"Do not display last username" with Remote Desktop on Server 2008

I just deployed my first Server 2008 box in our internal environment for
testing. We do nearly all management via remote desktop. One of our
corporate security policies is to NOT show the last logged on user, to
prevent information disclosure of our admin usernames. We use a GPO in our
domain to control the "Interactive logon: Do not display last username"
setting to set it to ENABLED for all servers. This works on all Server 2003
boxes flawlessly. The Server 2008 box works when you are at the physical
console, but when you remote desktop, you are presented with the "logon
icons" where you can select the last user or "other user." This behavior
violates our corporate security policy.

I double checked the setting by running rsop.msc. The policy is being
applied and is set to "ENABLED." I also checked the Local Security Policy,
which shows it set to enabled as well, and the little "policy" icon is there
to show group policy governs this setting (so it is not changable).

Is there a new setting specific to terminal services? I went to the
Terminal Services administrative template and didn't see anything there that
might be helpful. I also went to the Terminal Services Configuration MMC,
nothing was helpful there either.

I'm thoroughly lost here, because from what I read, all you need to do is
set the "Do not display last user name" and all will be well. But it's not
working.

If you are fill in the mstsc/remote desktop window the username it will be
automatically saved on the local machine, so make sure that the username
is not set there if you close mstsc/remote desktop. Leave the username field
empty.

I am not filling in the username or password on my terminal service client
(I'm using RD Tabs, which you can turn off NLA and also elect to not supply a
username/password) but even on older mstsc.exe (RDP 5.x) I get the logon
screen and have a choice between two icons, the admin user and "other user."
I cannot get it to STOP showing the admin user after I connect.

Hi - you've posted a reply to a message that doesn't seem to be on the
server any longer, and you haven't quoted the original text in your message,
so it's unlikely that anyone will know what you're talking about.

I suggest you stop using the forum web interface you're using and try a news
client, such as Forte Agent, Thunderbird, or even Outlook Express, rather
than the pretty clunky web interface to the newsgroups. It's a lot easier to
do nearly everything that way. You can mark messages to be watched, filter
the views so you can see replies to your posts easily, and search.

The Microsoft public news server is msnews.microsoft.com and you can
subscribe to as many groups as you like; no authentication is required.

To what posting are you replying?

Hi guys I SOLVED THIS ...

please read point 2 of this article ... - God Luck !

Hi Elmoro,

I can't see your solution for the interactive logon in your post. What did you do to fix this.

Thanks!

Hey, I spent quite awhile to figure this one out.

The last username information is actually stored locally on the client side, not on the 2008 server. This information is held in the
\MyDouments\Default.rdp file and in the registry at
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default. You will find a bunch of MRU keys that you should delete. You should also delete the keys in HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers.

Good news is the display of the last username can also be controlled on the server side.
Go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.

In the window that appears, right-click on the item in the "Connections window" and click properties. In the "Log on settings" tab, check the middle option, "Always use the following logon information" an leave every field blank. Click, apply, Ok. Logout and log back in. The last user name should be gone form the RDP screen.

You really have two choices in how to handle this:

1) Delete RDP file and registry items on the client every time it is used for RDP
OR
2) make the changes on the server to ignore the client's supplied logon info.