Usernames: How do I disable option to change login usernames

Hi. I took over support at a campus computer lab recently. As a risk of viruses any give day, computers are Windows 10 'Workgroup' (local) clients. Absolutely can't be added to a domain; as result, can't push any policies. No cameras. Generic Student logins only. Sign-in sheet at door isn't signed by all students. So known campus students slip, yes. But with anonymous non-campus friends just to browse the Internet, while student does school work. Computer accounts are left 'Administrator' status because of professor complaints from students that programs in use stalled back in the day because of limited 'User' status (no Administrator accounts) of accounts I originally used to "lock-down" the computers. I've had success locking down certain areas of the OS on lab PCs using regedit and gpedit...local rules under current Administrator accounts. But there's one that alludes me. Does anyone know how to disable the user's ability to change local account usernames? For example, in one instance, a prankster changed the generic 'Student' login name I created...to "Stutterer". On a couple other occasions, discriminatory names. So you can imagine, the next person who sits down trying to login to PC...what's staring them in the face. Does anyone know how to disable the user's ability to change local account usernames of accounts with Administrator-status?

This policy of allowing student accounts in the Administrators group is self-defeating. Any GPO or registry-based restriction can be undone by the users, and you're exposing every machine to malware.

If your instructors can show a legitimate need to run apps as Administrator, then create an elevated task to launch those specific apps and nothing else. Write a shell wrapper or a create desktop shortcut for your users..

After you've done that, every PC can be domain-joined.

Thanks so much for your feedback. Regrettably, management has a hard NO response on my locking down 'Student' accounts on those "workgroup" lab standalone local PCs which runs in "local" Admin group. Why? Professors' complaints that inflexible filters prevent them from using computers in creative and innovative ways in our college PC labs/classrooms. For instance, YouTube videos of famous speeches, Skype conversations with experts outside the school, collaborative tools to download that would allow students to annotate a shared text: access to such resources and downloads from Internet, is cut off, teachers lament, by locking 'Student' account so." I'm absolutely not authorized to upgrade lab PCs to our domain, either. Only staff PCs, in same office space (and college-wide) may be joined to the campus domain. My bosses are content on my reimaging once or twice a week...onsy-twosy, if it comes to that. No more headaches for them from 20+ professors. Yeah, but it's tedious work for me! SMH. That's why I turned to 'tenforums'.

That being said, are there "local" rules on these Windows 10 Workgroup computers while logged into local Admin 'Student' account's regedit, gpedit or directly in the registry that will allow me to tweak 'Student' profile to disable changing any lab PCs 'Student' account login name? Yeah, if someone really wanted to. They could go the extra mile of undoing my lockdown settings change(s) since 'Student' account is in standalone PCs local Admin group. Moreover, if not, do you have a YouTube tutorial video you favor that you can point me to about how to "...write a shell wrapper"?

I don't follow this argument about "creativity". If pre-installed apps can be run without Admin privileges, why do they get a say in your department's policies? If they want to play that game, ask how they will protect the students' rights to a "safe learning environment" since you can't limit user actions. The one thing that motivates orgs the most is legal exposure.

There is no policy to restrict users from changing their account names, because you have to be an Admin in the first place.

If there's a legitimate app which requires elevation make a scheduled task to launch it. Many don't realize you can run tasks on-demand and not necessarily schedule them.

Follow option #2 in Brink's tutorial, except replace CMD with a specific app.
Create Elevated Shortcut without UAC prompt in Windows 10

Run your task on-demand: schtasks /run /tn "My Task Name"

In the end if your IT group is doomed to lose any sane policy argument, then automate the wipe and reload process with an install image that pre-loads all their desired software and bookmarked links.

Thanks for sharing your thoughts and resources, Garlin.

Denis and Garlin: Found this. I thought this was left in Windows XP and earlier. And all you could choose was 2: Administrator and Standard 'rights', for any new local account created. In other words, I discovered that 'Power User' still exists and 'hidden' on Windows 10 OS. As a matter of fact, all of this listed in the following link. Thought I'd share/share-progress. Power User doesn't allow 'Student' accounts to change username. But the jury's out if it will or will not allow students to download assignments from webpages to computer lab PCs desktop.
https://social.technet.microsoft.com...nd-groups.aspx

Power Users lack admin rights since W7, because most tasks delegated to them can now be managed by Settings. This group can't change user names, but you're back to square one on permissions for installing software.