Most of us by now have become acquainted with Windows 7, either at home or the office and we are infinitely familiar with the logon procedure that Windows 7 provides. For some, it is a bit different, as there is a different logon screen, options, and overall feel. In reality the logon process for a corporate environment is still the same, however, the logon options have been altered slightly in Windows Vista/7. Since most of the world did not use Windows Vista, the change that Windows 7 provides is somewhat of a shock to our system. The main feature at logon for Windows 7 is called Fast User Switching. Fast User Switching is a feature that most organizations might want to disable due to local, network, and security issues that are occurring in the background.
What Occurs During Domain Logon
In order to understand fully why Fast User Switching should be disabled, let’s take a peek at what is actually occurring during logon of a Windows 7 computer which is joined to an Active Directory domain.
First, the Windows 7 computer must obtain an IP address from the DHCP server. (Yes, some clients might be statically coded with IP, but not in most corporations). The request for an IP address is a broadcast for a DHCP server on the network. When the DHCP server hears the request, it will send the Windows 7 computer IP information. Most of the time the information that is sent includes:
- IP address
- Subnet mask
- Default Gateway IP address (AKA router)
- DNS server(s) IP address/es
- WINS server IP address
- Domain name
Next, when the computer knows which network it can communicate with, it must find a domain controller. In order to find a domain controller in Active Directory, it uses DNS. Since it is using DNS and has the DNS server IP address, it sends a direct request to the DNS server. The request is for a list of domain controllers for the domain it is associated with. The request has a hierarchy, as the DNS server has the domain controllers organized by Active Directory Site. Since the Windows 7 computer knows its own IP address, the DNS server can give the list of domain controllers, known as the dclist, back to the Windows 7 computer with the domain controllers in the Windows 7 site at the top of the list. This will help with the network utilization and hopefully allow the Windows 7 computer to authenticate faster.
The next step for the Windows 7 computer is to contact the domain controller and authenticate. The authentication will occur on the domain controller by verifying the credentials that are sent to it from the Windows 7 computer. If the credentials verify successfully with the domain controller, an authentication token is sent to the Windows 7 computer for the user that has logged on.
Finally, on the Windows 7 computer, a session is created for the logged on user. This consists of the user profile, either cached or copied from the Default User Profile, registry entries created, as well as other operating system session information created for applications, services, etc.
Why Fast User Switching Might Not Be Desired
Now that we have the logon process and details covered, it might be clear as to why Fast User Switching is not desired. You might still be asking why? Consider that Fast User Switching does not actually log off any user, but it will keep the session of the last logged on user. So, if Fast User Switching occurs for more than 2, 3, 4, users… that means all of these sessions are still running on the computer.
For some organizations this might not meet security compliance regulations. For others, the fact that so many sessions are being kept alive might hurt performance. Still for other organizations, if a user has a process running in the background and another user logs on via Fast User Switching, the process might be taking up network bandwidth that it should not be taking.
How to Disable Fast User Switching
Fast User Switching is the default setting whether a computer is joined or not to the network. The settings to disable Fast User Switching are all the same, the key is how you want to accomplish it for your company. You can either modify the local computer, say on the gold desktop image, you can modify the Registry via a script, or you can use a Group Policy (as a Group Policy MVP, I suggest this option!).
Disabling Fast User Switching Using the GUI
The ability to control Fast User Switching on Windows 7 cannot be done via the GUI. Yes, in Windows XP and the Beta of Windows Vista allowed for this, but for some reason it is no longer a GUI option. You must do it via Group Policy or manually editing the registry.
Disable FUS in Registry
If you decide that hacking the registry is the ideal way to disable Fast User Switching, you can either do it via script, the Group Policy Registry extension, or manually. In all cases, you will need to alter the following Registry entry:
Then alter the HideFastUserSwitching entry. The default is a value of 0, a value of 1 will hide Fast User Switching (only Switch User in the interface) on Windows 7.
Disable FUS Using Group Policy
The most efficient way to alter all of your Windows 7 computers to not allow Fast User Switching is to use Group Policy. Of course, you can alter the local Group Policy, but using Active Directory based Group Policy is the most efficient way. In a Group Policy linked to Active Directory, you can go to the following link to modify Fast User Switching:
Computer Configuration\Policies\Administrative Templates\System\Logon\Hide Entry points for Fast User Switching
You will want to toggle this to Enabled, as shown in Figure 1.
Figure 1: Group Policy setting to disable Fast User Switching on Windows 7.
Turning off Fast User Switching will take the Switch User option away from the Logon UI, the Start menu, and the Task Manager.
If you allow remote connections to the computer, there can still be multiple sessions on the computer, one local and one using RDP.
Fast User Switching can be a useful feature, but it can also cause some issues depending on how your users and corporation use desktops. Controlling Fast User Switching is easy if you know where to go and how to do it. You can modify the registry to toggle its use, or you can use Group Policy. Regardless of the approach, you can now control how users logon, gain access to the desktop, and how desktops behave with one or multiple users logged on.