Section 23.5. Local Users and Groups: All Versions | Windows Vista: The Missing Manual

23.5. Local Users and Groups: All Versions

The control panels you've read about so far in this chapter are designed for simplicity and convenience, but not for power. Windows offers a second way to create, edit, and delete accounts: an alternative window that, depending on your taste for technical sophistication, is either intimidating and technicalor liberating and flexible.

It's called the Local Users and Groups console.

23.5.1. Opening the Console

You can open up the Local Users and Groups window in any of several ways:

Choose Start Control Panel Classic View Administrative Tools Computer Management. Authenticate yourself (page 191). Click the Local Users and Groups icon in the left pane of the window.
Choose Start Run, type Lusrmgr.msc , and click OK. Authenticate yourself.
Open the Start menu and type comput . The Search results list Computer Management. Double-click it, and then authenticate yourself. In the list at the left side, expand the Local Users and Groups flippy triangle; click the Users folder inside it.
Domain PCs only: Choose Start Control Panel. Click User Accounts User Accounts Manage User Accounts. Click the Advanced tab, then click the Advanced button.

In any case, the Local Users and Groups console appears, as shown in Figure 23-8.

Figure 23-8. Local Users and Groups is a Microsoft Management Console (MMC) snap-in. MMC is a shell program that lets you run most of Windows's system administration applications. An MMC snap-in typically has two panes. You select an item in the left (scope) pane to see information about it displayed in the right (detail) pane .

In this console, you have complete control over the local accounts (and groups, as described in a moment) on your computer. This is the real, raw, unshielded command center, intended for power users who aren't easily frightened.

The truth is, you probably won't use these controls much on a domain computer. After all, most people's accounts live on the domain computer, not the local machine. You might occasionally have to log in using the local Administrator account to perform system maintenance and upgrade tasks , but you'll rarely have to create new accounts.

Workgroup computers (on a small network) are another story. Remember that you'll have to create a new account for each person who might want to use this computeror even to access its files from across the network. If you use the Local Users and Groups console to create and edit these accounts, you have much more control over the new account holder's freedom than you do with the User Accounts control panel.

23.5.2. Creating a New Account

To create a new account in the Local Users and Groups console, start by double-clicking the Users folder in the middle of the window. It opens to show you a list of the accounts already on the machine. It includes not only the accounts you created during the Vista installation (and thereafter), but also the Guest and secret Administrator accounts described earlier in this chapter.

To create a new account, choose Action New User. In the New User dialog box (Figure 23-9), type a name for the account, the persons full name , and if you like, a description. (The description can be anything you like, although Microsoft no doubt has in mind "Shipping manager" rather than "Short and balding.")

Figure 23-9. When you first create a new user, the "User must change password at next logon" checkbox is turned on. It's telling you that no matter what password you make up when creating the account, your colleague will be asked to make up a new one the first time he logs in. This way, you can assign a simple password (or no password at all) to all new accounts, but your underlings will still be free to devise passwords of their own choosing, and the accounts won't go unprotected .

In the Password and Confirm Password text boxes, specify the password that your new colleague will need to access the account. Its complexity and length are up to your innate sense of paranoia .

Tip: If you can't create a new account, it's probably because you don't have the proper privileges yourself. You must have an Administrator account (page 669) or belong to the Administrators group (page 685).

If you turn off the "User must change password at next logon" checkbox, you can turn on options like these:

User cannot change password . This person won't be allowed to change the password that you've just made up. (Some system administrators like to maintain sole control over the account passwords on their computers.)
Password never expires . Using software rules called local security policies , an administrator can make account passwords expire after a specific time, periodically forcing employees to make up new ones. It's a security measure designed to foil intruders who somehow get hold of the existing passwords. But if you turn on this option, the person whose account you're now creating will be able to use the same password indefinitely, no matter what the local security policy says.
Account is disabled . When you turn on this box, this account holder won't be able to log on. You might use this option when, for example, somebody goes on sabbaticalit's not as drastic a step as deleting the account, because you can always reactivate the account by turning the checkbox off. You can also use this option to set up certain accounts in advance, which you then activate when the time comes by turning this checkbox off again.

Note: When an account is disabled, a circled down-arrow badge appears on its icon in the Local Users and Groups console. (You may have noticed that the Guest account appears this way when you first install Windows Vista.)

When you click the Create button, you add the new account to the console, and you make the dialog box blank again, ready for you to create another new account, if necessary. When you're finished creating accounts, click Close to return to the main console window.

23.5.3. Groups

As you may have guessed from its name, you can also use the Local Users and Groups window to create groups named collections of account holders.

Suppose you work for a small company that uses a workgroup network. You want to be able to share various files on your computer with certain other people on the network. You'd like to be able to permit them to access some folders, but not others. Smooth network operator that you are, you solve this problem by assigning permissions to the appropriate files and folders (page 692).

In fact, you can specify different access permissions to each file for each person . But if you had to set up these access privileges manually for every file on your hard drive, for every account holder on the network, you'd go out of your mindand never get any real work done.

That's where groups come in. You can create one groupcalled Trusted Comrades, for exampleand fill it with the names of every account holder who should be allowed to access your files. Thereafter, it's a piece of cake to give everybody in that group access to a certain folder, in one swift step. You end up having to create only one permission assignment for each file, instead of one for each person for each file.

Furthermore, if a new employee joins the company, you can simply add her to the group. Instantly, she has exactly the right access to the right files and folders, without your having to do any additional work.

23.5.3.1. Creating a group

To create a new group, click the Groups folder in the left side of the Local Users and Groups console (page 681). Choose Action New Group. Into the appropriate boxes (Figure 23-10), type a name for the group, and a description, if you like. Then click Add.

Figure 23-10. The New Group dialog box lets you specify the members of the group you are creating. A group can have any number of members , and a person can be a member of any number of groups .

A Select Users dialog box appears. Here, you can specify who should be members of your new group. Type each account-holder's name into the text box, separated by semicolons, and then click Check Names to make sure you spelled them right. (You can always add more members to the group, or remove them later.)

Finally, click OK to close the dialog box, and then click Create to add the group to the list in the console. The box appears empty again, ready for you to create another group.

23.5.3.2. Built-in groups

You may have noticed that even the first time you opened the Users and Groups window, a few group names appeared there already. That's because Windows comes with a canned list of ready-made groups that Microsoft hopes will save you some time.

For example, when you use the User Accounts control panel program to set up a new account, Windows automatically places that person into the Standard or Administrators group, depending on whether or not you made him an administrator (page 669). In fact, that's how Windows knows what powers and freedom this person is supposed to have.

Here are some of the built-in groups on a Vista computer:

Administrators . Members of the Administrators group have complete control over every aspect of the computer. They can modify any setting, create or delete accounts and groups, install or remove any software, and modify or delete any file.

But as Spiderman's uncle might say, with great power comes great responsibility. Administrator powers make it possible to screw up your operating system in thousands of major and minor ways, either on purpose or by accident . That's why it's a good idea to keep the number of Administrator accounts to a minimumand even to avoid using one for everyday purposes yourself.

NOSTALGIA CORNER
The Double-Thick Security Trick

If you use Windows Vista in a corporation, you may see the startup box shown here when you first turn on the machine. You don't proceed to the Classic logon box (Figure 23-12) until you first press Ctrl+Alt+Delete.

This somewhat inconvenient setup is intended as a security feature. By forcing you to press Ctrl+Alt+Delete to bypass the initial Welcome box, Windows rules out the possibility that some sneaky program (such as a Trojan-horse program), designed to look like the Classic logon box, is posing as the Classic logon boxin order to "capture" the name and password you type there.

This two-layer logon system is what you get when you add your PC to a network domain during the Windows Vista installation. If you want to use it on a workgroup machine, you can, but you have to do a little digging to find it. Press +R to open the Run dialog box; type control Userpasswords2 , and then press Enter. Authenticate yourself (page 191). You see the program shown on page 680the old-style User Accounts box. Click the Advanced tab.

At the bottom of the Advanced tab, turn on "Require users to press Ctrl+Alt+Delete," and then click OK. From now on, turning on the PC greets you not with a logon screen, but with the unfakeable Welcome box shown here.

Power Users . Members of this group were a big deal in Windows XPthey had fewer powers than Administrators, but still more than mere mortals in the Users group. But Microsoft felt that they added complexity and represented yet another potential security hole. In Vista, this group is essentially abandoned .
Users . Standard account holders (page 669) are members of this group. They can access their own Start menu and desktop settings, their own Documents folders, the Shared Documents folder, and whatever folders they create themselvesbut they can't change any computer-wide settings, Windows system files, or program files.

If you're a member of this group, you can install new programsbut you'll be the only one who can use them. That's by design; any problems introduced by that program (viruses, for example) are limited to your files and not spread to the whole system.

If you're the administrator, it's a good idea to put most new account holders into this group.
Guests . If you're in this group, you have pretty much the same privileges as members of the Users group. You lose only a few nonessential perks, like the ability to read the computer's system event log (a record of behind-the-scenes technical happenings).

In addition to these basic groups, there are some special-purpose groups like Backup Operators, Replicator, Cryptographic Operators, Event Log Readers, and so on. These are all groups with specialized privileges, designed for high-end network administration. You can double-click one (or widen its Description column) to read all about it.

Note: You can add an individual account to as many groups as you like. That person will have the accumulated rights and privileges of all of those groups.

23.5.4. Modifying Users and Groups

To edit an account or group, just double-click its name in the Local Users and Groups window. A Properties dialog box appears, as shown in Figure 23-11.

Figure 23-11. In the Properties dialog box for a user account, you can change the full name or description, modify the password options, and add this person to, or remove this person from, a group. The Properties dialog box for a group is simpler still, containing only a list of the group's members .

You can also change an account password by right-clicking the name and choosing Set Password from the shortcut menu. (But see page 676 earlier in this chapter for some cautions about this process.)