User successfully logs in as [email protected].
User is then mapped to [email protected] via altSecurityIdentities: Kerberos:[email protected]
When the user locks the screen, the lock screen is for [email protected], which the user does not have the (randomized) password for.
It is possible for the user to return to their session by backing out to the main login screen, where EXAMPLE.COM is the default domain/realm, and logging in there.
Is there a way to force [email protected] as the lock screen user or, failing that, cause the lock screen to go immediately to the switch user screen?
I am primarily interested in Windows 7 and 8, but knowledge for other versions would also be useful.
To have the lock screen be the effective equivalent of the switch user screen, enable the group policy (Functional Level 2012*):
Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options -> Interactive Login: Display user information when session is locked -> Do not display user Information
*This policy is not new in 2012 and shows up in much the same path in lower function levels.