CA Client Automation

  • 1.  Logon Shield - Switch user disabled

    Posted 04-08-2016 01:27 PM
      |   view attached

    Hi All,


    My company is in the process of SAP GUI 7.40 distribution (upgrade from 7.30 to 7.40) and I’m experiencing problems with Logon Shield.

    Explaining better, this is the first time I use the option of “Prevent user from being logged-on while job executes (WinNT only)”, reasons:


    • Given the particular behavior of SAP GUI installation, if you have open transactions on current installed SAP GUI and the new version is deployed the installation gets corrupted.
    • The way I found to do that was first setting the “Boot level before execution” as “Restart machine” and after “Prevent user from being logged-on while job executes (WinNT only)” in order to ensure the application is closed during setup process and even after the reboot process the user cannot logon and start SAP GUI (common task being the SAP GUI the most used software on company).


    Despite my description about the whole scenario, my real problem is that the option “Prevent user from being logged-on while job executes (WinNT only)” changes the registry “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching” to value 1.


    So far nothing wrong, but the problem is even after the setup, multiples reboots and long time waiting the option “Switch user” continues grayed out on Windows meaning that the registry key was not changed to value 0 by ITCM.


  • 2.  Re: Logon Shield - Switch user disabled
    Best Answer

    Broadcom Employee
    Posted 04-12-2016 05:17 AM


    Please check if you have the logon shield configured to turn off fast user switching

    How to Use the Logon Shield Configuration View - CA Client Automation - 12.9 - CA Technologies Documentation

    details how to configure the logon shield


  • 3.  Re: Logon Shield - Switch user disabled

    Posted 04-18-2016 10:39 AM

    Hi Raphael

    I was wondering if the documentation Richard referred you to helped you to configure the login shield configuration  ?

    Does this continue to be an issue ?

    Please advise



  • 4.  Re: Logon Shield - Switch user disabled

    Posted 04-19-2016 06:57 AM

    I read the documentation but I'm still having problems. On begining I was thinking that I would have to let the "Hide fast user switching" option enabled and after read the documentation, I tryed to Disable  "Hide fast user switching" and set the "Maximum blocking time" to Centrally Managed" and with value of 120 minutes.


    I waited for more than 2 hours and the "Switch user" doesn't turned back.


    As you can see on image bellow I changed the "Maximum blocking time" to 10 minutes and worked as expected (The computer was rebboted, the logon was protected by Logon Shield and after the installation the Switch user was enabled again) waiting for about 10 minutes until press "Reboot Now"


    Default Policy


    Custom policy


    But the problem is if I wait for more than 10 minutes until "Reboot now" (30 minutes for example) the option "maximum bloking time" acts (in 10 minutes I guess), the Switch user is enabled again, however I lost the ability to doesn't allow user logon when the machine is rebooted.


    My last resource is change my package to a batch script and setting the registry key HideFastUserSwitching to 0 in the end of script execution, but I don't think that is a good solution.

  • 5.  Re: Logon Shield - Switch user disabled

    Broadcom Employee
    Posted 04-20-2016 05:51 AM



    Could you reduce the reboot prompt timeout from the default of 30 minutes? would this help?

  • 6.  Re: Logon Shield - Switch user disabled

    Posted 04-20-2016 09:21 AM

    I don't think that changing the reboot prompt will help, because the user can postpone the reboot action and I want users to have the chance to do this

  • 7.  Re: Logon Shield - Switch user disabled

    Broadcom Employee
    Posted 04-25-2016 06:34 AM

    can you raise this as a support case so we can take a look and see if there is a bug here.