Setting Account Policies
Windows XP offers several sets of policies that affect user accounts. There are three kinds of account policies: security options, user rights, and lockout policies. The next three sections take you through these policies.
Account Security Options
To see these policies, open the Group Policy editor and select Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. (You can also launch the Local Security Policy snap-in and select Security Settings, Local Policies, Security Options.) The Accounts group of policies has five options:
- Administrator Account Status Use this option to enable or disable the Administrator account. This is useful if you think someone else might be logging on as the Administrator. (A less drastic solution would be to change the Administrator password or rename the Administrator account.) Note that only a different member of the Administrators group can enable a disabled Administrator account.
Note The Administrator account is always used during a Safe Mode boot, even if you disable the account. - Guest Account Status Use this option to enable or disable the Guest account.
- Limit Local Account Use Of Blank Passwords To Console Logon Only When this option is enabled, Windows XP allows users with blank passwords only to log on to the system directly by using either the Welcome screen or the Log On To Windows dialog box. Such users can't log on via the RunAs command or remotely over a network.
This policy modifies the following registry setting:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse
- Rename Administrator Account Use this option to change the name of the Administrator account.
- Rename Guest Account Use this option to change the name of the Guest account.
Setting User Rights Policies
Windows XP also has a long list of policies associated with user rights. To view these policies in the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. (You can also launch the Local Security Policy snap-in and select Security Settings, Local Policies, User Rights Assignment.) Each policy here is a specific task or action, such as Back Up Files And Directories, Deny Logon Locally, and Shut Down The System. For each task or action, the Security Setting column shows the users and groups who can perform the task or to whom the action applies. To change the setting, double-click the policy. In the policy's Properties window, click Add User Or Group to add an object to the policy; delete an object from the policy by selecting it and clicking Remove.
Setting Account Lockout Policies
Lastly, Windows XP has a few policies that determine when an account gets locked out, which means the user is unable to log on. A lockout occurs when the user fails to log on after a specified number of attempts. This is a good security feature because it prevents an unauthorized user from trying a number of different passwords. These policies are in the Group Policy editor under Computer Configuration, Windows Settings, Security Settings, Account Policies, Account Lockout Policy. (You can also launch the Local Security Policy snap-in and select Security Settings, Account Policies, Account Lockout Policy.) There are three policies:
- Account Lockout Duration This policy sets the amount of time, in minutes, that the user is locked out. Note that to change this policy, you must set the Account Lockout Threshold (described next) to a non-zero number.
- Account Lockout Threshold This policy sets the maximum number of logons the user can attempt before being locked out. Note that after you change this to a non-zero value, Windows XP offers to set the other two policies to 30 minutes.
- Reset Account Lockout Counter After This policy sets the amount of time, in minutes, after which the counter that tracks the number of invalid logons is reset to 0.
In this tutorial:
- Managing Logons and Users
- Useful Windows XP Logon Strategies
- Setting Up an Automatic Logon
- Setting Logon Policies
- More Logon Registry Tweaks
- Getting the Most Out of User Accounts
- Control Panel's User Accounts Icon
- The Local Users And Groups Snap-In
- Setting Account Policies
- Working with Users and Groups from the Command Line
- Creating and Enforcing Bulletproof Passwords
- User Account Password Options
- Recovering a Forgotten Password
- Sharing Your Computer Securely