Implementing Users and Groups
In this section, you find out how to create user accounts that can be used to log on to the system and how to create groups to organize users together as a single object that permissions can be assigned to.
Creating user accounts
To secure the Windows operating system from unauthorized access, you can create a user account for each person who is allowed to use the system. Anyone who doesn't have a user account will be unable to log on to the system and, as a result, will not be able to use the computer. The other benefit of creating user accounts is that even if a person has a user account and logs on to the system, he or she may still be unable to access a file if you have not given that user permission to access it.
To create a user account in Windows 2000 or Windows XP systems, you use the Computer Management console. To start the Computer Management console, right-click My Computer and choose Manage.
In the Computer Management console, expand Local Users and Groups and select the Users folder. In the Users folder, you will notice some user accounts on the right side. These user accounts are built-in accounts, meaning that they were built by the operating system or by a piece of software you have installed.
Two built-in accounts you should be familiar with:
- Administrator: The administrator account is the built-in account in Windows that has full access to the system and can manage all aspects of the computer. During the installation of Windows 2000/XP/2003, you were asked what you wanted to set as the password for the administrator account; you use that password to log on with the username of administrator. When you log on as administrator, you can change any settings on the system. A normal user account cannot make major changes to the system, such as changing the time, installing software, or making any other change that affects the system. To make these types of changes, you need to log on as administrator.
- Guest: Users can use the guest account if they don't have an actual user account. When they try to access the system, they are authenticated as guest. The guest user inherits any permissions the guest account has on the system. There is one catch to this scenario: by default, the guest account is disabled, meaning that it is not available for use. Due to the security concerns of not requiring someone to log on, Microsoft has disabled the account. A disabled account appears with a red "X" on it and cannot be used.
Now that you have identified the two major built-in accounts, you can create your own user accounts. To create your own user accounts in the Computer Management console, right-click the Users folder and choose New User. The New User dialog box appears. Fill in the following account details:
- User Name: This will be the name that the user will use to log on to the system. Typically, it is a short version of the full name. For example, my full name is Glen Clarke so I might use gclarke as my username. A username is also known as the logon name.
- Full Name: This is typically the person's first name and last name. For example, my user account would have Glen Clarke as the full name.
- Description: This is a description of the user account. I normally put the person's job role here. For example, if I was an accountant, I might put Accountant in the description.
- Password: Type what you want for the user account's password. The user needs to know this password to log on to the system. Be sure to use good practices with passwords, such as not using words found in the dictionary and using a combination of upper- and lowercase letters, numbers, and symbols. See the preceding tutorial for more information about strong passwords.
- Confirm Password: Type the password again in this box. This ensures that you typed what you thought you typed.
- User Must Change Password at Next Logon: Set this option if you want to force the user to change the password the first time he logs on. This ensures that you don't know the user's password because the password you originally set is overwritten.
- User Cannot Change Password: Set this option if you don't want the user to be able to change the password. This ensures that the password you set is the password the user is using.
- Password Never Expires: In a password policy, you can specify that passwords must be changed every so many days. That policy applies to all users except for any accounts that have Password Never Expires activated. You might use this option if you have two employees sharing a user account.
- Account Is Disabled: If you want to disable an account at any time, you can set this option. A disabled account is unusable until you enable it again.
After you have typed all the account information, click the Create button and then click Close to get rid of the New User dialog box. The user account has been created, and you can start using it right away to log on to Windows.
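The options set in the New User dialog box can be checked afterward across every local account. The script below is an added example, not part of the original tutorial: it assumes Windows PowerShell is installed (the tutorial itself uses only the Computer Management console), reads the Win32_UserAccount WMI class, and uses a hypothetical helper name, Get-AccountFinding.

```powershell
# Added example (not from the tutorial): report which New User dialog
# options are in effect on each local account.
# Win32_UserAccount property  ->  dialog option
#   Disabled = True            ->  Account Is Disabled
#   PasswordChangeable = False ->  User Cannot Change Password
#   PasswordExpires = False    ->  Password Never Expires

function Get-AccountFinding {   # hypothetical helper name
    param($Account)

    $findings = @()
    # Well-known RIDs: a SID ending in -501 is the built-in Guest account.
    if ($Account.SID -match '-501$' -and -not $Account.Disabled) {
        $findings += 'built-in Guest account is enabled'
    }
    # A disabled account cannot be used to log on, so its password
    # flags are not reported.
    if (-not $Account.Disabled) {
        if (-not $Account.PasswordExpires) {
            $findings += 'Password Never Expires is set'
        }
        if (-not $Account.PasswordChangeable) {
            $findings += 'User Cannot Change Password is set'
        }
    }
    # The leading comma returns the array itself, even when it is empty.
    return ,$findings
}

# LocalAccount=True keeps the query on this computer's own accounts.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

foreach ($a in $accounts) {
    $state = 'enabled'
    if ($a.Disabled) { $state = 'disabled' }
    # A SID ending in -500 is the built-in Administrator, even if renamed.
    $kind = 'user'
    if ($a.SID -match '-500$') { $kind = 'built-in Administrator' }
    if ($a.SID -match '-501$') { $kind = 'built-in Guest' }

    Write-Output ("{0} [{1}, {2}] {3}" -f $a.Name, $kind, $state, $a.Description)
    foreach ($f in (Get-AccountFinding -Account $a)) {
        Write-Output ("    review: {0}" -f $f)
    }
}
```

Each "review" line points at an account whose settings exempt it from the password policy or leave the guest logon open, so those are the accounts to look at first in the Users folder.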