This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. Vulnerability: A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods. Counter Measure: Disable this policy setting. Potential Impact: If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. Fix: (1) GPO: Computer ConfigurationAdministrative TemplatesSystemLogonEnumerate local users on domain-joined computers (2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystem!EnumerateLocalUsers

[enable/disable]

(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Enumerate local users on domain-joined computers (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System!EnumerateLocalUsers