Fast User Switching with Windows Authclient

Fast User Switching with the RapidIdentity Windows Authentication Client

When enabled, Fast User Switching allows multiple users to share a single windows device, using their own unique Windows login credentials, and easily switch between them without logging an active user session out or closing any windows.

Fast User Switching makes it easy for Windows users to share a single device but, might not be appropriate for users with dedicated devices. As such, the RapidIdentity Windows Authentication Client now tolerates and respects both the Fast User Switching enabled and disabled states which can be set by adminstrators using the Hide entry points for Fast User Switching policy setting.

GPO Policies/Registry Settings to update:

1. Hide entry points for Fast User Switching: If this policy is enabled, the Switch User interface is hidden from the user attempting to log on or the lock screen for a logged-in user.

   Administrative users can choose one of the following two ways to adjust this setting :

   1. Using the GPO: in gpedit.msc navigate to Local Group Policy>Computer Configuration>Administrative Templates>System>Logon and set Hide entry points for Fast User Switching to Enabled or Disabled. Enabling this policy will disable Fast User Switching.

   2. Using the Registry Editor: navigate to
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] and set HideFastUserSwitching equal to dword:00000001

2. Don't display last signed-in: If this policy is enabled, the last logged-in user name is hidden from the lock screen.

   Administrative users can choose one of the following two ways to adjust this setting:

   1. Using GPO: in gpedit.msc navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and set Interactive Logon:Don't display last signed-in to Enabled or Disabled

   2. Using the Registry Editor: navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] and set dontdisplaylastusername equal to dword:00000001

Fast User Switching behavior in the Windows Authclient

When FUS is Enabled:

If an Admin enables this setting and users lock their machines, the switching user option from logged-in window is disabled, and any other user attempting to log in through the Windows Authclient login process will be given an error message by Windows, which means only the locked user can unlock the machine and the session remains active.

Step 1 : Admin/ User Enable FUS.

Step 2 : Sign out from the machine.
Step 3 : User logs in using RI Client with any Authentication method (Example shown here with Password).

Step 4 : Once user logged in using WAC user will be redirected to RI Profile. User can work and locks the machine.
Step 5 : User will not see the switch user option on the logged-in window.

Step 6 : Other WAC user tries to login using any authentication method.

When other user tries to log in, Windows will display error message.

When FUS is Disabled:

When FUS is disabled and the machine is locked, any user can log in via with Windows Authclient. They also will be prompted with the Switch User option on Log in Screen.

Step 1 : Disable FUS

Step 2 : Login with a WAC user and lock the session.
Step 3 : Login with any other WAC user using any authentication method (Password, Duo, SMS etc).

Step 4 : User successfully logs in.
Step 5 : User locks the machine. Now any user can switch easily to their account by clicking on Switch user.

• When dontdisplaylastusername is enabled: This setting only affects the Windows Logged-in screen when FUS is enabled.

  • FUS and dontdisplaylastusername is enabled: When both of these settings are enabled, users can not see the last logged-in user name on the Log-on Screen.
    

  

  • FUS is enabled and dontdisplaylastusername is disabled: When FUS is enabled and dontdisplaylastusername is disabled then user can see the last logged-in user name (Domainname\username) on the Log-on Screen.