A proper way to create non-interactive accounts?

In order to use password-protected file sharing in a basic home network I want to create a number of non-interactive user accounts on a Windows 8 Pro machine in addition to the existing set of interactive accounts. The users that corresponds to those extra accounts will not use this machine interactively, so I don't want their accounts to be available for logon and I don't want their names to appear on welcome screen.

In older versions of Windows Pro (up to Windows 7) I did this by first creating the accounts as members of "Users" group, and then including them into "Deny logon locally" list in Local Security Policy settings. This always had the desired effect. However, my question is whether this is the right/best way to do it.

The reason I'm asking is that even though this method works in Windows 8 Pro as well, it has one little quirk: interactive users from "User" group are still able to see these extra user names when they go to the Metro screen and hit their own user name in the top-right corner (i.e. open "Sign out/Lock" menu). The command list that drops out contains "Sign out" and "Lock" commands as well as the names of other users (for "switch user" functionality). For some reason that list includes the extra users from "Deny logon locally" list. It is interesting to note that this happens when the current user belongs to "Users" group, but it does not happen when the current user is from "Administrators".

For example, let's say I have three accounts on the machine: "Administrator" (from "Administrators", can logon locally), "A" (from "Users", can logon locally), "B" (from "Users", denied logon locally). When "Administrator" is logged in, he can only see user "A" listed in his Metro "Sign out/Lock" menu, i.e. all works as it should. But when user "A" is logged in, he can see both "Administrator" and user "B" in his "Sign out/Lock" menu.

Expectedly, in the above example trying to switch from user "A" to user "B" by hitting "B" in the menu does not work: Windows jumps to welcome screen that lists only "Administrator" and "A".

Anyway, on the surface this appears to be an interface-level bug in Windows 8. However, I'm wondering if going through "Deny logon locally" setting is the right way to do it in Windows 8. Is there any other way to create a hidden non-interactive user account?


Solution 1:

You need Resource Kit 2003 and this command:

ntrights -u "username" +r SeDenyInteractiveLogonRight

User rights explanation:

SeNetworkLogonRight               Access this computer from the network 
SeInteractiveLogonRight           Log on locally 
SeBatchLogonRight                 Log on as a batch job 
SeServiceLogonRight               Log on as a service 
SeDenyNetworkLogonRight           Deny access this computer from the network 
SeDenyInteractiveLogonRight       Deny log on locally 
SeDenyBatchLogonRight             Deny log on as a batch job 
SeDenyServiceLogonRight           Deny log on as a service 
SeCreateGlobalPrivilege           Create global objects 
SeDebugPrivilege                  Debug programs 
SeDenyRemoteInteractiveLogonRight Deny log on through Terminal Services 
SeEnableDelegationPrivilege       Enable computer and user accounts to be trusted for delegation 
SeImpersonatePrivilege            Impersonate a client after authentication 
SeManageVolumePrivilege           Perform volume maintenance tasks  
SeRemoteInteractiveLogonRight     Allow log on through Terminal Services  
SeSyncAgentPrivilege              Synchronize directory service data 
SeUndockPrivilege                 Remove computer from docking station 

Add new user in Windows 8:

Add new user at Windows 8

Install Resourse Kit 2003:

Run Install Resourse Kit 2003

Set installation path:

Set path Resourse Kit 2003

Run in CMD with administrative priveleges: Disable interactive user logon. OS version info.

Disable interactive logon user

How to rus CMD with administrative priveleges:

How to rus CMD with administrative priveleges

Logoff:

 shutdown /l

Logoff

Don't log in to user without interactive logon priveleges - don't view the new user.

Enable, disable interactive logon priveleges. Add user to list:

add user at list

Select user without interactive logon priveleges:

Select user without interactive logon priveleges

Not login, return at logon screen.

Not login, return at logon screen

All works. Good luck!

Note: Go to this registry key:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" 

AndreyT 0 DWORD - may be hidden, needs test and restart.