I am trying to use ZCM 11 Group Policy management to do two things. 1). Turn off the Windows 7 switch user feature that exists in the start menu and at the initial logon screen, and 2). Add a policy statement graphic to the initial logon screen in Windows 7.

Feature 1 above is done by changing 'Hide entry points for 'Fast User Switching' in Computer Configuration=>Administrative Templates=>System=>Logon. But in order to get rid of the 'Switch User' button on the initial logon screen you also have to enable 'Interactive logon: Do not display last user name' in Computer Configuration=>Windows Settings=>Security Settings=>Local Policies=>Security Options and we only want this enabled for students. There are only two options for this setting - 'enabled' and 'disabled'.

Feature 2, adding a graphic to the initial logon screen, is turned on by enabling 'Always use custom logon background' in Computer Configuration=>Administrative Templates=>System=>Logon and creating a custom bmp file placed in C:\Windows\System32\oobe\info\.

Because the 'Interactive logon: Do not display last user name' setting only has enable/disable options (the default is disable) and because user associated settings overwrite workstation associations Im using two policies, one workstation and one user as inidcated below:

User GPO :

  • Enable 'Interactive logon: Do not display last user name' in Computer Configuration=>Windows Settings=>Security Settings=>Local Policies=>Security Options

NOTE: This allows me to differentiate between student and staff users.

Workstation GPO:

  • Enable 'Hide entry points for 'Fast User Switching' in Computer Configuration=>Administrative Templates=>System=>Logon


  • Enable 'Always use custom logon background' in Computer Configuration=>Administrative Templates=>System=>Logon


Bundle:

  • Deploys the bmp file to C:\Windows\System32\oobe\info\.


Unfortunately, this setup only works as intended when the user is set up with a volatile DLU policy. When the user associated DLU is non-volatile it doesnt display the graphic and it does not remove the switch user button on the main logon screen. If I logon/logoff as a non-volatile user I get the generic Windows 7 logon page with the switch user button visible, when I logon/logoff as a volatile user I get the custom graphic logon page without the switch user button. Whats even stranger is that when I go into gpedit.msc and look at the settings after I log in, theyre correct for each type of user.

Does anyone have any insight on why I might be seeing this problem?

Ive tried to be complete as possible describing the problem but if didnt describe something correctly or someone needs additional info, please let me know.

Thanks for any assistance.

Dan