Managing Users


Modern versions of Windows, the branch of the family tree that includes Windows NT, Windows 2000, and Windows XP, incorporate the distinct concept of a "user." Given your username and password, besides applying your preferences for the desktop and applications, Windows can track which of several dozen privileges you should be allowed to exercise, including the right to install new software, change other users' passwords, access the computer remotely via a network, or, when your disk is formatted appropriately, access any given file. Here are the elements of the Windows environment that are or can be user-specific:

  • Your User Profile, a folder under \Documents and Settings in which your personal files are stored. This includes your My Documents folder, your Desktop folder, personal Start menu additions, the Outlook or Outlook Express mailbox and address book files, Favorites (bookmarks), temporary files, and the files that contain your personal Registry entries.

  • Registry entries under the HKEY_CURRENT_USER branch and custom additions to HKEY_CLASSES_ROOT, which are used to store your software preferences.

  • Environment variables such as PATH and TEMP, which control the behavior of many programs (the information for these is stored in the Registry, but it is set through the System Properties control panel; Chapter 9, "Windows Commands and Scripting," discusses environment variables in more detail).

  • File and folder access permissions, for files stored on disks with NTFS formatting

  • Shared network printer, file, and folder access permissions

  • Windows management and configuration permissions, such as the ability to change the clock, install hardware, or back up the hard disk

  • On a corporate network with Active Directory, automatic installation of application software

This is a huge improvement over Windows 9x, where anyone could use the computer with or without a password, and do anything he wanted with it. And, although you certainly can configure Windows 2000/XP to be just as indiscriminate, it's in your own best interest to take full advantage of Windows' security features. In this section I'll give you a bit of background on the Windows security system, and then we'll go over how to set up and manage user accounts. If you want to get right to it, skip ahead to "Adding and Deleting User Accounts from the Control Panel" later in this chapter.

Note

The use of the word account in computers goes back to the days of mainframe and time-shared computers that were so expensive that you were charged by the hour, or maybe even the second, of computer use. Your username told the company or university whom to charge. In Windows, an account is a collection of files and security settings identified by a username and optionally secured by a password.


Domain and Workgroup Environments

Windows was designed to work in both the home/small office environment and the corporate environment, and these two worlds have distinctly different security needs and management techniques. For home and small office use, convenience and minimal cost are the key parameters. In the corporate world, centralized management, delegation, and fine-grained control are the key concerns. I'll briefly describe how Windows addresses these two distinctly different sets of needs.

Windows uses two different security models, called the Workgroup model and the Domain model, respectively. The difference is illustrated in Figure 5.1.

Figure 5.1. In the Workgroup model, user accounts are maintained separately on each computer. In the Domain model, user accounts are centralized.

In the Workgroup model , each computer maintains its own list of user accounts. You can see in the figure that user Mary has accounts on all three computers. Spiff has accounts on just two. Norm has accounts on all three, but on one computer, the password is different. This illustrates the important features of Workgroup security:

  • User accounts and passwords, called local accounts in this model, have to be entered on each computer separately. This is fine if you have only a few computers, or if each person uses just one computer. If you want any person to be able to use any of your computers, though, you have to create a user account on each one.

  • If a user changes her password, the change has to be made at each computer separately. (This is discussed further in Chapter 7, "Networking Windows.")

  • Although this form of security is a bit more difficult to administer, it's less expensive because you don't need an additional central server or expensive Server operating system.

  • Anyone knowing the password to a "Computer Administrator" account on a given computer can do anything at that computer: change user accounts, view files, or reconfigure anything.

  • Additional entries, called local groups , can be created (although on XP Home Edition, it's not easy). These consist of lists of users, and you can grant file privileges to groups as well as users. If you're protecting sensitive files, for example, it's easier to make one group for, say, all managers, and use that to control access to folders, than to have to add each manager's name to each folder.

With the Domain model, each computer is connected to a network, and when a user attempts to sign on, the computer refers to a computer running Windows NT Server, Windows 2000 Server, or Windows Server 2003 to see whether the name and password are recognized. The important points are as follows:

  • The centralized list of usernames and passwords ensures that nobody has to visit each and every computer to add or remove user accounts.

  • A user has only one password to remember; it's recognized at every computer in the organization.

  • In a large organization, the added cost of a central server (or servers) and the more expensive Server operating system is more than offset by the savings in maintenance and the increased security.

  • With Microsoft's Active Directory software, assignment of security privileges and delegation of management rights can be extremely well controlled. Although a master network manager can indeed "do anything," the ability to add users and computers, control file security, or access files and folders can be delegated along the company's organizational lines at any level of detail; for instance, department managers might be given the ability to change just their direct subordinates' passwords, and not to make any changes in network configuration at all.

  • Large organizations usually have more than one domain server, as insurance against failure and for speedier access at distant worksites. Management updates (like password changes) entered into any one server automatically propagate to the others.

  • Accounts created in the domain server are called global accounts because they're recognized by every computer, and computers on the network are called domain members. Likewise, global groups can be created and used to manage security on files and folders.

  • Computers on a domain network can also have local accounts and groups, which apply just to the one individual computer. There is usually a local Administrator account that can be used, for example, to install hardware drivers, but this local Administrator logon can't manage the domain server.

What this boils down to is this: If you use your computer on a corporate domain network, you probably can't make any changes to the computer's security setup, not if your organization's network manager did his job correctly. You can skim this section, though, to get an idea of what is going on behind the scenes. However, if you are setting up your own computer for your personal use, or for a small office, read on. You'll see how to use the workgroup model to create individual local accounts, and how to take best advantage of the limited but important security features available to you.

Tip

How do you tell whether your computer is set up for domain or workgroup-type security? Click Start, right-click My Computer, select Properties, and select the Computer Name tab. Under Full Computer Name, the dialog will have the word Workgroup or Domain.


Note

Windows XP Home Edition, by the way, can't be part of a domain network; it uses the Workgroup model only.


Account Types

When you log on, Windows consults a database that it keeps hidden away on your hard disk (for local accounts), or on a networked domain server (for domain accounts). Along with your password, this database contains settings that determine exactly what you are allowed to do with the computer, such as change other users' passwords. Some of these permission settings are associated directly with your account, but most are inherited through a system called User Groups, which are lists of one or more usernames. Permissions to read files and change Windows settings are usually assigned to groups, and you inherit any privileges assigned to the groups of which you're a member.

User accounts can be customized to some extent, but basically fall into one of four categories, which are, in increasing order of privilege,

  • Guests

  • Limited Users

  • Power Users

  • Computer Administrators

I'll briefly discuss each of these in turn.

Guest Accounts

Guest accounts have minimal access rights; they can run programs but generally cannot make any changes to the system, nor save any files in shared folders. In addition, the account's User Profile (a folder created under \Documents and Settings that contains the Registry settings, preferences, application-specific files, and the My Documents folder) is automatically deleted after the user logs out, and created afresh when the next person uses the account.

Guest accounts are fine for public settings, but probably are not a good idea for a houseguest who'll be staying for a few days, and who might be irked if she creates a document that disappears as soon as she logs off.

By default, a single Guest-type account is set up when you install Windows XP. The account name is (big surprise) Guest . It has no password assigned, and it is also disabled by default, so that it can't be used unless you take steps to enable it. We'll talk more about that later in this chapter.

Computer Administrators

With a Computer Administrator account you can make any change, read or write any file, or, well, do anything that a Windows user can do. In addition, while logged on with a Computer Administrator account, any software you run has full access to the computer. This is, of course, a good thing when you're installing a new device or a new application, but it's a terrible risk for day-to-day use, as any virus or other bad software that you might run inadvertently will also have full access to your computer.

Note

You might be tempted to configure a file's permissions to prevent even Computer Administrator users from reading it. You can do this. But, Computer Administrators have a privilege that lets them take ownership of any file, and as owner, they can change the file's read/write permissions so that they can read the file. So, don't assume that you can outsmart the Administrator!


Power Users

A Power User can change some settings, for instance the screensaver and Power Management, and can install minor application programs as long as they don't replace any Windows components. Serious changes to Windows, such as networking configuration, system-wide settings, and device driver management, are not allowed. This is the type of account to create for yourself for day-to-day use of the computer. Keep in mind, though, that Power Users is a convenience setting rather than a hard security boundary: the group can write to much of the Program Files folder and to the HKEY_LOCAL_MACHINE\Software branch of the Registry, which Limited Users cannot, so a virus that runs under a Power User account can alter programs that other users, Administrators included, will later run. However, for reasons that I can't fathom, the Power User category is available only in Windows 2000 Professional and Windows XP Professional, and is not available on Windows XP Home Edition.

Limited Users

Limited Users can log on, save files, and run most programs, but cannot install software, configure Windows, change security settings, or do much else that doesn't involve the user's own personal data. Limited User accounts are ideal for home systems, and are meant for kids, houseguests, and relatives; in general, anyone whom you want to let use your computer, but whom you're worried might accidentally cause a problem.

Limited User accounts can also be annoying for this same reason, as users can't even change the screensaver or the fonts Windows uses.

Windows XP Home Edition offers only two choices, Limited or Computer Administrator accounts, which I find problematic: Limited accounts are too limited, and for day-to-day use, Computer Administrator accounts are too powerful. Personally, I prefer to use Windows XP Professional so that I can have a Power User-type account. I use the Administrator logon only when I need to make a serious change or install an application (and then, I usually use runas rather than logging off and back on; we'll discuss runas later in this chapter).

Default Accounts and Groups

When you install Windows 2000 or XP, several standard local user accounts and user groups are created as part of the installation process. Some of these are used for maintenance, and some Windows uses internally. You can, and should, add additional personal accounts for your own use. We'll cover that shortly. Here, though, are the default entries that you'll encounter when you go to add your own.

Table 5.1 lists the local user accounts installed with Windows XP. Some additional user accounts are created if you install Internet Information Services on Windows XP Professional. In addition, several local groups are created, as listed in Table 5.2.

Table 5.1. Default Local Users

  • Administrator: The built-in administrator account. It gets its ability to make any change from its membership in the Administrators group; it can be renamed, but not deleted or removed from that group.

  • ASPNET [*]: The account under which ASP.NET web server applications run; it has just enough privilege and file access to do that job and is restricted from the rest of the computer.

  • Guest: The account that can be used to let unknown users log on with no password. It can be disabled for logon, but when Simple File Sharing is enabled it is still the account whose permissions are checked for file access over the network.

  • HelpAssistant [†]: The account used by Remote Assistance. It exists, disabled, from installation and is enabled automatically when you issue a Remote Assistance request; the person you've asked for help connects to your computer under this account.

  • IUSR_xxx [*]: The account used for anonymous access via the IIS web server; xxx is the name of your computer. In other words, the general public can view only web pages that are readable by IUSR_xxx (or by Everyone).

  • IWAM_xxx [*]: The account under which the IIS web server runs "out-of-process" (CGI and ASP) web applications.

  • SUPPORT_nnnnnnnn: The logon account used by the Help and Support service for vendor remote support; nnnnnnnn is an eight-digit hexadecimal number. Like Guest, it is disabled by default.

[*] Only on Windows 2000 Professional and Windows XP Professional with Internet Information Services installed.

[†] Windows XP only.

Table 5.2. Default Local Groups

  • Administrators: Members of this group have Computer Administrator privileges, by virtue of the long list of User Rights Assignments granted to this group by default (see Table 5.5).

  • Backup Operators: Members of this group can back up and restore any file on the computer, regardless of its permissions. Because the restore right lets them overwrite any file, including Windows' own, treat membership as nearly equivalent to Administrators. This group is generally created also as a Domain group and used for access by remote, network-based backup services.

  • Guests: By default, contains only the Guest user account, which is disabled by default and has an absolute minimum of privileges. Guest accounts were discussed earlier in the chapter.

  • HelpServicesGroup: Used for the special accounts associated with support applications such as Remote Assistance; not meant for normal user accounts. The group exists so that permissions and privileges can be assigned to all support applications collectively.

  • Network Configuration Operators: Members of this group can change network TCP/IP settings, and force the release and renewal (repair) of DHCP addresses.

  • Power Users [*]: Power Users have limited management ability; for example, they can configure the screensaver and install some software, but not modify Windows itself. Power Users can share printers and folders, but not install new hardware.

  • Remote Desktop Users [†]: Members of this group are allowed to log on via Remote Desktop. Membership can be edited directly or via the Remote tab of the System Properties dialog. (In addition, accounts must have a password set in order to connect via Remote Desktop.)

  • Replicator: Used on domain networks by the file replication service to copy files from a domain server to the local computer automatically. Don't add normal user accounts to this group.

  • TelnetClients [*]: Members of this group are allowed to log on via the Telnet service.

  • Users: By default, every local user account you create is placed in this group; it assigns the basic access rights for anyone who has a valid, normal logon account.

[*] Windows 2000 Professional and Windows XP Professional only.

[†] Windows XP Professional only.

Security Principals

User and group names can be used when you're assigning permissions to files and folders. There is an additional set of names called security principals that are like groups in that you can specify them as having access to files, folders, or other objects. However, their "membership" is contextual. When Windows encounters one of these names in an access control list, it evaluates whether the current user or program has a designated characteristic. For example, if I designate that the "SERVICE" entity is to be granted access to a certain folder, any Windows Service will be able to access the folder, no matter what user account the service is using. These entities can also be used to deny access; for example, a Deny entry for entity NETWORK would mean that a user could access a file while logged on locally, but would not be able to access the file over the network. Table 5.3 lists the built-in security principals.

Table 5.3. Built-in Security Principals

  • ANONYMOUS LOGON: Network access with no username or password supplied (used, for instance, to let an unknown network user see the list of shared folders without having access to any files).

  • Authenticated Users: Any user who logged on with a recognized account name and, if required, password. Exception: the Guest account is never considered an Authenticated User.

  • BATCH: A program that is not attached to the keyboard and mouse; for example, a program run by the Task Scheduler.

  • CREATOR GROUP: In an access control list, represents the primary group of the object's owner.

  • CREATOR OWNER: The user who created and thus owns the object (for example, a file or folder). In an entry on a folder that is inherited by new files, it stands for whoever creates each file.

  • DIALUP: Users who are attempting access via a dial-up modem or Virtual Private Network (VPN) connection.

  • Everyone: Any user using any means of connection, including Guest but, on Windows XP, not anonymous network connections.

  • Enterprise Domain Controllers: Access by a computer that is a domain controller.

  • INTERACTIVE: A user who is logged on via the keyboard and video display.

  • LOCAL SERVICE: A program running as a Windows Service under the Local Service account; on the network it presents no credentials, so it gets only anonymous access.

  • NETWORK: A user who is accessing the computer over the network, for example via file sharing.

  • NETWORK SERVICE: A program running as a Windows Service under the Network Service account; on the network it authenticates as the computer. This service cannot interact with the desktop.

  • REMOTE INTERACTIVE LOGON: A user who has logged on via Remote Desktop.

  • Restricted: A program running under a restricted security context, that is, a token from which some groups and privileges have been stripped, such as one started with the "Protect my computer and data from unauthorized program activity" option of the Run As dialog.

  • Self: The user, group, or computer object in which this entry appears (Active Directory only); used, for instance, in permission lists to let users change their own passwords.

  • SERVICE: Any program that is running as a Windows Service.

  • SYSTEM: The Windows operating system itself, and services running under the LocalSystem account.

  • TERMINAL SERVER USER: A user who has logged on via Remote Desktop or, on Windows Server versions, a Terminal Services session.
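To make the evaluation rules in this section, and the take-ownership escape hatch in the Note under "Computer Administrators," concrete, here is a small Python model of the access check. It is an added example for this chapter, not Windows code, and it does not call the Windows API; the entry names come from Table 5.3 and Table 5.4, while the file, the Managers group and the account names in demo() are constructed for illustration.

```python
"""Model of the Windows access check described in this section.

Added example, not Windows code.  It mimics the rules the text states:
group membership is static, security principals such as NETWORK or SERVICE
depend on how the user connected, an explicit Deny entry wins, the owner
can always rewrite the permissions, and an Administrator holding the
take-ownership right can become the owner.  The payroll file, Managers
group and account names in demo() are constructed for illustration."""
from dataclasses import dataclass, field

READ, WRITE, WRITE_DAC = "read", "write", "write_dac"
TAKE_OWNERSHIP = "Take ownership of files or other objects"  # Table 5.4


@dataclass
class Token:
    """What Windows attaches to a logged-on user or a running program."""
    user: str
    groups: set = field(default_factory=set)      # Table 5.2 groups
    context: set = field(default_factory=set)     # Table 5.3 logon principals
    privileges: set = field(default_factory=set)  # Table 5.4 user rights

    def identities(self, obj):
        """Every name an ACL entry may match for this token on this object."""
        ids = {self.user, "Everyone"} | self.groups | self.context
        if self.user != "Guest":                  # Guest is never authenticated
            ids.add("Authenticated Users")
        if obj.owner == self.user:
            ids.add("CREATOR OWNER")
        return ids


@dataclass
class Ace:
    kind: str       # "allow" or "deny"
    who: str        # user, group or security principal name
    rights: set


@dataclass
class SecuredObject:
    name: str
    owner: str
    dacl: list      # list of Ace


def access_check(token, obj, wanted):
    """True if every right in `wanted` is granted to the token.

    Windows keeps explicit Deny entries ahead of Allow entries (canonical
    order) and walks the list once; the sort below mimics that order.  A
    Deny that covers any still-unsatisfied right ends the check."""
    ids = token.identities(obj)
    remaining = set(wanted)
    if obj.owner == token.user:   # the owner implicitly holds WRITE_DAC
        remaining.discard(WRITE_DAC)
    for ace in sorted(obj.dacl, key=lambda a: a.kind != "deny"):
        if not remaining:
            break
        if ace.who not in ids:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
    return not remaining


def take_ownership(token, obj):
    """The Administrator's way around a Deny entry (see the Note above):
    the take-ownership right is checked, not the object's ACL."""
    if TAKE_OWNERSHIP not in token.privileges:
        raise PermissionError("token lacks the take-ownership right")
    obj.owner = token.user


def rewrite_dacl(token, obj, new_dacl):
    """Changing permissions needs WRITE_DAC, which the owner always has."""
    if not access_check(token, obj, {WRITE_DAC}):
        raise PermissionError("token may not change permissions")
    obj.dacl = list(new_dacl)


def demo():
    """Constructed scenario: payroll.xls, owned by mary, readable by Managers
    at the console and by services, denied over the network and denied to
    Administrators."""
    payroll = SecuredObject("payroll.xls", owner="mary", dacl=[
        Ace("deny", "NETWORK", {READ, WRITE}),
        Ace("deny", "Administrators", {READ}),
        Ace("allow", "Managers", {READ, WRITE}),
        Ace("allow", "SERVICE", {READ}),
    ])
    mary_console = Token("mary", {"Users", "Managers"}, {"INTERACTIVE"})
    mary_share = Token("mary", {"Users", "Managers"}, {"NETWORK"})
    backup_svc = Token("svc_backup", {"Users"}, {"SERVICE"})
    admin = Token("Administrator", {"Administrators", "Users"},
                  {"INTERACTIVE"}, {TAKE_OWNERSHIP})
    results = {
        "mary at the console": access_check(mary_console, payroll, {READ}),
        "mary over the network": access_check(mary_share, payroll, {READ}),
        "a service": access_check(backup_svc, payroll, {READ}),
        "admin, as the ACL stands": access_check(admin, payroll, {READ}),
    }
    # The Note: Administrator takes ownership, then drops the Deny entry.
    take_ownership(admin, payroll)
    rewrite_dacl(admin, payroll,
                 [a for a in payroll.dacl if a.who != "Administrators"]
                 + [Ace("allow", "Administrator", {READ})])
    results["admin after taking ownership"] = access_check(admin, payroll, {READ})
    return results


if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who}: {'granted' if ok else 'denied'}")
```

The same user, mary, is granted at the console and denied over the network because the NETWORK entry matches only the second token; the service reads the file whatever account it runs under; and the Administrator, denied by name, still gets in once ownership changes hands, which is why the Note says not to rely on permissions against a Computer Administrator.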


Account Permissions

Computer Administrator users gain most of their powers by virtue of membership in the Administrators group, which is created by Windows, cannot be deleted, and is recognized by Windows as a special entity. Windows management software and the operating system itself check to see whether you are a member of the Administrators group before deciding whether to let you make certain changes; and at deeper levels, Windows knows to let Administrators bypass the normal security mechanisms that protect files and folders.

There are a number of User Rights , such as the ability to change the system clock, that can be individually assigned to users or groups. They serve as the means by which Windows restricts or grants the ability for users or programs to change the way Windows works and, when necessary, to circumvent security features. Not surprisingly, the Administrators group is listed for nearly all of them. On Windows XP Home Edition, these permission settings cannot be changed. However, on Windows XP Professional, Windows 2000, and earlier versions of Windows NT, other accounts can be given these permissions as well.

For example, if you've set up Remote Desktop access to your computer, you know that you have to list the users who are able to log on remotely, using the Remote tab on the System Properties dialog. That dialog actually makes the listed user a member of the Remote Desktop Users group. That group has the "Allow logon through Terminal Services" user right. Thus, the listed users can log on through Remote Desktop.

Although you probably don't want to change their assignment, the settings can be seen in the Local Security Policy management tool, from the Administrative Tools menu or control panel icon. (You must be logged on as a Computer Administrator, or you can right-click the entry and select Run As, and then follow the dialog to run the program as an Administrator.) In the left pane, select Local Policies, User Rights Assignment. The Policy column lists the various user rights, and the Security Setting column lists the users and groups that are granted the rights, as shown in Figure 5.2.

Figure 5.2. User Rights Assignments lists the accounts and security principals that are to be granted each privilege.

Table 5.4 lists the standard User Rights used by Windows XP and Windows Server 2003. In the description column, most entries refer to "users." Here, "users" means any user who is either explicitly listed in the policy entry, is a member of a group that is listed, or has an associated security principal that is granted the associated right. When the description refers to the rights of programs, remember that programs are associated with a specific user, so the program's privileges are the same as the associated user's privileges.

Table 5.4. User Rights

  • Access this computer from the network: Allows the user to connect to the computer over the network, for example for file and printer sharing.

  • Act as part of the operating system: Allows a program to impersonate any user without authenticating, and so to reach any user's resources. Nothing but the operating system itself should hold this right.

  • Add workstations to domain: Allows the user to join a computer to the domain (domain controllers only).

  • Adjust memory quotas for a process: Allows the user to change the memory usage limits of another running program.

  • Allow logon through Terminal Services: Allows the user to log on via Terminal Services or Remote Desktop Connection.

  • Back up files and directories: Allows the user to read any file, folder, or Registry entry, regardless of its permissions, in the context of performing a backup.

  • Bypass traverse checking: Allows the user to reach a subfolder to which he or she has permission even without permission to read the parent folders. This is normally granted to Everyone and should not be disabled.

  • Change the system time: Allows the user to set the clock and date.

  • Create a pagefile: Allows the user to modify the virtual memory page file settings.

  • Create a token object: Allows a program to create a security token, which could be handed to other programs to give them any identity or access rights. Like "Act as part of the operating system," this should belong to the operating system only.

  • Create global objects: Allows a program running in a Terminal Services session to create named objects such as semaphores and mutexes that are visible from other sessions.

  • Create permanent shared objects: Allows a program to create permanent named objects in the Windows kernel's object namespace. It is used by kernel-mode components and has nothing to do with Active Directory objects.

  • Debug programs: Allows a program to attach to, halt, single-step, and read or write the memory of other programs, including those running as SYSTEM. Because of that, it is effectively equivalent to full control of the computer.

  • Deny access to this computer from the network: Any user who ends up with this policy, by virtue of direct listing, group membership, or a security principal, is prohibited from accessing shared files and printers on the computer, as well as other network resources such as Remote Procedure Calls. This policy supersedes and negates "Access this computer from the network."

  • Deny logon as a batch job: In a similar fashion, this policy negates "Log on as a batch job."

  • Deny logon as a service: Negates "Log on as a service."

  • Deny logon locally: Negates "Log on locally."

  • Deny logon through Terminal Services: Negates "Allow logon through Terminal Services."

  • Enable computer and user accounts to be trusted for delegation: Allows the user to set the Trusted for Delegation setting on a user or computer account in Active Directory. Because a delegation-trusted server can use its clients' identities against other servers, this right is normally held only by domain administrators.

  • Force shutdown from a remote system: Allows the user to shut down or restart Windows remotely over the network.

  • Generate security audits: Allows a program to write audit entries to the Security log.

  • Impersonate a client after authentication: Allows a program to impersonate a client using a token it received from Windows, usually via networking, without having been given the username and password itself. Component Object Model (COM) servers often require this privilege and gain it by virtue of the SERVICE security principal, which is listed for this policy.

  • Increase scheduling priority: Allows a program to raise another program's execution priority. A user with this right can, for example, change a process's priority in Task Manager.

  • Load and unload device drivers: Allows the user to make Windows load or unload device drivers. Since drivers run in kernel mode, this is another administrator-equivalent right.

  • Lock pages in memory: Allows a program to make Windows keep specific blocks of memory fixed in physical RAM; used by some device drivers and database servers.

  • Log on as a batch job: Allows the user's account to run programs started by the Task Scheduler or, in some cases, by certain services.

  • Log on as a service: Allows the user account to be used to run Windows Services.

  • Log on locally: Allows the user to log on directly at the keyboard and display. On domain controllers, generally only Administrators are given this right.

  • Manage auditing and security log: Allows the user to turn on auditing of specific files, folders, and other objects, and to view and clear the Security log. Auditing as a whole must be enabled separately in the audit policy.

  • Modify firmware environment values: Allows the user to change settings stored in the computer's firmware (NVRAM). On x86 systems the only such value is the Last Known Good configuration; despite the name, the environment variables of Chapter 9 are not affected by this right.

  • Perform volume maintenance tasks: Allows the user to run disk management tasks such as defragmentation and extending a volume, which need low-level access to the disk.

  • Profile single process: Allows the user to use system tools to measure the detailed behavior and performance of application programs.

  • Profile system performance: Allows the user to use system tools to measure the detailed behavior and performance of Windows itself.

  • Remove computer from docking station: Allows the user to undock a laptop computer. (The policy can be disabled entirely to let anyone undock the computer without having to log on.)

  • Replace a process-level token: Allows a program to replace the default token (user identity) of a child program that it has started.

  • Restore files and directories: Allows the user to write to, and change the security settings of, any file, folder, or Registry entry in the context of performing a restore. Like the backup right, it bypasses permissions, so it is nearly administrator-equivalent.

  • Shut down the system: Allows the user to shut down or restart Windows. On a domain controller, generally only Administrators are granted this privilege.

  • Synchronize directory service data: Allows the user to perform Active Directory synchronization (domain controllers only).

  • Take ownership of files or other objects: Allows the user to take over ownership of any file, folder, or other system object. Having taken ownership, the user can then change the object's access permissions at will (see the Note under "Computer Administrators").


In the Local Security Settings tool, each policy is listed along with the groups or principals that are granted the associated privilege. Table 5.5 lists the default assignments for Windows XP Professional in a different way, showing all the privileges granted to each group and security principal. Remember that a given user will likely be a member of several of these groups or principals, so that user gains the combined privileges from each. To maintain tighter security, on a server fewer rights are usually granted to interactive users. Usually only the Administrator logs on directly, and regular users access the computer only over the network.

Table 5.5. Default User Rights Assignments

User, Group, or Principal

Privilege

Administrators

Access this computer from the network
Adjust memory quotas for a process
Allow logon through Terminal Services
Back up files and directories
Bypass traverse checking
Change the system time
Create a pagefile
Create global objects
Debug programs
Force shutdown from a remote system
Impersonate a client after authentication
Increase scheduling priority
Load and unload device drivers
Log on locally
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Restore files and directories
Shut down the system
Take ownership of files or other objects

ASPNET

Access this computer from the network
Deny logon locally
Deny logon through Terminal Services
Impersonate a client after authentication
Log on as a batch job
Log on as a service

Backup Operators

Access this computer from the network
Back up files and directories
Bypass traverse checking
Log on locally
Restore files and directories
Shut down the system

Everyone

Access this computer from the network
Bypass traverse checking

Guest

Deny access to this computer from the network
Deny logon locally (when Guest is disabled from the Users control panel)
Log on locally

INTERACTIVE

Create global objects

IUSR_ xxx

Access this computer from the network
Log on as a batch job
Log on locally

IWAM_ xxx

Access this computer from the network
Adjust memory quotas for a process
Log on as a batch job
Replace a process-level token

LOCAL SERVICE

Adjust memory quotas for a process
Generate security audits
Replace a process-level token

NETWORK SERVICE

Adjust memory quotas for a process
Generate security audits
Log on as a service
Replace a process-level token

Power Users

Access this computer from the network
Bypass traverse checking
Change the system time
Log on locally
Profile single process
Remove computer from docking station
Shut down the system

Remote Desktop Users

Allow logon through Terminal Services

SERVICE

Adjust memory quotas for a process
Create global objects
Generate security audits
Impersonate a client after authentication
Log on as a service
Replace a process-level token

SUPPORT_ nnnnnnnn

Deny access to this computer from the network
Deny logon locally
Log on as a batch job

Users

Access this computer from the network
Bypass traverse checking
Log on locally
Remove computer from docking station
Shut down the system


Although you can change these assignments, it's somewhat risky (you might find that you can no longer log on, use, or manage your own computer), so you should have a very good reason for doing so. One need for adding additional privileges occurs when you install and run a Windows Service using a special user account. You will need to add that account to the Log On as a Service policy entry.

As another example, I use an email system that requires recipients to have a user account, and the accounts must have the Log On as a Batch Job privilege. I don't want most of these email users to have access to the server computer, so I've rounded up the mail users into a group called "Email Users," and have added that group to Log On as a Batch Job. I also deleted most of them from the Users group, because they only need to pick up mail, and never log on.

Adding and Deleting User Accounts from the Control Panel

Unless your computer is a member of a domain network, the most straightforward way to create and manage user accounts on Windows XP is with the User Accounts applet in the Control Panel. Here, you can create user accounts, change passwords (your own, or if you are a Computer Administrator, other people's), change the Welcome Screen picture associated with the account, and make a "password reset" disk to have on hand in case you forget your password.

Note

If you are using Windows XP Professional, one thing the Control Panel tool won't let you do is to put user accounts into the Power Users category. What I suggest is that when you create new user accounts, create them as Limited Users, and then use the Management Console tool that I'll describe under "Managing Users from the Management Console" to turn them into Power User accounts. You only have to do that once, after creating the account. If you have to make changes in the future, you can still use the Control Panel tool to change the password, picture, and so on.


Select Start, Control Panel, User Accounts to open the User Management applet. You should see something similar to Figure 5.3.

Figure 5.3. The Windows XP User Accounts control panel applet lets you create and manage user accounts.

The links on the left side under Learn About open help documentation for the listed tasks. On the top of the main panel is a list of basic tasks. I'll explain how to create new user accounts shortly.

The bottom section of the main panel lists the local user accounts on this system. You can see details about each of the user accounts, including whether the user has administrative rights and whether the account is password protected. You might also notice that the guest account in Figure 5.3 is enabled. By clicking on it here, you can change the enabled or disabled status of the account. Holding the mouse pointer over one of the accounts opens a pop-up with additional information about what you can change by going into the account. You must be a Computer Administrator to create or modify another user's account.

Tip

To run the User Accounts control panel as a Computer Administrator when you're not currently logged on as one, open a Command Prompt window and type

 runas /user:Administrator "control nusrmgr.cpl"

On XP Home Edition, substitute the name of a Computer Administrator account instead of "Administrator."


If you click on a user account to manage it, the screen like the one shown in Figure 5.4 will appear.

Figure 5.4. Modifying a user account with the User Accounts control panel applet.

In the User Accounts Control Panel applet, there are quick-click actions to do the following:

  • Change the Name This option changes the user's "display" name that appears on the Welcome Screen and Start menu. (It does not change the actual account logon name; for that, you have to use the Management Console, described under "Managing Users from the Management Console.")

  • [Create or Change] a Password This option changes depending on whether an account already has an assigned password. If the password is blank, you have the option to create a password. If the password is not blank, you have the option to change it.

  • Remove the Password This option only shows up if a password is currently assigned to the account. If the account has no password, this action is not displayed.

  • Change the Picture This option changes the 48x48 pixel graphic associated with the user's account. You can select from a variety of included icons or browse to any other graphic. If the selected graphic is too large to fit in the 48x48 pixels, it will be scaled down to fit. Full-sized, full-color, high-detail photos are, therefore, not recommended. I thought this business with the little pictures was silly at first, but it grew on me, and now I have a favorite cartoon character that I scanned in and have copied to every computer I use. Go figure. By the way, Windows stores these images in folder \Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\User Account Pictures.

  • Change the Account Type This option allows you to change the account from a Limited account to an Administrative account or vice versa. This is equivalent to adding or removing the user account from the local Administrators group. To assign a user to other groups (Power Users, for instance), use the method that I'll describe under "Managing Users from the Management Console."

    If you've customized an account's group membership, its type will display as "Unknown account type" in the User Accounts window.

  • Delete the Account This option deletes the account, including the user's profile folder. Don't delete an account unless you're sure you don't need the associated settings. It is safer to disable an account until you're sure you don't need it, using the management console interface described shortly.

In Figure 5.4, I am modifying the account that I am logged in with. This not only modifies the voice of the quick-click actions to the first person (for example, "Change my password" rather than "change the password"), but an additional action also appears:

  • Set Up My Account to Use a .NET Passport This option associates a Microsoft .NET Passport account to your local user account, relieving you from manually entering the Passport username and password for .NET services that require authentication through the Passport service. Clicking this option starts a wizard. If you do not currently have a passport, the wizard allows you to create one on the spot, though you must have an active connection to the Internet for this wizard to complete successfully.

Note

Carefully consider the privacy implications before you configure your account to use the Passport feature. If you do, then anyone using your account will automatically have access to any websites or services that use Passport as the logon mechanism. Essentially, you're giving Windows and Microsoft permission to validate web transactions in your name.


Adding Users to Your Computer

Here is my recommendation for the best way to add new user accounts to your computer:

1.
Make a list of the accounts you want to create, and the passwords you want to assign to each.

2.
Log on as a Computer Administrator and open the User Accounts control panel.

3.
Click Create a New Account. Enter a logon name for this user. I have a habit of using the person's first initial and last name, but you can choose any sort of names you want to use.

4.
Select the account type, Computer Administrator or Limited User. If you are using Windows XP Professional, for regular day-to-day user accounts, I recommend that you create Limited Users here, and then turn them into Power Users by following the instructions under "Managing Users from the Management Console" or "The Windows 2000 User Manager, for XP, Too." On Windows XP Home Edition, you must have at least one Computer Administrator account (in addition to the main "Administrator" account that remains hidden until you log on in Safe mode).

5.
Click on the icon for the new account below the Pick an Account to Change option.

6.
Click Create a Password, and enter the password twice as indicated. We recommend that you do create passwords for all of your user accounts, even if just you or your family uses the computer. This helps limit access to any personal information on your computer should it get stolen or should someone come snooping. It's only a small help but it's worthwhile.

You can also add a password hint, but remember that anyone can see this hint, so if security is an issue, it's best to leave this blank.

7.
If you want, change the user's picture.

8.
If you need to create other new accounts, click Change Another Account under Related Tasks and repeat steps 3 through 7.

If you are using Windows XP Professional, you can then use the Local Users and Groups tool to turn the new user accounts into Power User accounts, as described under "Managing Users from the Management Console." There, you can also create new security groups to simplify the job of file security. (On XP Home Edition, you cannot create or use security groups.)

Before any of these users log on for the first time, you might also want to prepare a customized Default User Profile, as described later in this chapter in the section "Managing User Profiles."

Setting Local Security Policy

In a business setting, you might also want to set your computer's local security policy to require good passwords. To do this, log on as a Computer Administrator and open the Administrative Tools control panel applet, which you'll find in the Control Panel's Performance and Maintenance category. Open the Local Security Policy item, or, if you're not logged on as a Computer Administrator, right-click Local Security Policy and select Run As.

In the left-hand pane, select Account Lockout Policy. In the right-hand pane, double-click the following entries and make the following settings, in this order, as illustrated in Figure 5.5:

  1. Account lockout threshold: 5 invalid logon attempts

  2. Account lockout duration: 5 minutes

  3. Reset account lockout counter after: 5 minutes

Figure 5.5. Account Lockout Policy lets you block attempts to guess your password.

Then, in the left-hand pane, select Password Policies, and make the following settings:

Minimum password length: 8 characters

Password must meet complexity requirements: enabled

You may also want to enable the settings that require employees to change passwords every so many days.

Local Accounts and Password Reset Disks

Administrators can reset the password for any user account, meaning they could potentially change a password, log on as a user, and see all the user's preferences and files. In addition, before Windows XP, resetting a password would give a user carte blanche access to everything in the user's profile, including stored passwords, encrypted files, and more. Windows XP changes things a bit. If a local administrator forces a password change of a local user account, Windows XP erases all other passwords associated with the user account, including the security key required to decrypt files encrypted using the included Encrypting File System (EFS). This means that a local administrator can't see your encrypted files, but if you lose your password and need to have your password reset, you'll lose your encrypted files, too.

For local accounts, Windows XP provides a mechanism so that you can protect yourself from this consequence of a forgotten password by creating a password reset disk. This floppy disk lets you log on to your user account without the password and without losing any other associated passwords or EFS keys. Think of it as a physical "key" to your computer account.

You can only create a password disk for your own account, by following these steps:

1.
Insert a blank, formatted floppy into your A: drive.

2.
Click Start, Control Panel, User Accounts.

3.
Select your user account and click Prevent a Forgotten Password from the Related Tasks list.

4.
Follow along with the wizard.

5.
Store the completed password reset disk in a secure location.

Remember: Someone who gets hold of this disk has access to your account, so keep it somewhere safe and secure. Each user must create her own password reset disk. However, you will not need to re-create this disk if you change your password.

If you have forgotten your password, you can sign on from the Windows XP Welcome screen using these steps:

1.
Attempt to sign on using the Windows XP Welcome Screen.

2.
After the unsuccessful attempt, click the link marked Did You Forget Your Password?

3.
Click Use Your Password Reset Disk.

4.
Follow the wizard to reset your password.

Then, put the reset disk away in case you need it again in the future.

If you are a domain network user, you must still contact a domain user administrator to reset your password or unlock your account. On domain accounts, EFS keys are not destroyed when the account is reset, so the password reset disk mechanism is not needed.

Managing Users from the Management Console

On Windows XP Professional and on Windows 2000, there is an additional tool for user maintenance called the Local Users and Groups Management Console. You can get there in any of four ways:

  • Click Start, All Programs, Administrative Tools, if you've enabled Administrative Tools on your Start menu.

  • Open Control Panel, Performance and Maintenance, Administrative Tools, Local Users and Groups.

  • Right-click My Computer, select Manage, and then select Local Users and Groups.

  • At the Command Prompt, type start lusrmgr.msc.

Do you think four ways are enough? There are actually more, but let's let it pass for now.

Note

If Administrative Tools doesn't show up under your Start menu, you can add the link. Right-click on Start, and then select Properties, Start Menus, Customize, Advanced, Display.


However you get there, the display will look something like that shown in Figure 5.6.

Figure 5.6. The Local Users and Groups Management Console gives you fine-grained control over security group membership.

When you're in the MMC, you can right-click on either the Users or Groups folders in the left-hand pane to create new users and groups. You can double-click an individual user or group to manage properties related to that object, and you can right-click a user or group to rename or delete the object.

For instance, in a home or small office environment, you might find it easiest to create most of your local user accounts as Limited Users with the Control Panel user management tool, and then assign most of your users to the Power Users group. There are two ways to do this. One method is described shortly under "The Windows 2000 User Manager, for XP, Too." The other method uses the Local Users and Groups tool. You must be logged on as a Computer Administrator user. Follow these steps:

1.
Open the Groups list and double-click the Power Users entry.

2.
Click Add, and under Enter the Object Names to Select, enter the desired usernames separated by semicolons.

Alternatively, you can click Advanced and Find Now to get a list of names. Right-click any you want to add, and then click OK.

3.
Click OK, and then click OK again to save the changes.

4.
Open the Administrators group, and ensure that the accounts you selected are not also in the Administrators group. If any are there, you can select them and click Remove to remove them. Be absolutely sure that the Administrator account remains a member!

5.
Open the Users group, and ensure that all of your regular user accounts are listed. If any are missing, add them.

You can also use this tool to create new local security groups. If, for instance, you want only certain employees to have access to your accounting files, you might create a group named Accounting. Add the appropriate users to this new group. Then, edit the file security settings for the folders that hold your accounting files and other sensitive financial files, and be sure that only groups Accounting and Administrators have access.

This will be easier to maintain than adding each individual user to several folders' access lists. In the future, you need only add or remove users from the Accounting group, rather than needing to add or remove names from several different folders.

Managing Users on Another Computer

If you want to connect to a different computer to manage local users and groups, simply right-click Computer Management on the screen depicted in Figure 5.6, select Connect to Another Computer, and enter the computer name. Now all options in the Computer Management MMC reflect the configuration of the remote system, and you can manage the users and groups in the same way as on the local system; however, to do this, your Computer Administrator login name and password must be valid on the other computer.


The Windows 2000 User Manager, for XP, Too

If you are using Windows 2000 Professional, your Users control panel dialog looks like the one shown in Figure 5.7.

Figure 5.7. The Windows 2000 User Manager control panel applet.


It's also available on Windows XP, though you have to perform the trick that brings it up. It has two very important uses: You can use it to make Windows log on automatically, and on XP Professional, you can use it to easily create Power User accounts. To start it up, open a command prompt window with Start, All Programs, Accessories, Command Prompt, and type

  control userpasswords2  

If you are not currently logged on as a Computer Administrator, you will be prompted to enter an Administrator account name and password.

This small user manager program can do two very useful things: It can make Windows log on automatically on startup, and it can create Power User accounts.

Power User accounts are very useful, but are only available on Windows 2000 and Windows XP Professional. To change an existing account, select the name from the user list and click Properties. Select the Group Membership tab, and select one of the following categories:

  • Standard User Select this category to make the account a Power User account. This is the best account type for day-to-day use.

  • Restricted User This is what Windows XP calls a Limited User. Select this account type for guests, kids, or other people whom you want to let use your computer, but not make configuration changes.

  • Other You can select this item and select a group from the list to create alternative account types. Administrators is the only useful selection here.

Click OK to save your settings. If you modify your own account, the change won't take effect until you log off and back on again.

On Windows XP Professional, you can create new accounts from this dialog; just click Add and enter the account name, and then select Group Membership and assign the desired account type.

You can also use this tool to assign a password to the Administrator account on Windows XP Home Edition. On Home Edition, there is an account with the name Administrator, which is only available when you boot Windows in Safe mode. By default, it has no password.

Microsoft did this so that even if you forget the password of the Computer Administrator account(s) you've set up yourself, you can still get into your computer. The downside is that anyone can boot your computer in Safe mode, select this Administrator account, and gain access to every file on your computer. If this concerns you, you can use the Windows 2000 User Manager to assign a password to the Administrator account: Select Administrator from the list of users, and click Reset Password.

Remember that if you forget the password to this account as well, you will not be able to log on to Windows. To be safe, you should create password reset disks for your other accounts, as discussed earlier.

Another important use for this dialog is to instruct Windows to log on automatically when it's turned on and started up. This works on Windows XP Home Edition, XP Professional, and 2000 Professional. To set this up, uncheck Users Must Enter a User Name and Password to Use This Computer. Click Apply, and Windows will prompt you for a username and password. This account will sign on automatically when Windows starts up.

Managing Users from the Command Prompt

You can manage user accounts from the Command Prompt as well as from the GUI. I tend to use this method when doing quick, simple changes to user accounts, or when creating a large number of accounts for, say, a classroom computer. Here are some commands that you might find handy:

To list all local users:

 net user 

To list all local security groups:

 net localgroup 

To show all members of a local group:

 net localgroup groupname

To create a local user account (it's automatically added to the Users local group):

 net user userid password /add

To add a local user to a local group:

 net localgroup groupname userid /add

To modify an existing local user's password:

 net user userid newpassword

To delete a local user account (but not the profile folder):

 net user userid /del

Of course, you have to be logged on as a Computer Administrator to create or modify other users' accounts.

Putting them together, you might use these commands to create a new Power User account:

 net user bknittel secretpassword /add
 net localgroup "Power Users" bknittel /add

Or use these commands to delete one:

 net user bknittel /del
 rd "c:\Documents and Settings\bknittel*" /s

That last command is "iffy": if a folder with your username already exists in the Documents and Settings folder when you create your account, or if you log on to a Windows domain network, Windows sometimes adds .XXX to the user profile folder name, where XXX is the computer or domain name; you can't always be sure what the exact folder name will be.

Automating User Management

When you have many user accounts to create or modify, you should look to Windows automation tools to help simplify the job and minimize errors due to typing mistakes. You can use the command-line tools I mentioned previously inside batch files as an excellent means of getting the job done. You can also use Windows Script Host (WSH). WSH is by far the more flexible of the two options. By tying in to the Active Directory Service Interfaces (ADSI), you can create, read, or modify any information or configuration options available for a user account.

Here's an example. A common task that help desk personnel often require is the ability to easily unlock user accounts after a user has entered too many incorrect passwords. The following script file named unlock.vbs prompts for an account name and unlocks the account. From the command line, unlock runs the script. The user who is running the script must have the rights to unlock the target account.

 Set WshNetwork = WScript.CreateObject("WScript.Network")
 CurDomName = WshNetwork.UserDomain
 DomainName = InputBox("Enter the Domain Name", "Domain", CurDomName)
 UserName   = InputBox("Enter the account name to unlock", "User ID")

 On Error Resume Next
 ' Bind to the account through the ADSI WinNT provider
 Set myUser = GetObject("WinNT://" & DomainName & "/" & UserName & ",user")
 If Err.Number <> 0 Then
     ' GetObject failed, so myUser was never assigned
     MsgBox "Unable to find user account " & DomainName & "\" & UserName
 ElseIf myUser.IsAccountLocked Then
     myUser.IsAccountLocked = False
     myUser.SetInfo
     If Err.Number <> 0 Then
         MsgBox "Unable to unlock account, you may not have permission"
     Else
         MsgBox UserName & " is now unlocked"
     End If
 Else
     MsgBox UserName & " is already unlocked"
 End If
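The unlock script handles one account at a time. As an added example that is not from the book, here is a WSH/ADSI script for the bulk case mentioned earlier (a classroom computer): it creates each local account in an inline list and puts it in Users and Power Users but not Administrators, the account type recommended earlier in the chapter. The account names and passwords are constructed sample data; the group names and properties are those of the ADSI WinNT provider.

```vbscript
' Added example, not from the book: bulk-create local accounts and make them
' Power Users (in Users and Power Users, never in Administrators), which is the
' account type the chapter recommends for day-to-day use on XP Professional.
' Run as a Computer Administrator:  cscript makeusers.vbs
Option Explicit

Dim WshNetwork, ComputerName, Computer, Users, PowerUsers, Admins
Dim Accounts, Entry, Parts, UserName, Password, User

Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName = WshNetwork.ComputerName

' Bind to the local computer and to the three groups we care about.
Set Computer   = GetObject("WinNT://" & ComputerName & ",computer")
Set Users      = GetObject("WinNT://" & ComputerName & "/Users,group")
Set PowerUsers = GetObject("WinNT://" & ComputerName & "/Power Users,group")
Set Admins     = GetObject("WinNT://" & ComputerName & "/Administrators,group")

' Constructed sample list, one "logonname=password" entry per account.
' For a real classroom you would read these from a file instead.
Accounts = Array("jsmith=Sample!Pass1", "akumar=Sample!Pass2", "lchen=Sample!Pass3")

For Each Entry In Accounts
    Parts    = Split(Entry, "=", 2)
    UserName = Parts(0)
    Password = Parts(1)

    Set User = FindUser(ComputerName, UserName)
    If User Is Nothing Then
        ' Create the account; the first SetInfo writes it to the local SAM,
        ' and a password can only be set on an account that already exists.
        Set User = Computer.Create("user", UserName)
        User.SetInfo
        User.SetPassword Password
        User.FullName = UserName
        User.SetInfo
        WScript.Echo "Created " & UserName
    Else
        WScript.Echo UserName & " already exists; checking group membership only"
    End If

    ' Group membership is corrected whether or not the account was just created.
    EnsureMember Users, User
    EnsureMember PowerUsers, User
    EnsureNotMember Admins, User
Next

' Returns the user object, or Nothing if no local account has that name.
Function FindUser(Host, Name)
    On Error Resume Next
    Set FindUser = GetObject("WinNT://" & Host & "/" & Name & ",user")
    If Err.Number <> 0 Then
        Err.Clear
        Set FindUser = Nothing
    End If
End Function

Sub EnsureMember(G, U)
    If Not G.IsMember(U.ADsPath) Then G.Add U.ADsPath
End Sub

Sub EnsureNotMember(G, U)
    If G.IsMember(U.ADsPath) Then G.Remove U.ADsPath
End Sub
```

Running the script a second time is harmless: existing accounts are left alone and only their group membership is checked.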

For more on this topic, you might consider some of these excellent references:

Windows XP Under the Hood by Brian Knittel; ISBN 0789727331 (our favorite, of course!)

Windows NT/2000 ADSI Scripting for System Administrators by Thomas Eck; ISBN 1578702194

Windows 2000 Script Host by Tim Hill; ISBN 1578701392

You'll also find some downloadable examples of administrative scripts at InformIT.com (www.informit.com) and the Microsoft Development Network (msdn.microsoft.com/scripting). I also recommend taking a look at Andrew Clinick's administrative scripts from the Microsoft TechEd 2000 conference. The article and source code are available for download at http://msdn.microsoft.com/library/en-us/dnclinic/html/scripting06122000.asp.

Managing User Profiles

A user profile is a folder that contains all of a user's personalized information: the Registry file that contains his customized settings, his Desktop and My Documents folders, and application data such as the Outlook Express address list and email database. By default, profiles are stored under C:\Documents and Settings, in folders with the same name as the user account.

When you create a new user account, the user's profile folder is not created at that time. Instead, it's created when the user logs on for the first time, and it's copied from the default user profile stored in \Documents and Settings\Default User. I'll talk more about this in a moment.

You'll find an interface for simple local user profile management by right-clicking My Computer, selecting Properties, Advanced, and then clicking the Settings button in the User Profiles box. You should see something similar to Figure 5.8.

Figure 5.8. The User Profile Management dialog.


Notice the three buttons:

  • Change Type This configures whether the selected user will use the network-stored roaming profile folder (for domain networks only) or a locally stored profile folder.

  • Delete This permanently deletes the selected profile (but not the account; if the user logs on again, a new profile folder will be created).

  • Copy To This copies the selected profile to another profile directory, overwriting the files and settings in the destination profile with those in the selected user's profile.

One important reason to know about User Profiles is that you can customize the Default profile used for new accounts on your computer.

Configuring a Default User Profile

If you aren't happy with the initial desktop and other settings created for each user at the time of logon, you can configure a profile and copy it into the Default User profile. Subsequently, new users who log on to the system for the first time will get your desired settings, rather than the default profile provided out of the box. Here's how to do it:

1.
Create a new user account (someone without an existing personal profile on the system) and log on to that account.

2.
Make all the changes you want included in the default profile. For example, you can set a default screensaver configuration, add some default favorites, drop some shortcuts on the desktop, reorganize the shortcuts on the Start bar, and set the background. You can also delete the sample files in My Documents and My Pictures or create new files and folders.

3.
Log off as this user and log back in as with a Computer Administrator account. Note that you must log off from the new account in order to free the associated Registry files; doing a fast user switch does not work.

4.
Under My Computer, click Tools, Folder Options, and go to the View tab. Check Show Hidden Files and Folders and click OK. Otherwise, you will not be able to see the Default User folder.

5.
Right-click My Computer, select Properties, Advanced, and click the Settings button in the User Profiles box.

6.
Select the profile of the user you just configured, and click the Copy To button.

7.
Click Browse, and browse to \Documents and Settings\Default User (usually on the C: drive). Click OK.

8.
Click the Change button under Permitted to Use, and type Everyone. Click OK. This ensures that all new users have permission to read the default profile. Now, click OK to close the Copy To dialog. You will have to confirm overwriting the default profile.

9.
Log out.

Now, when you log on as a user who has not previously logged on to this computer, the initial settings will come from the prepared default profile.

Roaming User Profiles

Roaming profiles are available on domain networks only. A roaming profile is a profile folder created by a domain administrator and stored on a network server. When you log on using a domain account that is configured with a roaming user profile, the profile folders are copied from the network to the computer you are using. When you log out, any changes to your documents or profile settings are copied back to the domain server, so those changes will be available on subsequent logins from different systems. It's a nifty idea: your preferences, desktop, and documents can literally follow you anywhere in the world.

Note

Some relatively unimportant folders are not copied back and forth between the domain server and a local computer to save time and network traffic. By default, these folders include Local Settings, Temp, Temporary Internet Files, and the History folder. The list of ignored folders is stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ExcludeProfileDirs, which can be configured per user.


Controlling How Users Log On and Off

Although Windows 9x treated user authentication (logging on) as an option, user tracking is deeply ingrained in the Windows NT product line and that includes Windows XP. In Windows XP a user must always log on before the Windows desktop can appear. There are three ways to log on: The Welcome Screen, the Logon dialog, or an optional automatic logon upon startup.

The Welcome Screen Versus the Logon Dialog

Windows XP provides a stylish graphical logon screen that lists all available user accounts.[*] It's convenient, but in some cases it can be seen as a security risk; it displays usernames, and thus provides half of the information needed for an intruder to log on.

[*] Well, almost all available accounts. On Windows XP Home Edition, Administrator isn't shown, as it's only available in Safe mode. On XP Pro, Administrator isn't shown if any other Computer Administrator accounts exist. If you want, you can control which accounts appear and which don't; we'll discuss that shortly.

An older logon system called the Logon Dialog is also available (and it's the only one available if your computer is a member of a corporate domain network), shown in Figure 5.9. With this system, you must enter your logon name and password, and then click OK.

Figure 5.9. The classic Windows logon dialog.


The Options button hides or displays additional buttons, such as Shut Down. These options may be disabled by the network policy on some corporate systems.

Note

For domain logons, the most obvious method is to enter your username and password in the spaces provided, and then select your domain from the Log on To drop-down box. But you can also specify your username as username@domain. For example, if my username in the MyCompany.com domain were bknittel, I could enter my username as bknittel@mycompany.com.

You can also use this method to log on to a local account by entering accountname@computername. For example, you can log on to computer JAVA's local Administrator account with administrator@java.


To choose which method is used, go into the User Accounts applet under the Control Panel, and click Change the Way Users Log On Or Off. To use the Logon Dialog, clear the options to Use Fast User Switching and the Welcome Screen. To use the Welcome screen, check both options.

Logging on as Administrator from the Welcome Screen

The Windows XP Welcome screen does not normally list the local Administrator account as an available account unless no other Computer Administrator users are defined (and then, only on XP Professional, not Home Edition). If you don't know the passwords to any of the accounts displayed on the Welcome screen, or if none of the displayed accounts have administrative privileges but you need to perform some administrative function, you can bypass the Welcome screen to log on with the "standard" logon dialog, using any valid local account, by pressing Ctrl+Alt+Del twice.

Then, simply enter the local administrator username and password, make whatever changes to the system you need to make, and log out. You'll be back at the Welcome screen.

Note

On Windows XP Home Edition, the Administrator account is only available when you boot Windows in Safe mode, and by default, a password is not set for the Administrator account.


Remember that you can often save yourself the trouble of logging on as Administrator: instead, right-click a shortcut and select Run As, or use the runas command at the Command Prompt, to run individual programs with Administrator privileges.

For more information about the runas command, see "runas," p. 409.



Showing and Hiding Accounts on the Welcome Screen

By default, the Administrator account and several system service accounts are not shown on the Welcome screen, although Administrator does appear if no other Computer Administrator accounts are defined. You can instruct Windows to display the Administrator account or to remove specific user accounts by editing the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList . (The Registry is discussed in Chapter 6, "Tweaking and Tuning Windows.") This key holds values that determine which accounts are omitted from the Welcome screen.

The UserList key contains values that name the accounts to be hidden, such as Administrator, HelpAssistant, and NetShowServices. The DWORD data of each value determines how the account is displayed:

Value         Result
0             Account will not be shown.
1             Account will be shown.
0x00010000    Any account whose name starts with the same letters as the value name will not be shown.


To add the Administrator account to the Welcome screen, log on as Administrator and run regedit. Open the key indicated earlier and change the Administrator value from 0 to 1. To hide a user account, add a new DWORD value with the same name as the user's logon name, and enter the numeric value 0.

You can log on to a hidden account by pressing Ctrl+Alt+Del twice at the Welcome screen to display the Logon dialog.
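As an added example (this is not code from the book), here is the same UserList change made with reg.exe from an Administrator command prompt instead of regedit, plus an audit mode that lists every override in the key next to the local account list. The audit is the part a practitioner should keep handy: because hiding an account only removes it from the Welcome screen and not from the Logon dialog, a UserList entry you did not create yourself is worth a look. The script name welcome_list.cmd and its subcommand names are my own.

```batch
@echo off
rem Added example, not from the book: manage Welcome-screen visibility with
rem reg.exe. Run from an Administrator command prompt.
rem Usage:  welcome_list.cmd show       (list Administrator on the Welcome screen)
rem         welcome_list.cmd hide NAME  (hide local account NAME)
rem         welcome_list.cmd audit      (list overrides and local accounts)
setlocal
set "USERLIST=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

if /i "%~1"=="show"  goto :show
if /i "%~1"=="hide"  goto :hide
if /i "%~1"=="audit" goto :audit
echo Usage: %~nx0 show ^| hide ACCOUNTNAME ^| audit
exit /b 1

:show
rem DWORD 1 = account is listed on the Welcome screen.
reg add "%USERLIST%" /v Administrator /t REG_DWORD /d 1 /f
exit /b %ERRORLEVEL%

:hide
if "%~2"=="" (echo hide needs an account name & exit /b 1)
rem DWORD 0 = account is omitted from the Welcome screen. It can still log on
rem through the Logon dialog (Ctrl+Alt+Del twice), so this is cosmetic, not a
rem security control.
reg add "%USERLIST%" /v "%~2" /t REG_DWORD /d 0 /f
exit /b %ERRORLEVEL%

:audit
rem Defender check: every value under UserList is an account that someone chose
rem to hide or show. Compare the names against the local account list and
rem question any 0 or 0x10000 entry you did not create.
echo Welcome-screen overrides in %USERLIST%:
reg query "%USERLIST%"
echo.
echo Local accounts on this computer:
net user
exit /b 0
```

The key may not exist yet on a machine where nobody has edited it; reg add creates it on the first show or hide, and reg query simply reports an error in audit mode until then.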

Fast User Switching

Windows XP has a feature called Fast User Switching that lets you log on to alternate accounts without logging off from the first. You might compare this to having a big Lazy Susan on your desk: instead of cleaning it off so someone else can work at it, you just turn it around, leaving your original workspace intact, although out of reach. This is almost exactly what Fast User Switching does. When you switch users, you remain logged in and your programs even keep running; they're just not visible while someone else's desktop is displayed. Several different people can trade off use of the computer using this technique.

Fast User Switching is useful in several different scenarios:

  • You can use it to temporarily log on as a Computer Administrator to install software, without having to log off from your primary account.

  • You can let someone else use your computer while your own applications run uninterrupted.

  • You can leave your computer in a "locked" state, at the Welcome screen, while your applications continue to run. You can then come back later, or even connect from another location using Remote Desktop Connection, and in either case pick up exactly where you left off.

To switch users, click Start, Log Off, Switch Users (or use the Windows+L keyboard shortcut). This brings you back to the Welcome Screen. From here, you can log back on to your original account to reconnect with your original session, or you can log on as another user.

Note

By default, you'll also get kicked back to the Welcome screen if your screensaver has time to activate. If you don't like having to sign back on after clearing the screensaver, right-click the desktop, select Properties, view the Screen Saver tab, and uncheck On Resume, Display the Welcome Screen.


I recommend saving any open documents before switching users. If another user shuts Windows down or manages to crash the system, your data could be lost if you have not saved it.

And keep this in mind: You already know that running multiple applications requires more system resources. Running multiple applications for multiple users takes even more. Things will run more smoothly if you have a fast processor and a lot of RAM. Also, some applications may not work correctly in this new multi-user environment. If the application you are using was written to the Microsoft Windows XP Logo standards (see www.microsoft.com/winlogo for details), it should behave properly.

If Fast User Switching doesn't seem to be available on your computer, you may have to make a tradeoff. Several Windows XP features are mutually exclusive with Fast User Switching:

  • Domain Networks If your computer is a member of a corporate domain network, Fast User Switching is not available, period. Bummer!

  • Login Dialog If you have disabled the Welcome Screen and use the Login Dialog to log on, Fast User Switching is not available. You can get Fast User Switching by re-enabling the Welcome Screen, as discussed previously.

  • Offline Files If you have enabled Offline File access (network caching), Fast User Switching is not available. You must choose between one and the other. To disable Offline Files, open Windows Explorer and select Tools, Folder Options. Use the Offline Files tab to make the change, and then enable Fast User Switching.

  • Serial Keys This accessibility feature is not usable with Fast User Switching and vice versa. Serial Keys provides support for alternative input devices such as puff and sip devices, switch-driven input devices, and other serial-based keyboard or mouse alternatives.

To enable Fast User Switching, log on as a Computer Administrator, making sure yours is the only account currently logged on. Disable any competing features, and then open the User Accounts Control Panel applet. Select the task Change The Way Users Log On Or Off, and then check Use Fast User Switching. If you want to disable it, follow the same steps but uncheck the option.

Enabling Automatic Logon

You can't make Windows give up on the concept of user accounts, but you can tell Windows to log on to one account automatically when it boots up. You might want to do this in a kiosk environment, in an industrial control installation where the computer's job is simply to run some specialized software, or in a very trusting home or work environment with just one user.

To bypass the Welcome Screen or logon dialog, open a Command Prompt window, type the command control userpasswords2 , and press Enter. Uncheck Users Must Enter a User Name and Password to Use This Computer and click OK. You'll be prompted for a username and password. (If the account has no password, leave the password fields blank.) The next time Windows boots up, it will automatically log on using this account information. You can use shortcuts placed in the Startup folder to automatically run applications. And, you can use Local Security Policy to disable any features you don't want this unprotected computer to make available.

If you want to log on using another user account you can simply log off or switch users, and then log back on using the alternate account.

To change Windows back so that it presents the Welcome Screen or logon dialog, use the control userpasswords2 command again, and check Users Must Enter a User Name.
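An added example, not from the book: a batch script that reports whether automatic logon is turned on and which account it uses, and warns if a DefaultPassword string was left in the Registry in plain text. That happens when someone sets up automatic logon by editing the Winlogon key directly; control userpasswords2 instead stores the password as an LSA secret. AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword are the real Winlogon value names; the script name autologon_audit.cmd is my own, and the script assumes XP's reg.exe output format of name, type and data separated by whitespace.

```batch
@echo off
rem Added example, not from the book: audit the automatic-logon settings.
rem The Winlogon key is readable by any local user, which is exactly why a
rem plain-text DefaultPassword there is a problem.
setlocal
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "AUTO=0"
set "USERNAME_=unknown"
rem If no DefaultDomainName is set, the automatic logon is to a local account.
set "DOMAIN_=%COMPUTERNAME%"

rem reg query prints "  Name  TYPE  data"; tokens=2,* puts the data in %%u,
rem including any spaces in a username.
for /f "tokens=2,*" %%t in ('reg query "%WINLOGON%" /v AutoAdminLogon 2^>nul ^| find /i "AutoAdminLogon"') do set "AUTO=%%u"
for /f "tokens=2,*" %%t in ('reg query "%WINLOGON%" /v DefaultUserName 2^>nul ^| find /i "DefaultUserName"') do set "USERNAME_=%%u"
for /f "tokens=2,*" %%t in ('reg query "%WINLOGON%" /v DefaultDomainName 2^>nul ^| find /i "DefaultDomainName"') do set "DOMAIN_=%%u"

if "%AUTO%"=="1" (
    echo Automatic logon is ENABLED for %DOMAIN_%\%USERNAME_%.
    echo Anyone who powers on this computer gets that account's desktop.
) else (
    echo Automatic logon is disabled.
)

rem Never print the password itself; only report whether it is exposed.
reg query "%WINLOGON%" /v DefaultPassword >nul 2>&1 && (
    echo WARNING: DefaultPassword is stored as a readable Registry string.
    echo Reconfigure with control userpasswords2, which keeps the password
    echo as an LSA secret, or turn automatic logon off.
)
exit /b 0
```

Run it on any kiosk or single-user machine you set up this way; the account named in the output is the one whose privileges everyone at the keyboard inherits, so it should be a Limited account with Local Security Policy restrictions, not a Computer Administrator.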

Dealing with a Lost Password

It will eventually happen that you or one of your users will forget his password, or worse, the Administrator password.

In this case, there are only a few things you can do. You should try them in the following order.

1. If the user created a Password Reset disk as discussed earlier, use it as described earlier under "Local Accounts and Password Reset Disks" to log on. The first thing that the user should do after that is to set a new password.

2. On a domain network, the network administrator can reset the password for any domain account. For standalone computers, workgroup computers, or local accounts, continue with the following steps.

3. On XP Home Edition, boot your computer in Safe mode. From the Welcome Screen, select the "Administrator" account, which by default has no password. Use the Users control panel applet to reset the password on the desired account.

4. There are other things that can be done, but on XP Professional, all of the remaining methods will cause the user to lose any encrypted files she has. If there are any encrypted files, now is the time to stop and try to remember that password one more time.

5. If you have access to any Computer Administrator account, log on using that account, and use the User Accounts control panel to change the other account's password, or remove the password entirely. Then, the user can log on and select a new password.

   If it's the Administrator account password you're trying to reset, and Administrator doesn't appear in the User Accounts control panel, use the Local Users and Groups Management Console, described earlier. Open the Users list, right-click Administrator, and select Set Password.

6. If you get here, it means you have no way to log on as a Computer Administrator. Oh dear. Things get very dicey from here on down.

   One way to reset the Administrator password is to use a special-purpose "cracking" tool developed just for this purpose. You can visit www.winternals.com and purchase ERD Commander or their entire Administrator's Pak package. Windows XP/2000/NT Key from LostPassword.com also works well. Both programs require you to boot up from a floppy disk or CD, which runs a program that clears out the Administrator password. I know of two other such programs, although I haven't personally tested them: NTAccess from www.sunbelt-software.com and NTAccess (same name, different program) from www.mirider.com.

7. If you have a second hard drive or a disk partition with at least 2GB of free space, you can install a second copy of Windows XP into the alternate partition or drive, and boot it up. You can then copy files from the original installation, or reset the permissions on the original files so that any other user can read them. This doesn't fix the lost password problem, but it does let you rescue your data.

8. Equivalently, you can remove your hard drive and install it in another computer running Windows XP or 2000, and copy or at least unsecure your files.

9. Finally, you can perform a clean install of Windows on your original disk partition. This will erase all of your existing user accounts and preferences, and you will have to reinstall your applications. But, your files will be intact. When you re-create user accounts, Windows will create new profile folders with different names. Files from the previous installation's My Documents folders will still be in the original profile folders. You'll have to use Windows Explorer to dig into \Documents and Settings to find them.
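An added example, not from the book, covering steps 4 and 5 from an Administrator command prompt: the script first lists every EFS-encrypted file on the local drives, so you can see whether the account you are about to reset owns any (on XP Professional those become unreadable after a forced reset), and only then resets the password with net user. The cipher and net user commands are standard Windows tools; the script name reset_local_pw.cmd is my own.

```batch
@echo off
rem Added example, not from the book: reset a local account's password after
rem checking for encrypted files. Run from an Administrator command prompt.
rem Usage: reset_local_pw.cmd ACCOUNTNAME
setlocal
if "%~1"=="" (echo Usage: %~nx0 ACCOUNTNAME & exit /b 1)
set "TARGET=%~1"

rem Confirm the account exists locally before touching anything.
net user "%TARGET%" >nul 2>&1 || (echo No local account named %TARGET% & exit /b 1)

rem cipher /u /n only lists EFS-encrypted files on the local drives; it does
rem not modify them. On XP Professional a forced reset loses access to any
rem of these that sit under the target user's profile.
echo Encrypted files on local drives (look for \Documents and Settings\%TARGET%):
cipher /u /n
echo.

set /p GOAHEAD=Continue with the reset? [y/N] 
if /i not "%GOAHEAD%"=="y" exit /b 1

rem The trailing * makes net user prompt for the new password twice instead
rem of taking it on the command line, where it would sit in command history.
net user "%TARGET%" *
exit /b %ERRORLEVEL%
```

After the reset, have the user log on, pick a new password, and create a password reset disk; the disk, unlike a forced reset, preserves access to encrypted files.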

Prevention is the best medicine in this case, so you might want to take a minute now to create a password reset disk for your personal account and your computer's Administrator account. If you manage many computers, it also can't hurt to get a copy of the Administrator's Pak from winternals.com now, before you run into a crisis.

Note

This section's given you just the basics of user management. As you might guess, it's a large topic. If you want to get into more detail, I recommend you pick up a copy of Special Edition Using Microsoft Windows XP Professional, 3rd Edition (or the Home Edition), published by Que.





Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
Year: 2005
Pages: 128