User Account Administration

In order to log in to Windows XP Professional, a user account is required. Only an administrator can create and modify user and group accounts. Windows XP Professional supports two types of user accounts, local user accounts and domain user accounts. A local user account provides access to the computer on which it is defined. A domain user account provides access to all the resources on a domain to which it has been assigned access. Domain accounts are stored in Active Directory. Local accounts are stored on the computer's local SAM.

Every user requires his or her own user account. However, rather than trying to manage a large number of individual users, administrators organize user accounts into groups for easier management. By making a user account a member of a group, the user account inherits all the permissions assigned to the group account. User accounts can be added to multiple group accounts, and the resulting set of permission assignments is the accumulation of all their group permissions.

Examining Built-in User Accounts

Windows XP automatically creates a number of local user accounts during its installation. These user accounts and their purposes are outlined in Table 9.1.

Note 

If Windows XP Professional was installed as an upgrade on an existing computer, any user accounts already defined on the computer will be migrated into Windows XP Professional as well.

Table 9.1: Built-in Windows XP Professional User Accounts

| User Account | Description |
| --- | --- |
| Administrator | An administrative account with complete control over all local resources |
| Guest | An account used by individuals with temporary access requirements that provides limited access to system resources |
| HelpAssistant | An account used by the Remote Assistance utility to provide the remote helper with access to the local computer |
| Support | An account used by the Help and Support services |

Because of its importance, the Administrator account must be closely guarded. It should be assigned a strong password. If possible, this password should be written down and locked in a safe place. This account should not be used to perform normal work on the computer. Individuals who require administrative privileges should have their user accounts added to the local Administrators group. The Administrator account can be renamed, but it cannot be disabled.

The Guest account is disabled by default and should only be enabled if absolutely necessary. This account provides only limited access capabilities, but it can be used by a would-be intruder to gain access to the computer and search for other ways of gaining access.

Administering User Accounts

When Windows XP Professional is first installed, the administrator is given the opportunity to add new user accounts to the computer. Windows XP Professional provides two utilities for administering user accounts once the operating system has been installed, as outlined below.

  • User Accounts folder

  • Local Users and Groups snap-in or extension

The User Accounts folder is located on the Windows Control Panel and provides basic account administration capabilities. It can be used to create, modify, and delete local user accounts but only provides limited control over the accounts. The Local Users and Groups snap-in or extension provides more detailed control over user accounts, including the ability to remotely manage user accounts on other computers to which the administrator has administrative privileges.

Working with the User Accounts Folder

The User Accounts folder displays a list of all currently configured user accounts. In addition, it displays the following tasks:

  • Change an account

  • Create a new account

  • Change the way users log off

When creating a new user account using the User Accounts folder, the administrator is limited to creating two types of accounts, Computer Administrator and Limited. User Accounts creates a Computer Administrator account by adding it to the local Administrators group. Likewise, it creates a Limited account by adding it to the local Users group.

A Computer Administrator account has complete control over the local computer and its resources. A Limited account has the following capabilities:

  • Saving and retrieving files created by that account

  • Changing the password associated with that account

  • Modifying desktop settings and themes

  • Viewing files located in the Shared Documents folder

Users with Limited accounts can also change their passwords, run applications and submit print jobs. A Limited account cannot be used to modify system settings, install new hardware, or install most applications.

Note 

Windows XP Professional allows user account names to be up to 20 characters long and supports passwords up to 256 characters long. Passwords are case-sensitive, meaning that they must be typed using the same case as was used when they were created. Although passwords are case-sensitive, user account names are not. However, user account names must be unique.

The following procedure outlines the steps involved in creating a new user account.

  1. Click on Start and then Control Panel. The Windows XP Control Panel appears.

  2. Click on User Accounts. The User Accounts folder appears.

  3. Click on Create a new account.

  4. The Name the new account screen appears. Type a name for the account, as demonstrated in Figure 9.3, and then click on Next.

  5. The Pick an account type screen appears. Select Computer administrator to create a local administrative account or Limited to create a Limited account and click on Create Account, as shown in Figure 9.4.

Figure 9.3: Usernames can be up to 20 characters long

Figure 9.4: Select the type of account to be created

Using the User Accounts folder, the administrator can modify any existing user account. The changes that can be made to an account vary for different types of accounts. For example, the only configuration options that can be made to the Guest account are:

  • Change the picture. Modifies the icon associated with the Guest account

  • Turn off the guest account. Disables the Guest account to prevent it from being used

  • Turn on the guest account. Enables the Guest account so that it can be used

Changes that can be made to other types of accounts include:

  • Change the password. Changes the password associated with a user account

  • Set up my account to use a .NET Passport. Registers a .NET Passport account

  • Change the name. Changes the name assigned to the user account

  • Remove the password. Deletes the password associated with a user account

  • Change the account type. Adds the account to either the Administrators or Users group

  • Delete the account. Deletes the user account

Note 

A .NET Passport is an Internet-based account used by Microsoft to track user activity at Web sites that use their service. For more information about the .NET Passport, including how to set one up, refer to "Using Windows Messenger to Deliver a Remote Access Invitation" in Chapter 3, "Help and Support."

All user accounts should be required to have a password. Passwords help protect user accounts from unauthorized access. Administrators should also establish a policy that governs password strength and ensure that users follow it. A strong password is one that contains:

  • At least eight characters

  • Uppercase and lowercase letters

  • Numbers

  • Special characters

The following procedure outlines the steps involved in modifying a user account.

  1. Click on Start and then Control Panel. The Windows XP Control Panel appears.

  2. Click on User Accounts. The User Accounts folder appears.

  3. Click on Change an account.

  4. The Pick an account to change screen appears, as shown in Figure 9.5.

  5. The screen shown in Figure 9.6 appears.

  6. Click on an option to change its associated account attribute and then click on the Back button to return to the main User Accounts screen.

Figure 9.5: Select a user account to modify

Figure 9.6: Select an account attribute to change

Working with the Local Users and Groups Snap-in

The Local Users and Groups snap-in or extension provides a more powerful account management tool. It can be used to administer both user and group accounts and provides detailed control over all account attributes. Local Users and Groups also provides the ability to perform remote account administration, making it the preferred tool for account administration.

Local Users and Groups is conveniently located as an extension in the Computer Management console. Table 9.2 lists the built-in group accounts provided by Windows XP Professional. In addition, administrators can use Local Users and Groups to create new local groups.

Table 9.2: Built-in Windows XP Professional Group Accounts

| Group Account | Description |
| --- | --- |
| Administrators | Members of this group have complete control over the computer and its resources. |
| Backup Operators | Members of this group can back up and restore all files on the computer. |
| Guests | Members of this group are given equivalent access capabilities as those of the Users group. This group contains the Guest account, which is further restricted. |
| Network Configuration Operators | Members of this group have the ability to configure TCP/IP and other network settings on the computer. |
| Power Users | Members of this group have the same capabilities as members of the Users group, plus the ability to install applications and modify certain system settings. |
| Remote Desktop Users | Members of this group are permitted to use Remote Assistance to connect to the computer. |
| Replicator | This group is managed by Windows XP and is used to support domain replication. |
| Users | Members of this group are permitted to log in, run applications, save and print files, turn off the computer, and perform nonadministrative tasks. |
| HelpServicesGroup | This group is managed by Windows XP and supports the Help and Support Center service. |

Note 

Before creating new accounts, the administrator should ensure that standards are developed and followed in order to ensure consistency and manageability. For example, always set up new user accounts so that users must change their password the first time that they log in. Instruct users to create strong passwords and establish guidelines for doing so using Group Policy, as explained later in this chapter.

The following procedure outlines the steps involved in creating a new account using Local Users and Groups.

  1. Click on Start and then right-click on My Computer and select Manage. The Computer Management console appears.

  2. To administer accounts on a remote computer, right-click on Computer Management, select Connect to another computer, specify the computer's name or IP address, and click on OK.

  3. Expand the System Tools node in the console tree.

  4. Expand the Local Users and Groups node on the console tree.

  5. Select Users. A list of user accounts defined in the SAM is displayed in the right-hand pane, as shown in Figure 9.7.

    Figure 9.7: Examining all user accounts defined in the targeted computer's SAM

  6. Right-click on Users and select New User. The New User dialog appears, as shown in Figure 9.8. Type a new username in the User name field. Type a user's real name in the Full name field and a brief description in the Description field. Type and confirm a password for the account and then select any number of the following options:

    • User must change password at next logon. Forces the user to change the assigned password at his or her first login

    • User cannot change password. Prevents the user from changing his or her password

    • Password never expires. Prevents the account from expiring by overriding the Maximum password age policy

    • Account is disabled. Prevents the account from being used until it is later enabled

    Figure 9.8: Creating a new user account using the Local Users and Groups extension in the Computer Management console

  7. Click on Create followed by Close.

Once a user account has been created, it can be further modified using the following procedure.

  1. Double-click on the user account. The user account's Properties dialog appears, as shown in Figure 9.9.

    Figure 9.9: Modifying user account properties

  2. The General property sheet on the user account Properties dialog allows the administrator to modify the user account's name and description. In addition, the administrator can configure any of the following options:

    • User must change password at next logon. Adds or removes the requirement that the user change his or her password at the next login

    • User cannot change password. Enables or disables the user's ability to change the password

    • Password never expires. Enables or disables the ability of the password to expire

    • Account is disabled. Can be used to enable or disable a user account

    • Account is locked out. Can be used to lock an account or unlock a locked account

  3. Click on the Member Of property sheet, as shown in Figure 9.10.

    Figure 9.10: Administering the account's group membership

  4. By default, new accounts are added to the Users group. To add the user account to other groups, click on Add, specify a group, and click on OK.

  5. To remove the user account from a group, select the group and click on Remove.

  6. Click on the Profile property sheet, as shown in Figure 9.11.

    Figure 9.11: Configuring an account profile and home folder

  7. By default, Windows XP automatically manages the location of user account profiles and home folders. However, administrators can modify these settings to accommodate corporate standards and set up profiles and home folders on centralized servers. The following options can be configured:

    • Profile path. The location where the user account's profile will be stored

    • Logon script. The location of a script to be run when the user logs on to the computer

    • Local path. The location of the user account's home folder on the local computer

    • Connect. The location of the user account's home folder on a network server

  8. Click on OK.
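
The account options above, together with the earlier guidance (keep Guest disabled, require a password on every account, grant administrative rights through the Administrators group), can be checked from command-line output as well as in the dialogs. The following is an added example, not part of the original book: it parses reports in the layout printed by net user <name> and flags accounts that depart from that guidance. The sample text, account names, and function names are constructed for illustration.

```python
import re

# Constructed sample, trimmed to the fields used here, in the two-column
# layout that `net user <name>` prints (one report per account).
SAMPLE = """\
User name                    Guest
Account active               Yes
Password required            No
Local Group Memberships      *Guests
The command completed successfully.
User name                    jsmith
Full Name
Account active               Yes
Password expires             Never
Password required            Yes
Local Group Memberships      *Administrators       *Remote Desktop Users
                             *Users
The command completed successfully.
User name                    tempuser
Account active               No
Password required            No
The command completed successfully.
"""

def parse_reports(text):
    """Return one {field: value} dict per account report."""
    accounts, last = [], None
    for line in text.splitlines():
        if line[:1].isspace() and last and accounts:   # wrapped group list
            accounts[-1][last] += " " + line.strip()
        elif line.strip():
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
            last = parts[0].lower()
            if last == "user name":                    # a new report starts
                accounts.append({})
            if accounts:
                accounts[-1][last] = parts[1] if len(parts) > 1 else ""
    return accounts

def audit(acct):
    """Findings for one account, following the chapter's guidance."""
    if acct.get("account active", "").lower() != "yes":
        return []                                      # disabled: cannot log on
    name = acct["user name"].lower()
    groups = [g.strip() for g in acct.get("local group memberships", "").split("*") if g.strip()]
    checks = [
        (name == "guest", "Guest account is enabled"),
        (acct.get("password required", "").lower() == "no", "no password required"),
        (acct.get("password expires", "").lower() == "never", "password never expires"),  # also "Never" when no maximum password age is set
        ("Administrators" in groups and name != "administrator", "member of Administrators"),
    ]
    return [msg for hit, msg in checks if hit]

def audit_all(text):
    return {a["user name"]: audit(a) for a in parse_reports(text)}
```

Group names are split on the asterisk rather than on spaces because built-in groups such as Remote Desktop Users contain spaces.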

Note 

Windows XP Professional implements user profiles as a means of allowing individual users to create custom settings without affecting the settings implemented by other users. Examples of settings stored in user profiles include the Windows desktop background, a screen saver, and a custom Start menu configuration. Windows XP automatically saves any configuration changes made by the user at logoff and reloads them at login. Unless changed by the administrator, Windows XP Professional stores user profiles in the root directory on the drive where Windows XP system files are stored (usually C:\Windows) in a folder with the same name as the user's account name.

If a user account is no longer needed, it can be deleted using the following procedure.

  1. Click on Start and then right-click on My Computer and select Manage. The Computer Management console appears.

  2. To administer an account on a remote computer, right-click on Computer Management, select Connect to another computer, specify the computer's name or IP address, and click on OK.

  3. Expand the System Tools node in the console tree.

  4. Expand the Local Users and Groups node on the console tree.

  5. Select Users to display a list of locally defined user accounts.

  6. Select an account and press the Delete key. Click on Yes when prompted for confirmation.

In addition to detailed control over accounts on local and remote computers, Local Users and Groups can also be used to create new Group accounts. Managing large numbers of users by placing them into groups is a lot easier on administrators than trying to manage user accounts individually. The steps involved in setting up a group account are outlined in the following procedure.

  1. Click on Start and then right-click on My Computer and select Manage. The Computer Management console appears.

  2. To administer an account on a remote computer, right-click on Computer Management, select Connect to another computer, specify the computer's name or IP address, and click on OK.

  3. Expand the System Tools node in the console tree.

  4. Expand the Local Users and Groups node on the console tree.

  5. Select Groups. A list of group accounts defined in the SAM is displayed in the right-hand pane, as shown in Figure 9.12.

    Figure 9.12: Administering group accounts

  6. Right-click on Groups and select New Group. The New Group dialog appears, as shown in Figure 9.13.

    Figure 9.13: Defining a new group and populating it with user accounts

  7. Type a name for the group in the Group name field and a brief description in the Description field.

  8. To add new members to the group, click on Add, type the name of a user account, and click on OK.

  9. To delete a user account from the group, select the user account and click on Remove.

  10. Click on Close.



Microsoft Windows XP Professional Administrator's Guide
ISBN: 1931841969
EAN: 2147483647
Year: 2005
Pages: 358
