mee Mar 18 '16 at 20:36
  • 1
    They may be using an automatic logon Registry hack. That isn't the same thing as what you're asking. Domain users **must** provide a username and password to logon to the domain. The Registry hack merely provides that information. It's not possible to logon to the domain without providing valid credentials. – joeqwerty Mar 18 '16 at 20:44
  • Yeah, I think that you're right. I just haven't been able to figure out how to set the registry thing up. – Jonathan Mee Mar 21 '16 at 10:59
  • @joeqwerty I dug around, and you were correct: The other machines were starting because of registry settings. It just took me a bit to find the necessary registry edits to start this up. – Jonathan Mee Mar 21 '16 at 16:30

2 Answers2

1

This can be accomplished but like any auto login it requires including a user name and password, unencrypted, in the Windows Registry.

  1. Open regedit: Press Windows + r and then enter "regedit" into the "Run" dialog
  2. Navigate to: "HKEY_LOCAL_MACHINE" > "SOFTWARE" > "Microsoft" > "Windows NT" > "CurrentVersion" > "Winlogon"
  3. Change AutoAdminLogon to 1
  4. Change DefaultUserName to the user name without domain to be logged onto
  5. Change DefaultPassword to this user's password
  6. Change DefaultDomainName to the domain this user should log onto

In general this is going to be an undesirable setting as it starts the system in an unlocked state and perhaps more importantly the default users password can be obtained using regedit.

Caution aside, it can be very useful to have domain machines who's restart can be automated, without requiring a user at the keyboard to log back in.

Jonathan Mee
  • 121
  • 1
  • 8
1

A slightly less bad way to do this is using the Sysinternals Autologon utility. Rather than storing the credentials in cleartext in a portion of the registry that is readable by all users by default, it stores them "encrypted" in the LSA Secrets portion of the registry.

"encrypted" is in quotes because the password can still be decrypted by anyone with Admin privs on the box. So again, not truly secure, but more secure than the more common Winlogon way.

More details on the how it uses LSA Secrets can be found in this blog post.

Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
  • Before I chase this, can you confirm that this is possible on domain joined machines? [@joeqwerty seemed to think this isn't possible](http://serverfault.com/questions/764683/password-logon-requirements/765147#comment962718_764683) – Jonathan Mee Mar 21 '16 at 18:22
  • It's working on the Windows 7 domain joined machine sitting next to me at the moment. Though it's likely possible to prevent it from working with a group policy setting if the domain admins choose to do so. Make sure to use the appropriate domain value in the UI (or the machine's netbios name if a local account). – Ryan Bolger Mar 21 '16 at 20:12
  • I like it. I'm not trying to circumvent group policy, I want to be able to automate startup, and this allows that, so it's a great solution for me. – Jonathan Mee Mar 22 '16 at 10:57
  • 1
    It should be noted that if the password changes on the account you're automatically logging in with, you'll need to run it again to update the stored password as well. – Ryan Bolger Mar 22 '16 at 17:38
  • Sure cause we're talking about storing the username and password in the registry, so it's intuitively obvious that that will also need to be updated. – Jonathan Mee Mar 22 '16 at 18:02