Creating and Managing User Accounts | Special Edition Using Microsoft Windows XP Professional (3rd Edition)

To create new local user accounts or to modify an existing account, log on as Administrator or with a Computer Administrator account. Keep in mind that you don't need to log on as Administrator to manage your own account.

CAUTION

Every user account in Windows XP has a unique security identifier, a long string of numbers called an SID. This unique identifier ties all security settings to the user account. If you delete a user account, you also delete its SID, and it can never be used again. Even if you create a new user account with the same username and properties, the SID will be different for the new account. The new account will not be able to view the old account's My Documents files. You will be forced to regenerate all security data, such as group information, set file ownership and access permissions, and so on. As a general rule, you should delete user accounts only when absolutely necessary for organizational purposes.

Two programs are used to manage user accounts: the User Accounts control panel applet, and the Local Users and Groups management tool. I'll discuss both.

User Accounts Control Panel

The easiest way to administer user accounts is with the Control Panel tool. Select Start, Control Panel, User Accounts.

NOTE

If your computer is a member of a domain network, you probably don't needand might not be permittedto add local user accounts. Check with your domain administrator.

What you'll see depends on whether or not your computer is a member of a Windows domain-type network. I'll cover standalone and workgroup computers first, and the domain version in the subsequent section.

User Management for Workgroup Networks

On a standalone or workgroup network computer, the User Accounts program is shown in Figure 28.4. You can perform three tasks here:

To modify the password, name, picture, or security level of an account, or to delete an account, select Change an Account or click on one of the account icons.
To create a new account, (no surprise here) click Create a New Account.
To choose between the Welcome Screen (the graphical Windows XP login screen) and the older Windows Logon dialog box, choose Change the Way Users Log On or Off. (More on this topic later in the chapter.)

Figure 28.4. The User Accounts control panel applet lets you create, delete, and modify user accounts on a workgroup computer.

Microsoft has done a good job of designing the Windows XP account management tool, and most of the dialog boxes are self-explanatory. I'll go through them here to show you what's possible.

Changing and Deleting Accounts

You can alter an account's settings at any time using the User Accounts control panel. You can always change your own account settings. In addition, Computer Administrator users can adjust any user's account.

Selecting Change an Account or clicking on an account icon displays the Change Account task list, as shown in Figure 28.5. Here you can

Change the name of a login account.
Add, change, or remove an account's password. Changing another account's password has consequencesplease see the section "Working with Passwords," earlier in this chapter.
Change the picture associated with an account. These pictures appear on the Welcome screen. You can select one of the several provided by Microsoft, or choose Browse to select one of your own digital photographs. You can use any image file in .BMP, .GIF, .JPG, or .PNG format. The picture will be displayed at about postage stamp size, so it's best to choose fairly small images of an object or person that fills the picture.
Change the account type from Computer Administrator to Limited or vice versa. (But, as I discussed earlier, I prefer to make most user accounts "Power Users," following the instructions in the section titled "Removing Users from the Administrators Group.")
Delete the account. (This option is available only when you're logged on with a different, Administrator-level account. You can't delete the account you're currently using, and you can't delete a Computer Administrator level account if it's the only one besides the Administrator account itself.) When you delete an account, you have the option of retaining or deleting the user's personal files stored in their My Documents and Desktop folders. If you want to keep them, they'll be put into a folder on your desktop.
Change your Microsoft .NET Passport. This is where your user account is matched up with a Passport email address. You can use this task to assign a Passport or change your Passport settings. (This task is only available when you're changing your own account.)
Modify passwords stored for access to other network resources, by clicking the Related Tasks option.

Figure 28.5. Manage account settings with the Change User Account screen.

You cannot view or alter the Administrator account from the User Accounts control panel. Nor can you set user accounts to the Power Users privilege level, or set all of the displayed accounts to Limited. To do that, you need to use the more powerful Local Users and Groups management tool, discussed later in this chapter.

NOTE

Although Microsoft doesn't seem to encourage you to, I recommend that you assign passwords to all the accounts on your computer. To change the password for the real Administrator account, you'll have to follow the procedure in the next section.

Enabling and Disabling the Welcome Screen

One of Windows XP's new features is the friendly graphical logon system called the Welcome Screen. There are actually three options for the Windows sign-on process:

The Welcome Screen allows users to choose their account names and passwords from a list. It's fast and user-friendly.
The Windows Logon dialog box requires users to enter a username, password, and optional network domain name. This enhances security by not presenting potential hackers with a visible list of logon names to try.
A higher-security option requires users to type Ctrl+Alt+Del before seeing the Logon dialog box. Ctrl+Alt+Del forces Windows to suspend any programs (including a virus that might be masquerading as the logon program) and to run the real logon system.

Unless your network administrator has prevented your changing these options, you can control which logon procedure is used on your computer. As a Computer Administrator user, run the User Manager by clicking Start, Control Panel, User Accounts. Under Pick a Task, select Change the Way Users Log On or Off.

Then, you can check or uncheck Use the Welcome Screen. When the Welcome Screen is enabled, you can enable or disable the Fast User Switching feature.

NOTE

You can enable Fast User Switching or the Offline Files feature, but not both at the same time. Offline Files was described in Chapter 18. To use one feature, you'll have to disable the other.

By the way, the Welcome Screen is not available if your computer is a member of a domain network: You'll always be presented with the old tried-and-true Windows logon dialog box when you go to sign on.

To enable the higher security "must hit Ctrl+Alt+Del to log in" feature, disable the Welcome screen as described. Then, open a command prompt window and type

 control userpasswords2

This brings up the domain-style account manager shown in Figure 28.6 (shown later in this chapter). Select the Advanced tab, check Require User to Press Ctrl+Alt+Delete, and click OK.

Figure 28.6. Local User Management control panel applet for domain member computers.

Automatically Logging On at Startup

Your computer can automatically log itself on and go directly to the desktop when it boots up, bypassing the sign-on process entirely. You might want do this if you have only one account on the computer and you are completely unconcerned about security, or if you are setting up a computer that will not directly interact with users, such as a kiosk or industrial control system. (The ticket dispensers in San Francisco's Bay Area Rapid Transit railway system are run by Windows 2000 computers that do just this. I saw one stuck partway through its startup process.)

You can't do this with a computer that's part of a corporate "domain" network. And, you can't actually eliminate the need for a user account and logon name. What you can do is tell Windows to automatically log on for you, by following this procedure:

Click Start, Run and enter cmd into the run field. With the Command Prompt window open, type the command

 control userpasswords2

If you are not currently logged on as a Computer Administrator, you will be prompted for the Administrator password.

On the Users tab, uncheck Users Must Enter a User Name and Password to Use This Computer.

Click OK. You will be prompted for the username and password to use when the system starts up. If the account has no password, leave the password field blank.

Now, every time Windows boots up, it will automatically log on with the specified username and password. If you want to use a different account, simply log off, and you'll get the Welcome Screen or logon dialog as usual.

You can go back to the normal logon-at-boot system by repeating this procedure, checking the box in step 2.

User Management for Domain Networks

If your computer is a member of a domain network, Windows displays a different set of user management dialog boxes. To manage local users you must be logged on as the local or domain Administrator. Click Start, Control Panel, User Accounts. Windows displays the local user list as shown in Figure 28.6.

Adding User Accounts

On a domain member computer, you can create new local accounts for local users, and also let members of other domains log on to your computer. (Anyone in your own domain can log on without doing anything extra.) There are different procedures for setting up each type of user.

To let an existing user from another domain log on to your computer, follow these steps:

Open the User Accounts control panel applet.

Click Add. Enter the user's logon name and domain name. You can click Browse to locate a user by searching Active Directory. When you have identified the user, click Next.

Select the desired privilege level for this user; this will assign the account to one of three groups: Power Users, Users, or Administrators, as shown in Figure 28.7. Click Finish. If you want this user to be prevented from installing or configuring software, select Users; otherwise you would generally want to select Power Users.

Figure 28.7. The Group Membership dialog box lets you assign a user account to one of three security levels.

To create a new local account (one that will be able to use your computer but not necessarily other resources on your network), follow these steps:

1.	Open the User Accounts control panel applet and select the Advanced tab.
2.	Click Advanced to view the Local Users and Groups management tool.
3.	Select the Users folder in the left pane.
4.	Select Action, New User, or right-click User and select New User.
5.	Fill in the new user information.

I'll discuss the Local Users and Groups management tool later in this chapter.

Changing User Accounts

To edit an existing account, open the User Accounts Control Panel applet, and highlight the appropriate user entry.

If you have Administrator privileges, you can click Reset Password to change the account's password.

Select Properties to modify the account's username or security privileges. Change the user's basic security level by selecting the Group Membership tab (refer to Figure 28.7).

For more detailed control of user privileges and group membership, you can use the Local Users and Groups management tool.

Advanced Settings

The Advanced tab on the User Accounts control panel applet has three unrelated security management tools:

Passwords and .NET Passports Lets you delete or change passwords for other computer systems that Windows has remembered for you. For more information on maintaining other passwords, see "Changing Network Passwords" earlier in this chapter.
Advanced User Management Opens the Local Users and Groups computer management tool, which I'll discuss in the next section.
Secure logon Lets you determine whether users must press Ctrl+Alt+Del before logging on. This is a good idea because it eliminates the opportunity for Trojan horse virus programs to present a fake login dialog box to capture passwords. On a domain network, this feature is enabled by default, and you should think twice before disabling it.