Getting the Most Out of User Accounts
In Windows XP, a user account is a user name (and an optional password) that uniquely identifies a person who uses the system. The user account enables Windows XP to control the user's privileges; that is, the user's access to system resources (permissions) and the user's ability to run system tasks (rights). Standalone and workgroup machines use local user accounts that are maintained on the computer, while domain machines use global user accounts that are maintained on the domain controller. This section looks at local user accounts.
Security for Windows XP user accounts is handled most often (and most easily) by assigning each user to a particular security group. For example, the default Administrator account and all the user accounts you created during the Windows XP setup process are part of the Administrators group. Each security group is defined with a specific set of permissions and rights, and any user added to a group is automatically granted that group's permissions and rights. There are two main security groups:
- Administrators: Members of this group have complete control over the computer, meaning they can access all folders and files; install or uninstall programs (including legacy programs) and devices; create, modify, and remove user accounts; install Windows updates, service packs, and fixes; use Safe Mode; repair Windows; take ownership of objects; and more.
- Users (also known as Limited Users or Restricted Users): Members of this group can access files only in their own folders and in the computer's shared folders; change their own account passwords and associated pictures; add .NET Passport support; and install and run programs that don't require administrative-level rights.
Besides these two groups, Windows XP also defines seven others that you'll use less often:
- Backup Operators: Members of this group can access the Backup program and use it to back up and restore folders and files, no matter what permissions are set on those objects.
- Guests: Members of this group have the same privileges as those of the Users group. The exception is the default Guest account, which is not allowed to change its account password.
- HelpServicesGroup: Members of this group (generally, Microsoft personnel and the manufacturers of your computer) can connect to your computer to resolve technical issues using the Remote Assistance feature.
- Network Configuration Operators: Members of this group have a subset of the Administrator-level rights that enables them to install and configure networking features.
- Power Users (also known as Standard Users): Members of this group have a subset of the Administrator group privileges. Power Users can't back up or restore files, replace system files, take ownership of files, or install or remove device drivers. Also, Power Users can't install applications that explicitly require the user to be a member of the Administrators group.
- Remote Desktop Users: Members of this group can log on to the computer from a remote location using the Remote Desktop feature.
- Replicator: Members of this group can replicate files across a domain.
Each user is also assigned a user profile, which contains all the user's folders and files, as well as the user's Windows settings. The folders and files are stored in %SystemRoot%\Documents and Settings\user, where user is the user name. This location contains a number of subfolders that hold the user's home folder (My Documents), Internet Explorer cookies (Cookies), desktop icons and subfolders (Desktop), Internet Explorer favorites (Favorites), Start menu items (Start Menu), and more. If a logged-on user has been assigned any group policies, the user's settings are stored in the HKU\sid\ registry key, where sid is a unique security identifier (SID) typically in the form S-1-5-nn, and nn is a variable-length string of numbers interspersed with hyphens. To determine which currently logged-on user is associated with a particular SID, see the following registry setting:
HKU\sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Logon User Name
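One way to read that setting for every loaded hive at once, as an added example that is not part of the original text. It assumes PowerShell 2.0 or later is installed on the machine; the function name Get-LoadedUserHive and the placeholder strings are hypothetical.

```powershell
# Added example: map each SID-named key under HKEY_USERS to its logged-on user.
# Reads the "Logon User Name" value described on this page.
# Get-LoadedUserHive is a hypothetical name chosen for this example.
function Get-LoadedUserHive {
    $valueName = 'Logon User Name'
    $subKey    = 'Software\Microsoft\Windows\CurrentVersion\Explorer'

    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $sid = $_.PSChildName

        # Skip .DEFAULT and the per-user *_Classes hives; keep only SID-named keys.
        if ($sid -notmatch '^S-1-5-[\d-]+$') { return }

        # Service hives such as S-1-5-18 usually have no such value; report that
        # instead of failing.
        $path = "Registry::HKEY_USERS\$sid\$subKey"
        $prop = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
        $logonName = '<not set>'
        if ($prop) { $logonName = $prop.$valueName }

        # Cross-check the registry value against the account database.
        # A SID whose account was deleted will not translate.
        $resolved = '<unresolved>'
        try {
            $sidObj   = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $resolved = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Leave the placeholder so the row still appears in the output.
        }

        New-Object PSObject -Property @{
            SID             = $sid
            LogonUserName   = $logonName
            ResolvedAccount = $resolved
        }
    }
}

Get-LoadedUserHive | Format-Table SID, LogonUserName, ResolvedAccount -AutoSize
```

A row where LogonUserName and ResolvedAccount disagree, or where the SID does not resolve, is worth a closer look during an account audit.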
The rest of this section shows you the various methods Windows XP offers to create, modify, and remove local user accounts.