Working on a Windows 10 Home installation recently, I noticed that the primary user was an administrator. For best security, I prefer to have users work as non-admins, then have a second admin user for use when necessary.
(I’m writing this up from memory, but I think this is the sequence of events.) I added a second user with admin privileges, then removed admin privileges from the first user, so something like this:
net user /add AdminUser * [and provide a password]
net localgroup Administrators AdminUser /add
net localgroup Administrators MainUser /delete
The strange this was that once I did this, the MainUser no longer showed up on the logon screen. Fortunately, I had access to another administrative user, so I was able to investigate some interesting registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"AutoLogonSID"="S-1-5-21-2610437612-784014273-582484255"
I thought it was interesting that the AutoLoginSID wasn’t actually a complete SID—it’s missing “-1001”. I thought at first that the user had auto-login set up, but she did not.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"dontdisplaylastusername"=dword:00000000
This can be used to force the user to type a name, rather than choose from a list, but that’s not what we want.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2610437612-784014273-582484255-1001
"ProfileImagePath"="C:\Users\MainUser"
Okay that confirms the the SID ending in “-1001” belongs to the main user.
HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\StoredIdentities\[email protected]
This is where you can find the linked Microsoft accounts. I’m not sure if this was used as the primary login at startup, but it is linked to the MainUser login.
I went through lots of permutations trying to get MainUser to re-appear on the login screen. In the end, I decided I’ll just have to re-add MainUser to the Administrators group, so I typed:
net localgroup Administrators MainUser /add
To my surprise and chagrin, that failed with the message, “The specified user does not exist”. What? I can type net user MainUser and see that it does exist.
Finally I came across the PowerShell commands for managing users. This command also failed:
Add-LocalGroupMember -Group "Administrators" –Member "MainUser"
Fortunately, adding by SID worked:
Add-LocalGroupMember -Group "Administrators" -Member "S-1-5-21-2610437612-784014273-582484255-1001"
After that, MainUser re-appeared on the list of users on the login screen.
Something is different about MainUser. Two questions as yet unanswered:
- Why won’t a non-admin user appear on the login screen?
- Why couldn’t I add the user back by name?