Getting the Most Out of User Accounts


In Windows XP, a user account is a user name (and an optional password) that uniquely identifies a person who uses the system. The user account enables Windows XP to control the user’s privileges; that is, the user’s access to system resources (permissions) and the user’s ability to run system tasks (rights). Standalone and workgroup machines use local user accounts that are maintained on the computer, while domain machines use global user accounts that are maintained on the domain controller. This section looks at local user accounts.

Security for Windows XP user accounts is handled most often (and most easily) by assigning each user to a particular security group. For example, the default Administrator account and all the user accounts you created during the Windows XP setup process are part of the Administrators group. Each security group is defined with a specific set of permissions and rights, and any user added to a group is automatically granted that group’s permissions and rights. There are two main security groups:

  • Administrators Members of this group have complete control over the computer, meaning they can access all folders and files; install or uninstall programs (including legacy programs) and devices; create, modify, and remove user accounts; install Windows updates, service packs, and fixes; use Safe Mode; repair Windows; take ownership of objects; and more.

  • Users (also known as Limited Users or Restricted Users) Members of this group can access files only in their own folders and in the computer’s shared folders; change their own account passwords and associated pictures; add .NET Passport support; and install and run programs that don’t require administrative-level rights.

Besides these two groups, Windows XP also defines seven others that you’ll use less often:

  • Backup Operators Members of this group can access the Backup program and use it to back up and restore folders and files, no matter what permissions are set on those objects.

  • Guests Members of this group have the same privileges as those of the Users group. The exception is the default Guest account, which is not allowed to change its account password.

  • HelpServicesGroup Members of this group (generally, Microsoft personnel and the manufacturers of your computer) can connect to your computer to resolve technical issues using the Remote Assistance feature.

  • Network Configuration Operators Members of this group have a subset of the Administrator-level rights that enables them to install and configure networking features.

  • Power Users (also known as Standard Users) Members of this group have a subset of the Administrator group privileges. Power Users can’t back up or restore files, replace system files, take ownership of files, or install or remove device drivers. Also, Power Users can’t install applications that explicitly require the user to be a member of the Administrators group.

  • Remote Desktop Users Members of this group can log on to the computer from a remote location using the Remote Desktop feature.

  • Replicator Members of this group can replicate files across a domain.

Each user is also assigned a user profile, which contains all the user’s folders and files, as well as the user’s Windows settings. The folders and files are stored in %SystemRoot%\Documents and Settings\user, where user is the user name. This location contains a number of subfolders that hold the user’s home folder (My Documents), Internet Explorer cookies (Cookies), desktop icons and subfolders (Desktop), Internet Explorer favorites (Favorites), Start menu items (Start Menu), and more. If a logged-on user has been assigned any group policies, the user’s settings are stored in the HKU\sid\ registry key, where sid is a unique security identifier (SID) typically in the form S-1-5-nn, and nn is a variable-length string of numbers interspersed with hyphens. To determine which currently logged-on user is associated with a particular SID, see the following registry setting:

HKU\sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name
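As an added example (not code from the book), the following cmd.exe batch script walks every SID loaded under HKU and prints the name stored in that Logon User Name value, which is a quick way to map a SID seen in a log or ACL back to the logged-on user; it assumes reg.exe as shipped with Windows XP.

```batch
@echo off
rem Added example, not from the book: walks every SID loaded under HKU and prints
rem the user name stored in the Logon User Name value given above. Hives without
rem that value (.DEFAULT, S-1-5-18, the *_Classes hives) are reported as such.
setlocal enabledelayedexpansion
for /f "tokens=*" %%K in ('reg query HKU ^| find "HKEY_USERS\"') do (
    set "SID=%%K"
    set "SID=!SID:HKEY_USERS\=!"
    set "NAME="
    rem reg query prints:  Logon User Name  REG_SZ  <name>  -- keep everything after REG_SZ
    for /f "tokens=1-4,*" %%A in ('reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "Logon User Name" 2^>nul ^| find /i "REG_SZ"') do set "NAME=%%E"
    if defined NAME (
        echo !SID!  -^>  !NAME!
    ) else (
        echo !SID!  -^>  ^(no Logon User Name value^)
    )
)
endlocal
```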

The rest of this section shows you the various methods Windows XP offers to create, modify, and remove local user accounts.

Control Panel’s User Accounts Icon

Windows XP has a number of methods for working with user accounts. The most direct route is to launch Control Panel’s User Accounts icon. If you’re using a standalone or workgroup computer, you’ll see the User Accounts window, which we’ll discuss in this section. (Domain-based computers display the User Accounts dialog box, which we discuss in the next section.)

If you’re a member of the Administrators or Power Users group, you create a new user account by clicking the Create A New Account link, entering a name for the account (don’t use spaces), and then clicking Next. Windows XP then asks you to choose the account type. Note that you have only two choices here: Computer Administrator (Administrators group) or Limited (Users group). Make your choice and click Create Account.

To modify an existing account, click the account in the User Accounts window to see a list of tasks for changing the account. (If you’re a member of the Users or Guests group, launching Control Panel’s User Accounts icon takes you directly to the task list.) Depending on your account’s privileges, you can then change the account name, create or change the account password, change the picture associated with the account, change the account type, apply a .NET Passport to the account, or delete the account.

The User Accounts Dialog Box

Control Panel’s User Accounts window has one major limitation: It offers only the Administrator and Limited (Users) account types. If you want to assign a user to one of the other groups, you need to use the User Accounts dialog box, shown in Figure 5-3. You get there by entering the command control userpasswords2 in the Run dialog box.

Figure 5-3: The User Accounts dialog box enables you to assign users to any Windows XP security group.

To enable the list of users, make sure the Users Must Enter A User Name And Password To Use This Computer check box is selected. You can now perform the following tasks:

  • Add a new user Click Add to launch the Add New User Wizard. You use the first two dialog boxes to specify the user’s name and password. You use the third and final dialog box to specify the user’s security group: Standard User (Power Users group), Restricted User (Users group), or Other. Select Other to assign the user to any of the nine default Windows XP groups.

  • Delete a user Select the user and click Remove.

  • Change the user’s name or group Select the user’s name and click Properties. The resulting property sheet enables you to change the user’s name and assign the user to a different group.

  • Change the user’s password Select the user’s name and click Reset Password. (Note that this option is not enabled for the Administrator account.)

    Tip

    How do you change the Administrator password? If you have the Welcome screen disabled (as described earlier) and have logged on as Administrator, press Ctrl+Alt+Delete to display the Windows Security dialog box, and then click Change Password. If the Welcome screen is enabled, use the NET USER command (described later in this chapter). You can also use the Local Users And Groups snap-in, discussed next.

On the Advanced tab, click the Advanced button to select the Local Users And Groups snap-in (discussed in the next section). Also, you can force users to press Ctrl+Alt+Delete before logging on by selecting the Require Users To Press Ctrl+Alt+Delete check box. (Note that this check box will be cleared if you applied the Do Not Require CTRL+ALT+DEL policy discussed earlier in this chapter.)

The Local Users And Groups Snap-In

The most powerful of the Windows XP tools for working with users is the Local Users And Groups snap-in. To load this snap-in, open Computer Management and select System Tools, Local Users And Groups. Alternatively, either click the Advanced button on the Advanced tab of the User Accounts dialog box (see the previous section), or use the Run dialog box to launch lusrmgr.msc. Select the Users branch to see a list of the users on your system, as shown in Figure 5-4.

Figure 5-4: The Users branch lists all the system’s users and enables you to add, modify, and delete users.

From here, you can perform the following tasks:

  • Add a new user Make sure no user is selected and then select Action, New User. In the New User dialog box, specify the user name and password (we discuss the password-related check boxes later in this chapter), and click Create.

  • Change the user’s name Right-click the user and then select Rename.

  • Change the user’s group Right-click the user and then select Properties. On the Member Of tab, click Add, use the Enter The Object Names To Select box to enter the group name, and then click OK.

  • Change the user’s profile Right-click the user and then select Properties. Use the Profile tab to change the profile path, logon script, and home folder (select the Local Path option to specify a local folder, or select Connect to specify a shared network folder).

  • Disable an account Right-click the user and then select Properties. On the General tab, select the Account Is Disabled check box.

  • Delete a user Right-click the user’s name and then select Delete.

  • Change the user’s password Right-click the user’s name and then select Set Password.

    Note

    Another way to change a user’s group is to select the Groups branch, right-click the group you want to work with, and then select Add To Group. Now click Add, type the user name in the Enter The Object Names To Select box, and then click OK.

Setting Account Policies

Windows XP offers several sets of policies that affect user accounts. There are three kinds of account policies: security options, user rights, and lockout policies. The next three sections take you through these policies.

Account Security Options

To see these policies, open the Group Policy editor and select Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. (You can also launch the Local Security Policy snap-in and select Security Settings, Local Policies, Security Options.) The Accounts group of policies has five options:

  • Administrator Account Status Use this option to enable or disable the Administrator account. This is useful if you think someone else might be logging on as the Administrator. (A less drastic solution would be to change the Administrator password or rename the Administrator account.) Note that only a different member of the Administrators group can enable a disabled Administrator account.

    Note

    The Administrator account is always used during a Safe Mode boot, even if you disable the account.

  • Guest Account Status Use this option to enable or disable the Guest account.

  • Limit Local Account Use Of Blank Passwords To Console Logon Only When this option is enabled, Windows XP allows users with blank passwords only to log on to the system directly by using either the Welcome screen or the Log On To Windows dialog box. Such users can’t log on via the RunAs command or remotely over a network.

This policy modifies the following registry setting:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse

  • Rename Administrator Account Use this option to change the name of the Administrator account.

  • Rename Guest Account Use this option to change the name of the Guest account.

Setting User Rights Policies

Windows XP also has a long list of policies associated with user rights. To view these policies in the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. (You can also launch the Local Security Policy snap-in and select Security Settings, Local Policies, User Rights Assignment.) Each policy here is a specific task or action, such as Back Up Files And Directories, Deny Logon Locally, and Shut Down The System. For each task or action, the Security Setting column shows the users and groups who can perform the task or to whom the action applies. To change the setting, double-click the policy. In the policy’s Properties window, click Add User Or Group to add an object to the policy; delete an object from the policy by selecting it and clicking Remove.

Setting Account Lockout Policies

Lastly, Windows XP has a few policies that determine when an account gets locked out, which means the user is unable to log on. A lockout occurs when the user fails to log on after a specified number of attempts. This is a good security feature because it prevents an unauthorized user from trying a number of different passwords. These policies are in the Group Policy editor under Computer Configuration, Windows Settings, Security Settings, Account Policies, Account Lockout Policy. (You can also launch the Local Security Policy snap-in and select Security Settings, Account Policies, Account Lockout Policy.) There are three policies:

  • Account Lockout Duration This policy sets the amount of time, in minutes, that the user is locked out. Note that to change this policy, you must set the Account Lockout Threshold (described next) to a non-zero number.

  • Account Lockout Threshold This policy sets the maximum number of logons the user can attempt before being locked out. Note that after you change this to a non-zero value, Windows XP offers to set the other two policies to 30 minutes.

  • Reset Account Lockout Counter After This policy sets the amount of time, in minutes, after which the counter that tracks the number of invalid logons is reset to 0.

Working with Users and Groups from the Command Line

You can script your user and group chores by taking advantage of the NET USER and NET LOCALGROUP command-line utilities. These commands enable you to add users, change passwords, modify accounts, add users to groups, and remove users from groups.

For local users, the NET USER command has the following syntax:

NET USER [username [password | * | /RANDOM] [/ADD] [/DELETE] [options]]

username
The name of the user you want to add or work with. If you run NET USER with only the name of an existing user, the command displays the user’s account data.

password
The password you want to assign to the user. If you use * instead, Windows XP prompts you for the password; if you use the /RANDOM switch instead, Windows XP assigns a random password (containing eight characters, consisting of a random mix of letters, numbers, and symbols), and then displays that password on the console.

/ADD
Creates a new user account.

/DELETE
Deletes the specified user account.

options
These are optional switches you can append to the command:

/ACTIVE:{YES | NO}
Specifies whether the account is active or disabled.

/EXPIRES:{date | NEVER}
The date (expressed in the system’s Short Date format) on which the account expires. This parameter cannot be set or viewed by other Windows XP tools.

/HOMEDIR:path
The home folder for the user (make sure the folder exists).

/PASSWORDCHG:{YES | NO}
Specifies whether the user is allowed to change his or her password.

/PASSWORDREQ:{YES | NO}
Specifies whether the user is required to have a password. This parameter cannot be set or viewed by other Windows XP tools.

/PROFILEPATH:path
The folder that contains the user’s profile.

/SCRIPTPATH:path
The folder that contains the user’s logon script.

/TIMES:{times | ALL}
Specifies the times that the user is allowed to log on to the system. Use single days or day ranges (for example, Sa or M-F). For times, use 12-hour notation with am or pm, or 24-hour notation. Separate the day and time with a comma; separate day/time combinations with semicolons. Here are some examples:

    M-F,9am-5pm
    M,W,F,08:00-13:00
    Sa,12pm-6pm;Su,1pm-5pm

Note that the abbreviated form of Thursday, Saturday, or Sunday requires the use of the first two characters of the day’s name. This parameter cannot be set or viewed by other Windows XP tools.

Caution

If you use the /RANDOM switch to create a random password, be sure to make a note of the new password so that you can communicate it to the new user.

Note that if you run NET USER without any parameters, it displays a list of the local user accounts.

Tip

If you want to force a user to log off when his or her logon hours expire, open the Group Policy editor and select Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. In the Network Security group of policies, enable the Force Logoff When Logon Hours Expire policy.

The NET LOCALGROUP command has the following syntax for adding users to, or removing users from, a group:

NET LOCALGROUP [group [name1 [name2 ...]] {/ADD | /DELETE}]

group
This is the name of the local group with which you want to work. If the name1 [name2 ...] parameters are not provided, then the /ADD or /DELETE switch applies to the named group.

name1 [name2 ...]
One or more user names that you want to add or delete, separated by spaces.

/ADD
Adds the user or users to the named group or, if no users are named, the named group is added to the system.

/DELETE
Removes the user or users from the named group or, if no users are named, the named group is deleted from the system.
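An added example, not code from the book, that scripts the NET USER and NET LOCALGROUP steps above as a cmd.exe batch file: the account name and expiry date are passed as arguments, and the Users group and the M-F,9am-5pm logon schedule are placeholder choices for the example.

```batch
@echo off
rem Added example, not from the book: scripts the NET USER and NET LOCALGROUP
rem steps described above. Usage (the expiry date uses the system's Short Date format):
rem     manageuser.cmd create  <name> [expiry-date]
rem     manageuser.cmd disable <name>
rem     manageuser.cmd remove  <name>
rem The Users group and the M-F,9am-5pm schedule are placeholder choices.
setlocal
set "ACTION=%~1"
set "ACCT=%~2"
set "EXPIRES=%~3"
if "%ACCT%"=="" goto :usage
if "%EXPIRES%"=="" set "EXPIRES=NEVER"
if /i "%ACTION%"=="create"  goto :create
if /i "%ACTION%"=="disable" goto :disable
if /i "%ACTION%"=="remove"  goto :remove
goto :usage

:create
rem /RANDOM prints the generated password on the console, so record it for the
rem user. /PASSWORDREQ and /EXPIRES cannot be viewed or set from the GUI tools.
net user "%ACCT%" /random /add /passwordreq:yes /passwordchg:yes /expires:%EXPIRES%
if errorlevel 1 goto :fail
rem Restrict logon hours to weekday business hours, then add to the Users group
net user "%ACCT%" /times:M-F,9am-5pm
if errorlevel 1 goto :fail
net localgroup Users "%ACCT%" /add
if errorlevel 1 goto :fail
rem Sanity check: a limited account must not also be in Administrators
net localgroup Administrators | find /i "%ACCT%" >nul
if not errorlevel 1 echo WARNING: %ACCT% is a member of Administrators
rem Display the account data (NET USER with only a user name) to confirm the result
net user "%ACCT%"
goto :eof

:disable
rem Same effect as the Account Is Disabled check box in Local Users And Groups
net user "%ACCT%" /active:no
if errorlevel 1 goto :fail
goto :eof

:remove
rem Deleting the account also removes its local group memberships
net user "%ACCT%" /delete
if errorlevel 1 goto :fail
goto :eof

:usage
echo Usage: %~nx0 create^|disable^|remove ^<name^> [expiry-date]
exit /b 1
:fail
echo Command failed for account "%ACCT%"
exit /b 1
```

The script must be run from an account in the Administrators group, since NET USER /ADD and NET LOCALGROUP /ADD fail otherwise.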

Insider Power Techniques for Microsoft Windows XP
ISBN: 0735618968
Year: 2005
Pages: 126