When a shared Windows device starts up, OneDrive sometimes signs in with a personal Microsoft account instead of the assigned work or school account. This happens because OneDrive’s automatic sign-in behavior relies on cached credentials from previous sessions, and on shared devices, multiple user profiles can leave conflicting tokens. This article walks you through a structured admin checklist to enforce the correct OneDrive account on every startup for shared computers.
The root cause is that OneDrive for Business uses Windows Credential Manager and registry settings that persist across reboots. On a device used by multiple people, the last signed-in account can become the default for automatic startup. Without group policy or registry controls, OneDrive will attempt to sign in with whatever account it finds first in the credential cache.
This checklist covers group policy configuration, registry edits, and Known Folder Move settings to ensure that OneDrive always launches with the correct organizational account on shared Windows 10 and Windows 11 devices.
Key Takeaways: Enforce the Correct OneDrive Account on Shared Devices
- Group Policy > Computer Configuration > Administrative Templates > OneDrive > Prevent OneDrive from signing in with a personal account: Blocks personal Microsoft accounts from signing into OneDrive on domain-joined devices.
- Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync: Set to 1 to enforce the same restriction on devices without group policy.
- OneDrive admin center > Sync > Allow syncing only on PCs joined to specific domains: Restricts OneDrive sync to devices that are Azure AD-joined or hybrid-joined.
Why OneDrive Picks the Wrong Account at Startup on Shared Devices
OneDrive for Business stores authentication tokens in the Windows Credential Manager under the Windows Live ID and MicrosoftOffice16 entries. On a shared device, each user who signs in leaves behind their own set of tokens. When Windows starts and OneDrive runs automatically, it reads the most recent or default token from Credential Manager. If the last interactive sign-in was a personal Microsoft account, OneDrive will attempt to use that account instead of the work or school account assigned to the current user.
This behavior is by design for single-user devices, but on shared workstations or lab computers, it creates confusion and potential data access issues. Users see the wrong OneDrive folder structure, get prompted for credentials repeatedly, or cannot sync files because the personal account lacks access to the organization’s SharePoint sites.
The fix requires a combination of administrative controls that prevent personal account sign-in, enforce domain-based sync restrictions, and clear stale tokens at logoff or startup.
Admin Checklist to Force the Correct OneDrive Account
Step 1: Block Personal Microsoft Accounts via Group Policy
- Open Group Policy Management Console
On a domain controller or management workstation, run gpmc.msc. Create or edit a Group Policy Object (GPO) linked to the organizational unit containing the shared devices.
- Navigate to the OneDrive policy template
Go to Computer Configuration > Administrative Templates > OneDrive. If you do not see the OneDrive folder, download and add the OneDrive administrative template (OneDrive.admx) from Microsoft’s download center.
- Enable the policy to block personal accounts
Double-click Prevent OneDrive from signing in with a personal account. Select Enabled, then click OK. This policy sets the registry value DisablePersonalSync to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive.
- Force a policy update on the shared devices
On each target machine, run gpupdate /force from an elevated command prompt. Restart the device to apply the policy.
Step 2: Restrict Sync to Domain-Joined Devices Only
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and navigate to Settings > Org settings > OneDrive.
- Enable domain-based sync restrictions
Under the Sync tab, check Allow syncing only on PCs joined to specific domains. Enter your organization’s domain name (e.g., contoso.com). Save the setting.
- Verify the registry key is set
On a shared device, open Registry Editor and confirm that HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList contains your tenant ID or domain. If missing, the policy may not have applied correctly.
Step 3: Clear Stale Credentials at Logoff Using a Script
- Create a logoff script
Open Notepad and paste the following commands:

```bat
cmdkey /delete:MicrosoftOffice16_Data:ADAL:<YourTenantID>
cmdkey /delete:MicrosoftOffice16_Data:ADAL:<PersonalAccountGUID>
cmdkey /delete:WindowsLiveID:<PersonalEmail>
```

Replace placeholders with actual values. Save the file as ClearOneDriveCreds.bat.
- Assign the script via Group Policy
In the same GPO used in Step 1, go to User Configuration > Windows Settings > Scripts > Logoff. Click Add, browse to the batch file, and click OK. This will run the script every time a user signs out.
- Test the script on a single device
Sign in with a personal account, sign out, then sign in with a work account. OneDrive should prompt for the work credentials instead of reusing the personal token.
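The batch file above needs a hard-coded GUID or e-mail address per account, which does not scale on a device many people use. The following PowerShell variant is an added example, not part of the original checklist: it reads the stored entries and matches them by the same two prefixes. It assumes English-language cmdkey output; the function name, the switches and the sample entries are constructed for illustration.

```powershell
# Added example, not from the original article. Assumes English-language
# cmdkey output, where entries are listed as "Target: <type>:target=<name>".
param(
    [switch]$Delete,     # without -Delete the script only reports matches
    [switch]$UseSample   # parse the constructed sample instead of live data
)

# Target-name prefixes taken from the logoff script above.
$prefixes = 'MicrosoftOffice16_Data:ADAL:', 'WindowsLiveID:'

function Select-OneDriveTarget {
    # Returns the target names that start with one of the given prefixes.
    param([string[]]$Lines, [string[]]$Prefixes)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\s*Target:\s*\S+?:target=(?<name>.+?)\s*$') { continue }
        $name = $Matches['name']
        foreach ($p in $Prefixes) {
            if ($name.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) {
                $name
                break
            }
        }
    }
}

# Constructed sample of `cmdkey /list` output (not captured from a real device).
$sample = @(
    'Currently stored credentials:',
    '    Target: LegacyGeneric:target=MicrosoftOffice16_Data:ADAL:00000000-0000-0000-0000-000000000000',
    '    Type: Generic',
    '    Target: LegacyGeneric:target=WindowsLiveID:user@example.com',
    '    Type: Generic',
    '    Target: Domain:target=fileserver01',
    '    Type: Domain Password'
)

$lines = if ($UseSample) { $sample } else { cmdkey /list }
$targets = @(Select-OneDriveTarget -Lines $lines -Prefixes $prefixes)

foreach ($t in $targets) {
    if ($Delete -and -not $UseSample) {
        cmdkey "/delete:$t" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not delete $t" }
    } else {
        Write-Output "Would delete: $t"
    }
}
```

Run it with -UseSample first: it should list the two OneDrive-related entries and leave the Domain entry alone. Credential Manager is per user, so the script has to run in the signing-out user's context, as a logoff script does.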
Step 4: Configure OneDrive to Start Only for the Current User
- Disable per-machine OneDrive startup
OneDrive installs a startup entry in the current user’s registry at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. On shared devices, ensure OneDrive is not set to run for all users under HKEY_LOCAL_MACHINE. Delete any OneDrive value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- Use a startup script to force the correct account
Create a PowerShell script that runs at user logon:

```powershell
Start-Process "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe" -ArgumentList "/background"
```

Deploy this script via Group Policy under User Configuration > Windows Settings > Scripts > Logon.
If OneDrive Still Shows the Wrong Account After Configuration
OneDrive Keeps Prompting for Credentials After Policy Application
If users still see a sign-in prompt for a personal account, the DisablePersonalSync registry key may not be applied correctly. Open Registry Editor on the affected device and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive. Verify that DisablePersonalSync exists and is set to 1. If the key is missing, run gpupdate /force again and restart. If it still does not appear, manually add the DWORD value and set it to 1.
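The registry checks from Steps 1, 2 and 4 and the verification described above can be run together on a shared device. This read-only script is an added example, not part of the original checklist; the function names and the $ExpectedTenant placeholder are assumptions, and the registry paths and value names are the ones this article gives.

```powershell
# Added example, not from the original article: read-only audit of the
# registry settings named in Steps 1, 2 and 4.
param(
    # Placeholder (assumption): the tenant ID or domain you expect to find.
    [string]$ExpectedTenant = '<YourTenantID>'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-KeyValues {
    # Returns a name -> data hashtable; empty when the key does not exist.
    param([string]$Path)
    $values = @{}
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) }
    }
    $values
}

function New-Finding {
    param([string]$Check, $Actual, [bool]$Pass)
    [pscustomobject]@{ Check = $Check; Actual = $Actual; Pass = $Pass }
}

# Step 1 and troubleshooting: DisablePersonalSync must exist and equal 1.
$dps = (Get-KeyValues $policyKey)['DisablePersonalSync']
$findings = @(New-Finding 'DisablePersonalSync is 1' $dps ($dps -eq 1))

# Step 2: AllowTenantList should hold the expected tenant ID or domain,
# as a value name or as value data.
$tenants = Get-KeyValues "$policyKey\AllowTenantList"
$listed  = @($tenants.Keys) + @($tenants.Values)
$hasTenant = $listed -contains $ExpectedTenant
$findings += New-Finding 'AllowTenantList has expected tenant' ($listed -join ', ') $hasTenant

# Step 4: no OneDrive value may exist under the machine-wide Run key.
$run  = Get-KeyValues $runKey
$hits = @($run.Keys | Where-Object { "$_ $($run[$_])" -match 'OneDrive' })
$findings += New-Finding 'No OneDrive value in HKLM Run' ($hits -join ', ') ($hits.Count -eq 0)

$findings | Format-Table -AutoSize
if ($findings.Pass -contains $false) { exit 1 }
```

The script exits with code 1 when any check fails, so a management tool can use it to flag devices where the policy did not land.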
OneDrive Syncs to the Wrong Tenant After Reboot
This occurs when the device is Azure AD-joined but the user signs in with a personal account that was previously cached. The fix is to unlink the personal OneDrive entirely. Go to OneDrive Settings > Account > Unlink this PC. Then sign in again using the work or school account. To prevent recurrence, enforce the Allow syncing only on PCs joined to specific domains policy in the admin center.
Group Policy vs Registry Edit: Comparison for Shared Device Account Control
| Item | Group Policy Method | Registry Edit Method |
|---|---|---|
| Deployment scope | Applies to all devices in an OU | Applies only to the local machine |
| Requires domain join | Yes, devices must be domain-joined | No, works on workgroup devices |
| Key or setting name | Prevent OneDrive from signing in with a personal account | DisablePersonalSync (DWORD, value 1) |
| Location | Computer Configuration > Administrative Templates > OneDrive | HKLM\SOFTWARE\Policies\Microsoft\OneDrive |
| Override by user | Cannot be changed by standard user | Cannot be changed by standard user if ACL-protected |
| Update method | gpupdate /force | Manual or scripted registry import |
After completing this checklist, OneDrive on your shared devices will launch with the correct organizational account at every startup. Next, review your Known Folder Move settings in the OneDrive admin center to ensure that Desktop, Documents, and Pictures redirect to the correct tenant. For advanced environments, consider deploying Windows Autopilot with a device preparation policy that preconfigures OneDrive before first sign-in.