Why isn’t Fast User Switching enabled on domains?

Windows XP added a new feature called Fast User Switching which lets you switch between users without having to log off. But this feature is disabled if your computer is joined to a domain. Why?

There were several reasons, none of them individually insurmountable, but they added up to quite a lot of work for something IT administrators weren't even sure they wanted. (See a previous entry on retraining costs.)

  • How do you show all the users on the domain in the Welcome screen? You certainly don't want a list with 10,000 names in it. (Scroll scroll scroll.)
  • How do you check whether a user has a password? In Windows XP, the Welcome screen merely tries to log you on with a blank password. If it works, then poof! you're in. If it doesn't work, then it displays the password prompt. This works, but it also generates a failed password event into your security event log. Many IT administrators have a passwork lockout policy, where if you get your password wrong more than N times, your account is locked. Blank password probing would result in locked-out accounts all over the company.

Those of you who have gotten Longhorn can see that Fast User Switching is now enabled on domains. New infrastructure needed to be developed to enable the feature on domains without ruining the domain administrators' lives.

Comments (30)
  1. This total OT. Could you do something with your page? I mean make it HTML & CSS compilant? I think someone like you should be totally aware of negativie effects of not following standards…

  2. Dan Smith says:

    Yippie! One more reason not to run as "Administrator" (fast user switching make switching to an "Administrator" account to do things like install software easier).

  3. Anonymous says:

    It is one of the things I miss more at my dev machine at work from my devplay machine at home….

  4. Anonymous says:

    I was under the impression that it was because services running over SMB/NETBEUI had a one computer/one user assumption built-in.

  5. MilesArcher says:

    If only there was more granularity as to what a regular user and an administrator can do on XP home…

    Like the anon above, i too have XP pro at work and XP home at home. The fast switching is excellent. I haven’t seen much need for it at work though. People here typically use VMware rather than another account on the same box.

  6. Raymond Chen says:

    I don’t control the framing HTML the blog server generates. I just upload blog entries and it injects them into the frame. (Okay I also control the CSS file which is how I can set the goofy colors.) What noncompliance is causing problems? Maybe it’s something within my control (but I doubt it).

  7. Regarding the CSS, I can’t speak for Mr. Sznajder, but the div header and H3 entryTitle filters always get me an unwelcome ActiveX automation security question. However, after answering No, I always get a very readable page.

  8. Raymond Chen says:

    Ah that’s coming from the gradient effect. Apparently the IE folks now believe gradients to be a security risk so it prompts you. Should I remove the gradient, folks? I kind of like it.

  9. Tekumse says:

    there is no gradient in Mozilla and would have never known it is in the style until this dsicussion. Thus I don’t any warning either.

  10. Kevin Dente says:

    There’s something I don’t get. Why is fast user switching tied to the user list version of the welcome screen? When you’re running a domain, it doesn’t present the big friendly list, it just gives you a log-in dialog where you type in your user name and password. So why couldn’t the "Switch user" option just have taken you back to the login dialog, where you could enter a different domain user account and password?

    FUS could have been great for testing different locale settings, but since it’s not supported on domains I can’t use it at work.

  11. Raymond Chen says:

    As I noted in the entry itself, it was technically feasible but would have been a lot of work to get right [I listed only two of the problems]; it was a simple matter of not enough tim/resources. (Making changes to the classic logon UI is a particularly risky endeavour since winlogon is a super-critical system process.) And as I also noted, there *is* enough time/resources to do this for Longhorn.

  12. uh, this may be a stupid question but why does the xp welcome screen try to log you in? and is there no that it can be turned off?

  13. Raymond Chen says:

    Because it would be ugly to prompt the user for their password when they don’t have one!

  14. The other problem you face with FUS in a domain sitation is when someone FUSs away from their user (goes home for the day), and someone uses that machine, but when the user returns, they return to a differant machine (hot desking maybe) – how do you manage that? None of it’s simple.

  15. Serge Wautier says:

    My use of ‘Fast User Switching’ : Software translation help ! My XP Pro is in English but I installed French as well (MUI). When I need to update the translation of my app from English to French, I often come to wonder how a usual term is translated by MS. Quick switch to another user purposely set up with French UI and I have my answer in seconds !
    BTW: Yes, I’m a native french speaker. But we do develop UI in English first because of international audience. And since I’ve always used an English Windows, I’m not familiar with common computer terminology in my own language !

    I’m sure folks who designed the fast user switching didn’t think of that use ;-)

  16. Anonymous says:

    Not having the ability to use FUS on domains was a great bummer
    when I first saw XP.

    But another even worse bummer is that "offline folders" don’t work
    together with FUS (I would really like to use an admin account
    and an useraccount and switch between both without closing all
    open applications and browser windows, but I need offline folders,
    too). This was also the case with Windows Server 2000 (enabling
    Terminalservices silently removed the offline-folders tabs and
    menu entries from the GUI), where I once wondered why that feature
    was suddenly gone.

    I would really like to ignore whatever problems MS sees in enabling
    offline folders and FUS together and would use ANY hack to force
    it to be enabled, but I don’t know any.

    I guess that the feature was removed because it is not clear which
    user accesses the offline folders.

    On a expo someone from MS promised that offline folders and terminalservices
    would work together in Windows Server 2003, but they don’t.

    Glad to hear that in Longhorn this stupid limitations will finally be
    gone. It is really bad if XP has several great features, but you
    find out that you only can enable one of them, not all. Nothing can
    be more disappointing about an operation system!

    It would be cool if you could add more points/problems to the list in your
    post. This is the first time I read someonething about these limitation
    and more details would be great.

    Regarding the new logon-screen:
    Try this: Enter a wrong password in the new GUI. Then hit STRG+ALT+ENTF
    twice. Now look at the two input fields of the traditional GINA:
    They are filled out.

    Looks like the developers of XP were totally afraid of changing anything
    in GINA and they just glued some kind of decorating frontend over it.
    I think the logonui.exe can even crash without any problems.

    Kind of strange way to develop things. Of course it has its advantages,
    but it also feels "not right".
    Hearing that logonui will even try to log you in with an empty password
    is strange, too!

    I hope that longhorn will clean out a lot of the mess that is hidden
    inside Windows layers and layers of compatibilty. Many areas have a
    great design, but there is a lot of dirt hidden inside windows.

  17. Roland Kaufmann says:

    What I would like to see is something we could perhaps call "Slow User Switching"; that you could lock the workstation using Ctrl-Alt-Del, and when pressing the secure attention sequence again, you get the choice of unlocking one of the existing sessions or if you want to logon with a new session (including another session for the same user), i.e. the unlock and logon dialog that resides on the WinLogon desktop should be merged into one.

  18. James Day says:

    Please do disable anything which causes an ActiveX control request. I wouldn’t know whether you’re using a gradient or not. Site pops up an ActiveX control request, I say no. Or, if I really want something, I look at every piece of code on the site before saying yes, so I can be sure of which controls I’m granting permission to use. A pain even when the administrator kill bit is usually set for the most common ad engine, Flash. Usually, ActiveX requests are a quick way to the Restricted Sites zone. Such is life with a grossly untrustable interface.

  19. Damit says:

    Additionally, why is it that FUS has to be disabled when using a non-MS GINA? The drivers for my wireless LAN card (Cisco Aironet 350) install a GINA to support LEAP, which breaks (among other things) FUS.

    Of course, it doesn’t help that my laptop is joined to a domain either. =)

  20. "The drivers for my wireless LAN card (Cisco Aironet 350) install a GINA to support LEAP, which breaks (among other things) FUS."

    The Cisco 350 driver installs a replacement GINA, but it doesn’t need it unless your LEAP password is tied to your login password. Look in this registry key:

    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

    and rename the GinaDLL value name with a different name. That did the trick for me!

  21. Damit says:

    Unfortunately, I think the last time I tried this I couldn’t authenticate with the network at all… so maybe it is needed.

    Thanks anyway!

  22. Charles says:

    "How do you show all the users on the domain in the Welcome screen? You certainly don’t want a list with 10,000 names in it. (Scroll scroll scroll.)"

    No, you simply have a system where you let the user enter their username. That is, the LOGIN: prompt. But prettier. Is this so impossible to contemplate? Has none of you guys seen a Unix box?

  23. Anonymous says:

    Charles, your point would be much better if you hadn’t chosen to focus on one particular piece of information to the exclusion of everything else. Raymond has said, twice, that those were not the only two problems, but just an example of the problems involved. See his comment from 11/21/2003 at 12:06 PM on this page. If you’re going to try and be glib and/or insulting, which is how I perceive that comment, you’ll have to do a better job.

  24. Todd says:

    Look in this registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon and rename the GinaDLL value name with a different name. That did the trick for me!

    Tried this but wasn’t able to log in to XP after. Had to boot up in safe mode go back into the registry and change the winlogin value back to CSGina.dll. Incidently it was a Cisco VPN client that disabled the FUS. Oh well to FUS no mess.

  25. Ryan McCauley says:

    I was really hoping that simultaneous console/remote usage would be a new feature of XP in SP2, but it looks like we’ll have to wait until Longhorn. I can understand why they wouldn’t want to alter the GINA, but it would be a *really* nice feature to have. Oh well – I guess I’ll hold on until 2007, or until somebody hacks the LOGONUI.EXE process. :)

  26. Rajiv says:

    Or buy a nice copy of Windows 2003 Server….

  27. Jay says:

    Considering he only gave two reasons, both of which are pretty vague, I think this entry was totally useless. Someone above said "Charles, your point would be much better if you hadn’t chosen to focus on one particular piece of information to the exclusion of everything else". That’s laughable, considering "everything else" was "it was too hard for us to do." How is this actually useful?

  28. Raymond Chen says:

    This was not meant to be a comprehensive list. The primary reason was the last sentence: To get Fast User Switching to work on domains would have required more infrastructure than there was time to implement.

    I’m going to close commenting on this entry now that it’s over six months old.

Comments are closed.

Skip to main content