Windows XP Professional uses three types of user accounts: local user accounts, domain user accounts, and built-in user accounts.
Local user accounts allow users to log on only to the computer on which the local user account has been created and to access resources on only that computer. When you create a local user account, Windows XP Professional creates the account only in that computer's security database, called the local security database, shown in Figure 3.1. Windows XP Professional uses the local security database to authenticate the local user account, which allows the user to log on to that computer. Windows XP Professional does not replicate local user account information to any other computer.
Figure 3.1 Characteristics of local user accounts
Microsoft recommends that you use local user accounts only on computers in workgroups. If you create a local user account in a workgroup of five computers running Windows XP Professional (for example, User1 on Computer1), you can log on only to Computer1 with the User1 account. If you need to be able to log on as User1 to all five computers in the workgroup, you must create a local user account, User1, on each of the five computers. Furthermore, if you decide to change the password for User1, you must change the password for User1 on each of the five computers because each computer maintains its own local security database.
A domain does not recognize local user accounts, so do not create local user accounts on computers running Windows XP Professional that are part of a domain. Doing so restricts users from accessing resources in the domain and prevents the domain administrator from administering the local user account properties or assigning access permissions for domain resources.
Domain user accounts allow you to log on to the domain and access resources anywhere on the network. When you log on, you provide your logon information: your user name and password. Microsoft Windows 2000 Server uses this logon information to authenticate your identity and build an access token that contains your user information and security settings. The access token identifies you to the computers in the domain on which you try to access resources. The access token is valid throughout the logon session.
You can have domain user accounts only if you have a domain. You can have a domain only if you have at least one computer running one of the Windows 2000 Server products that is configured as a domain controller, which has the Active Directory directory service installed.
You create a domain user account in the copy of the Active Directory database (the directory) on a domain controller, as shown in Figure 3.2. The domain controller replicates the new user account information to all domain controllers in the domain. After Windows 2000 Server replicates the new user account information, all of the domain controllers in the domain tree can authenticate the user during the logon process.
Figure 3.2 Domain user accounts
Windows XP Professional automatically creates built-in accounts. Two commonly used built-in accounts are Administrator and Guest.
Use the built-in Administrator account to manage the overall computer. You can perform tasks to create and modify user accounts and groups, manage security policies, create printer resources, and assign the permissions and rights that allow user accounts to access resources.
If you want to log on as Administrator and are using the Welcome screen, you can press Ctrl+Alt+Delete twice. Windows XP Professional displays a logon prompt and you can log on as Administrator. The Administrator account will not appear on the Welcome screen if you are running in a workgroup environment, the Welcome screen is enabled, and you created a user account during Setup. See Chapter 2, "Installing Windows XP Professional," for information about creating a user account during Setup. Lesson 3 in this chapter explains how to configure the computer to use the logon prompt instead of the Welcome screen.
As the administrator, you should create a user account for performing nonadministrative tasks and use your Administrator account only for administrative tasks.
You cannot delete the Administrator account. As a best practice, you should always rename the built-in Administrator account to provide greater security. Use a name that does not identify it as the Administrator account, making it more difficult for unauthorized users to use it to break into your computer.
The Administrator account is enabled by default, but you can configure the Account: Administrator Account Status Security Option to disable it. For more information, see Chapter 13, "Configuring Security Settings and Internet Options."
Use the built-in Guest account to allow occasional users to log on and access resources. For example, an employee who needs access to resources for a short time can use the Guest account.
Allow Guest access only in low-security networks, and always assign a password to the Guest account. You can rename the Guest account, but you cannot delete it.
Log on with a user account that is a member of the Administrators group and use the User Accounts tool in the Control Panel (shown in Figure 3.3) to give access to the Guest account on the computer.
Figure 3.3 The User Accounts tool in a workgroup environment
To access the User Accounts program, click Start, click Control Panel, and then click User Accounts.
The User Accounts program displays the user accounts that can log on to the computer. The User Accounts program in Figure 3.3 indicates that Guest access is off, meaning that the Guest account is disabled.
To enable the Guest account, complete the following steps:
Figure 3.4 The Do You Want To Turn On The Guest Account window
You can also use the User Accounts program to disable Guest account access. If the Guest account is active, the User Accounts program indicates that Guest Access Is On.
To prevent Guest account access to the computer, complete the following steps:
The Guest account is now disabled.
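The guidance above for the built-in accounts (rename Administrator, keep Guest disabled or password-protected) can be checked from a script. The following is an added example, not part of the original lesson: it assumes Windows PowerShell with WMI available and an English-language installation, and the function name Get-BuiltInAccountAudit is hypothetical. It finds the built-in accounts by the fixed last component of their security identifier (500 for Administrator, 501 for Guest), so it still identifies them after a rename.

```powershell
# Added example: audit the built-in Administrator and Guest accounts on this computer.
# Assumes Windows PowerShell with WMI; run it from an account in the Administrators group.
function Get-BuiltInAccountAudit {
    # Local accounts only: these live in the local security database, not in Active Directory.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

    foreach ($acct in $accounts) {
        # The relative identifier (last SID component) does not change when an account is renamed.
        $rid = ($acct.SID -split '-')[-1]
        if ($rid -ne '500' -and $rid -ne '501') { continue }

        $findings = @()
        if ($rid -eq '500') {
            $role = 'Administrator'
            # Assumption: the default name is the English "Administrator".
            if ($acct.Name -eq 'Administrator') {
                $findings += 'still has the default name; rename it'
            }
        } else {
            $role = 'Guest'
            if (-not $acct.Disabled) {
                $findings += 'Guest access is on'
                # PasswordRequired is an account flag; it does not prove a password is set.
                if (-not $acct.PasswordRequired) {
                    $findings += 'account flags allow a blank password'
                }
            }
        }
        if ($findings.Count -eq 0) { $findings = @('matches the lesson guidance') }

        New-Object PSObject -Property @{
            BuiltIn  = $role
            Name     = $acct.Name
            Disabled = $acct.Disabled
            Findings = ($findings -join '; ')
        }
    }
}

Get-BuiltInAccountAudit | Format-Table BuiltIn, Name, Disabled, Findings -AutoSize
```

In a workgroup, run the check on every computer, because each one maintains its own local security database.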
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."