When a new Windows user profile is created and the OneDrive sync app starts in it for the first time, OneDrive may sign in without ever showing the sign-in window, and the account it picks is not always the one the user intended. It is tempting to blame a credential left behind by the previous user, but Windows Credential Manager is per user and a fresh profile starts with an empty vault. What actually decides the account is the sync app's silent account configuration policy (Silently sign in users to the OneDrive sync app with their Windows credentials), combined with the first-sign-in setup that every new profile inherits from the Default profile. The symptom is the same either way: the user sees someone else's files, or gets a sync error because the account that was picked has no license or permissions. This article is a step-by-step admin checklist to make OneDrive always prompt for credentials on new profiles and to keep one user's sign-in from carrying over on shared machines.
Key Takeaways: Prevent OneDrive from Using the Wrong Account on New Profiles
- Group Policy: Computer Configuration > Administrative Templates > OneDrive > Silently sign in users to the OneDrive sync app with their Windows credentials: set to Disabled (SilentAccountConfig = 0) so a new profile always gets the sign-in window instead of the identity attached to the Windows session.
- Windows Credential Manager: Windows Credentials > Generic Credentials: delete the OneDrive Cached Credential entries in the affected user's own session. The vault is per user, so this only affects that profile and has to be repeated, or scripted at logoff, for every user who shares the machine.
- SharePoint admin center: Settings > Sync > Allow syncing only on computers joined to specific domains: list your domain GUIDs (not DNS names) so non-member devices cannot sync at all. This limits where the problem can occur; it does not by itself change which account a new profile signs in with.
Why OneDrive Uses the Wrong Account for New Windows Profiles
OneDrive for Business keeps its refresh tokens in the signed-in user's Windows Credential Manager, as Generic Credentials whose names begin with OneDrive Cached Credential. That vault is part of the user profile and is encrypted with the user's own DPAPI key, so a freshly created profile starts with an empty vault and cannot read entries that belong to another profile. What makes the sync app skip the sign-in window is the policy Silently sign in users to the OneDrive sync app with their Windows credentials (SilentAccountConfig): when it is enabled, OneDrive asks Windows for a token for the Microsoft Entra ID identity attached to the current session and signs in with that identity, whatever it is. If that identity is not the account the person intended to use, which happens on shared, lab and hybrid-joined devices whose Windows accounts do not map cleanly to the intended cloud user, OneDrive either lands in the wrong account or fails with a sync error because that account has no license or permissions.
The Role of Windows Credential Manager
Windows Credential Manager is per user, not per machine. Each profile's vault lives under %LOCALAPPDATA%\Microsoft\Credentials and is encrypted with that user's DPAPI master key, so one user, and even an administrator who does not have that user's password, cannot read another profile's OneDrive entries. Two consequences matter on shared workstations, Remote Desktop Session Hosts and lab machines. First, the entry that survives a Windows sign-out is the user's own: the same person keeps coming back to the same OneDrive account until the entry is removed or the PC is unlinked. Second, removing entries from one profile does nothing for the others, so any cleanup has to run in each user's own context, for example as a logoff script, and a machine-wide deletion is not possible.
OneDrive Startup Behavior on New Profiles
On a per-user install, every new profile inherits the Default profile's Run value named OneDriveSetup (in C:\Users\Default\NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Run), which runs OneDriveSetup.exe /thfirstsetup during the first sign-in. Setup copies the sync app to %LOCALAPPDATA%\Microsoft\OneDrive, registers the per-user OneDrive value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so the app starts at every later sign-in, and launches it. That first launch is where the account is decided: with SilentAccountConfig enabled the app signs in with the session's identity and shows no window; with the policy disabled or absent it shows the sign-in window. Per-machine installs keep the sync app under %ProgramFiles%\Microsoft OneDrive and do not need the Default-profile setup value, but the same policy still decides whether a prompt appears.
Admin Checklist to Force OneDrive to Prompt for Credentials on New Profiles
Use the following sequence of steps to ensure that every new Windows user profile sees the OneDrive sign-in prompt and does not reuse a cached account. Complete each step on a reference machine and then deploy the configuration via Group Policy or Microsoft Intune.
- Disable silent sign-in via Group Policy
Open the Group Policy Management Console and edit a GPO linked to the organizational unit that contains the affected devices. Navigate to Computer Configuration > Administrative Templates > OneDrive. This folder only appears once OneDrive.admx and OneDrive.adml from the sync app are in the Central Store; the Windows Components > OneDrive folder from the in-box Windows templates does not contain this setting. Double-click Silently sign in users to the OneDrive sync app with their Windows credentials, set it to Disabled and click OK. The GPO then writes SilentAccountConfig = 0 under HKLM\SOFTWARE\Policies\Microsoft\OneDrive, and the sync app shows the sign-in window instead of using the Windows session's identity.
- Remove existing cached OneDrive credentials
Credential Manager is per user, so do this in the session of every user whose profile stays on the machine. Open Credential Manager by typing credential manager in the Start menu, click Windows Credentials and look under Generic Credentials for entries whose name begins with OneDrive Cached Credential (and any MicrosoftOffice entries for the same account). Expand each entry, click Remove and confirm. That user's next OneDrive launch prompts again; other profiles are unaffected because their vaults are separate.
- Stop OneDrive Setup from running on first sign-in (per-user installs)
On a per-user install the Default profile hive seeds a Run value named OneDriveSetup that launches OneDriveSetup.exe /thfirstsetup for every new profile. On the reference image, load C:\Users\Default\NTUSER.DAT under HKEY_USERS with reg load, delete the OneDriveSetup value from its Software\Microsoft\Windows\CurrentVersion\Run key, and unload the hive again. New profiles then get no automatic setup and no automatic launch. Be aware that on a per-user install nothing else installs the sync app for those users afterwards; if they still need OneDrive, convert the image to a per-machine install (OneDriveSetup.exe /allusers) so OneDrive.exe lives under %ProgramFiles%\Microsoft OneDrive and can be started from the Start menu, and rely on the silent sign-in policy alone to guarantee the prompt.
- Restrict sync to domain-joined devices
Sign into the SharePoint admin center, go to Settings > Sync and select Allow syncing only on computers joined to specific domains. The setting takes domain GUIDs, not DNS names: use the ObjectGUID that Get-ADDomain returns for each domain, enter it and save. This keeps devices that are not members of your domain from syncing at all. It is a containment step, not a fix for the account choice: a member device with silent sign-in enabled still picks the session identity.
- Deploy the configuration via Intune (if using MDM)
In the Intune admin center, go to Devices > Configuration and create a profile for Windows 10 and later with the Settings catalog profile type. Search for OneDrive, add Silently sign in users to the OneDrive sync app with their Windows credentials and set it to Disabled. Assign the profile to the device group that contains the shared or multi-user workstations. The Default-profile change is not a policy setting, so bake it into the image or deliver it with an Intune platform script that runs in the system context.
- Test on a clean Windows profile
Create a new local or domain user account on a test device and sign in with it. Open OneDrive from the Start menu. Verify that the sign-in window appears and is not pre-filled with a previous user's email address, then sign in with the new user's credentials. Confirm that sync starts and that Credential Manager in that session now contains an OneDrive Cached Credential entry for this user only. Finally sign out and back in as the same user to confirm OneDrive resumes with the account that was chosen, not some other one.
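The machine-side steps of the checklist as one script, added here as an example; it is not code from the original article or from Microsoft. It writes the same SilentAccountConfig value the GPO sets, removes the OneDriveSetup Run value from the Default profile hive, and reports whether both conditions hold so the result can be checked before a clean-profile test. It assumes a per-user OneDrive install and local administrator rights; the function names and the temporary hive name OneDrive_DefaultProfile are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article. Configures a reference machine so
# that new profiles are never signed in to OneDrive silently, then verifies the result.
# Assumptions: per-user OneDrive install (OneDriveSetup.exe seeded from the Default
# profile) and a GPO or Intune policy that will later enforce the same policy value.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$DefaultHive = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$HiveMount   = 'OneDrive_DefaultProfile'   # temporary name under HKEY_USERS (my choice)

function Disable-OneDriveSilentSignIn {
    # Same registry value the GPO "Silently sign in users to the OneDrive sync app with
    # their Windows credentials" writes when the setting is Disabled.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'SilentAccountConfig' -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

function Invoke-WithDefaultProfileHive {
    # Loads C:\Users\Default\NTUSER.DAT under HKEY_USERS, runs $Action with the path of
    # its Run key as the only argument, and always unloads the hive again.
    param([Parameter(Mandatory)][scriptblock]$Action)
    & reg.exe load "HKU\$HiveMount" $DefaultHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
    try {
        $runKey = "Registry::HKEY_USERS\$HiveMount\Software\Microsoft\Windows\CurrentVersion\Run"
        & $Action $runKey
    } finally {
        # Release registry handles held by the provider so reg unload does not fail.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$HiveMount" | Out-Null
    }
}

function Get-OneDriveSetupRunValueName {
    # Names of Run values under $RunKey whose data launches OneDriveSetup.exe.
    param([Parameter(Mandatory)][string]$RunKey)
    if (-not (Test-Path $RunKey)) { return }
    $run = Get-ItemProperty -Path $RunKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -in @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) { continue }
        if ("$($p.Value)" -like '*OneDriveSetup.exe*') { $p.Name }
    }
}

function Remove-OneDriveFirstSignInSetup {
    # Deletes the seeded value so OneDriveSetup.exe /thfirstsetup no longer runs for new
    # users. On a per-user install nothing else installs the sync app for them afterwards;
    # use a per-machine install (OneDriveSetup.exe /allusers) if they still need OneDrive.
    Invoke-WithDefaultProfileHive {
        param($runKey)
        foreach ($name in @(Get-OneDriveSetupRunValueName -RunKey $runKey)) {
            Remove-ItemProperty -Path $runKey -Name $name
            Write-Output "Removed Default-profile Run value '$name'"
        }
    }
}

function Test-OneDriveNewProfilePrompt {
    # WillPromptNewUsers is $true when silent sign-in is not enabled by policy (value 0 or
    # absent) AND the Default profile no longer seeds OneDriveSetup for new users.
    $silent = (Get-ItemProperty -Path $PolicyKey -Name 'SilentAccountConfig' `
                   -ErrorAction SilentlyContinue).SilentAccountConfig
    $seeded = @(Invoke-WithDefaultProfileHive { param($runKey) Get-OneDriveSetupRunValueName -RunKey $runKey })
    [pscustomobject]@{
        SilentAccountConfig    = $silent
        DefaultProfileSetupRun = $seeded
        WillPromptNewUsers     = ($silent -ne 1) -and ($seeded.Count -eq 0)
    }
}

Disable-OneDriveSilentSignIn
Remove-OneDriveFirstSignInSetup
Test-OneDriveNewProfilePrompt | Format-List
```

Run it once on the reference machine before capturing the image, then run Test-OneDriveNewProfilePrompt again after the GPO or Intune profile has applied: if WillPromptNewUsers flips back to False, a higher-precedence policy is re-enabling silent sign-in. Skip Remove-OneDriveFirstSignInSetup on per-machine installs, where the Default profile carries no OneDriveSetup value and the policy alone decides whether a prompt appears.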
If OneDrive Still Uses the Wrong Account After Applying the Checklist
OneDrive continues to auto-sign in with a cached account on new profiles
Check that the OneDrive administrative templates are present and current. The sync app ships its own OneDrive.admx and OneDrive.adml under %LOCALAPPDATA%\Microsoft\OneDrive\<version>\adm (per-user install) or %ProgramFiles%\Microsoft OneDrive\<version>\adm (per-machine install); copy them to the Central Store on a domain controller (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, with the .adml in its language subfolder). Without them the setting Silently sign in users to the OneDrive sync app with their Windows credentials does not appear in the editor at all, and an outdated copy may be missing it. Then verify that the GPO is linked to the correct OU and that no higher-precedence GPO, and no Intune profile, sets the same setting to Enabled. On the test device run gpresult /h report.html and confirm that the report shows the setting as Disabled; because it is a computer setting, a gpupdate /force or a reboot is needed before a freshly linked GPO shows up. The applied result is also visible directly in the registry as SilentAccountConfig = 0 under HKLM\SOFTWARE\Policies\Microsoft\OneDrive.
Old cached credential reappears after deletion
Every successful OneDrive sign-in writes a fresh OneDrive Cached Credential entry into that user's vault, and the entry survives a Windows sign-out; it only disappears when the user unlinks the PC in OneDrive's settings or deletes the entry. So on a shared machine the returning user is silently signed back in to whatever account they used last, even with silent sign-in disabled. Because the vault is per user, the cleanup has to run in the user's own context: deploy a PowerShell logoff script (User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logoff) that lists the entries with cmdkey /list and removes every target whose name contains OneDrive Cached Credential with cmdkey /delete. This also signs the same user out of OneDrive for their next session, which is the intended effect on shared workstations but a nuisance on dedicated devices, so scope the GPO to the shared-device OU only.
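A logoff script for the cleanup described above, and equally usable for step 2 of the checklist when run interactively in a user's session. It is an added example, not code from the original article or from Microsoft. It assumes the sync app names its generic credentials with the prefix OneDrive Cached Credential (matched with a wildcard so variants such as OneDrive Cached Credential Business - <id> are caught) and that cmdkey /list prints each entry as a Target: line; the function names and the log file name are mine.

```powershell
# Added example, not part of the original article. Per-user logoff script that removes the
# signed-out user's OneDrive entries from their own Credential Manager vault so the next
# OneDrive launch in that profile prompts again. Deploy via User Configuration >
# Windows Settings > Scripts (Logon/Logoff) > Logoff; it runs in the user's context,
# which is the only context that can see this user's DPAPI-protected vault.

function Get-OneDriveCachedCredentialTarget {
    # cmdkey /list prints one block per entry, for example
    #     Target: LegacyGeneric:target=OneDrive Cached Credential Business - {guid}
    # Return the bare target name, which is what cmdkey /delete expects.
    # $CmdkeyOutput can be supplied explicitly (e.g. constructed lines) for testing.
    param([string[]]$CmdkeyOutput = (& cmdkey.exe /list))
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(?:LegacyGeneric:target=)?(?<name>.*OneDrive Cached Credential.*?)\s*$') {
            $Matches['name']
        }
    }
}

function Remove-OneDriveCachedCredential {
    # Deletes every matching entry and returns the names removed. Supports -WhatIf so the
    # script can be dry-run in a user session before it is deployed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $removed = @()
    foreach ($target in @(Get-OneDriveCachedCredentialTarget)) {
        if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
            & cmdkey.exe "/delete:$target" | Out-Null
            if ($LASTEXITCODE -eq 0) { $removed += $target }
            else { Write-Warning "cmdkey could not delete '$target' (exit code $LASTEXITCODE)" }
        }
    }
    return $removed
}

# Main body: clean up and leave a one-line trace in the user's temp folder for support.
$removed = @(Remove-OneDriveCachedCredential)
"$(Get-Date -Format s) removed $($removed.Count) OneDrive credential(s): $($removed -join '; ')" |
    Add-Content -Path (Join-Path $env:TEMP 'OneDriveLogoffCleanup.log')
```

To see what the script would touch without deleting anything, dot-source it in a test user's session and call Remove-OneDriveCachedCredential -WhatIf; to check the parser against a captured listing, pass the lines to Get-OneDriveCachedCredentialTarget -CmdkeyOutput. Entries for other users never appear in the output, because cmdkey only lists the calling user's vault.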
OneDrive does not start at all on new profiles
If you disabled silent sign-in and also removed the first-sign-in setup, users must launch OneDrive themselves. Group Policy Preferences has no item for pinning to the taskbar, but you can give users a visible shortcut: navigate to User Configuration > Preferences > Windows Settings > Shortcuts and create a shortcut on the Desktop or in the Start Menu that targets %ProgramFiles%\Microsoft OneDrive\OneDrive.exe on a per-machine install, or %LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe on a per-user install. On a per-user install that target only exists once OneDriveSetup.exe has run for the user, so if you removed the setup value from the Default profile, a per-machine install is the combination that actually leaves users with something to click.
OneDrive Sign-in Methods for New Profiles: Silent Sign-in vs Manual Sign-in
| Item | Silent sign-in (SilentAccountConfig = 1) | Manual sign-in (policy Disabled or not set) |
|---|---|---|
| Trigger | Sync app starts and requests a token for the Entra ID identity attached to the Windows session | User clicks Sign in and completes the tenant's sign-in flow |
| User experience | No prompt; whatever identity the session presents becomes the OneDrive account | Full sign-in window; the user chooses the account |
| Credential storage | Per-user OneDrive Cached Credential entry in Credential Manager, written after the silent sign-in succeeds | Per-user OneDrive Cached Credential entry in Credential Manager, written after the user signs in |
| Risk of wrong account | Present whenever the session identity is not the user's intended account; the user gets no chance to notice before sync starts | Low; the user sees and confirms the account before anything syncs |
| Admin control | Turned on by the policy Silently sign in users to the OneDrive sync app with their Windows credentials | The default whenever that policy is Disabled or absent |
| Best for | Entra ID joined single-user devices where the Windows account and the OneDrive account are always the same person | Shared workstations, RDS hosts, lab computers |
After completing this checklist, every new Windows profile sees the OneDrive sign-in window and chooses its own account; nothing is inherited from another profile, because Credential Manager vaults are per user. What can still carry over on a shared machine is a user's own previous sign-in, so keep the logoff script that deletes the OneDrive Cached Credential entries from that user's vault at every sign-out. With it in place, the next launch of OneDrive in that profile prompts again, whether the person returning is the same user or someone signing in to the device for the first time.