Configuring Local Windows XP Accounts

Windows XP Professional, in an attempt to be all things to all people, provides account management that is flexible yet also powerful at the local level. When I say “local level” or “local machine,” I am talking about local computer accounts configured at a local Windows XP Professional computer, not domain accounts that are configured on a Windows 2000 Server and stored in the Active Directory. In many cases, only domain accounts are used, and the configuration of local accounts is not necessary. However, depending on the setup of your environment, you may very well use local computer accounts to control what users can and cannot do at the local machine.

You can configure local user accounts in two different places: the User Accounts applet in Control Panel and the Local Users and Groups option in Computer Management. The following sections explore the options that Windows XP Professional gives you and show you how to configure and manage accounts.

Understanding User Accounts

To make account management easier for end users, Windows XP provides three different types of accounts: Administrator, Limited User, and Guest. By default, Administrator and Guest accounts are created when Windows XP is first installed. The following bullets give you a quick overview of these account types:

  • Administrator  The Administrator account has complete control over the computer and access to all portions of the operating system. The Administrator can configure all system components, and install and remove hardware and all programs. In short, the Administrator account has full control. The Administrator can add, remove, or modify all existing user accounts. You can configure multiple Administrator accounts, or assign administrative privileges to multiple accounts if necessary, although local users should not have an Administrator account unless absolutely necessary.

  • Limited  The Limited account, formerly called a user account, should be used for most users. The Limited account gives the user full access to using the computer, but the Limited user cannot make hardware or system configuration changes. The Limited user also cannot install programs, but the user can use programs already installed. The Limited account cannot make any changes to existing accounts or add other accounts.

  • Guest  The Guest account is designed for someone who does not have an account on the computer. The guest can log on, but not make any changes to the computer or install software, although the guest can launch programs currently installed. The guest account can access the Internet, check e-mail, and perform other basic tasks. The guest account can also be disabled if it is not needed.

Secret 

You may also see an “unknown” account type if you open and browse User Accounts in Control Panel. The unknown account appears if you upgraded to Windows XP from a previous version of Windows. The accounts that existed at the time of the upgrade are considered “unknown” accounts.

One of the best features of accounts in Windows XP is that accounts not only control what users can and cannot do, but also keep one user’s data separate from that of another user. For example, when an account is created, you’ll find a folder for that account in C:\Documents and Settings. The user’s specific files and settings are stored in this user’s folder, which is not accessible by other users, except the Administrator, who can browse any user’s folder. If four different users access the same computer, then each user can log on with his or her account, and see his or her own desktop settings (assuming Group Policy allows the user to do so) and his or her own documents and files. To the user, it appears that he or she is the only one that uses the computer.

Working with User Accounts in Control Panel

You can easily configure user accounts using the User Accounts applet in Control Panel. This interface, designed for local accounts and created for easy account management by end users, gives you an easy way to create, modify, and delete local user accounts on Windows XP. When you first open the User Accounts applet in Control Panel, you see the existing accounts and the option to pick a task, shown in Figure 6-1. The following steps show you how to create a new account.

Figure 6-1: User Accounts

Creating a New Account

  1. Log on with an administrator account and open User Accounts in Control Panel.

  2. Click the Create a New Account option under Pick a Task.

  3. In the Name the New Account dialog box, shown next, assign a name for the account. This is the name that will appear on Windows XP’s Welcome screen and the Start Menu, so this account name is the “username” that the user will use to log on to the system. Enter the desired name and click Next.


    Note 

    Usernames must be unique and can contain up to 20 characters, including numbers. However, usernames cannot contain any of the following characters: " ? \ [ ] : ; | = + * / < >

  4. In the Pick an Account Type dialog box, shown here, choose whether you want the account to be an Administrator account or a Limited account by selecting the desired radio button. Click Create Account.


The new account is created and is now ready for use.

Changing an Account

A computer administrator can make changes to any account at any time. A Limited user, on the other hand, can change only his or her password or the account picture that appears. In other words, a Limited user cannot change other accounts, delete accounts, or change his or her account from Limited to Administrator. If you need to change an account, simply open User Accounts in Control Panel, then select the option to Change an Account under Pick a Task. In the next dialog box, select the account that you want to change. As you can see in Figure 6-2, you can change the account’s name, password, picture, or account type, or you can delete the account. Simply select a desired action and follow the prompts.

Figure 6-2: Choose an action in the User Accounts window

Working with Passwords

Windows XP gives you complete password flexibility; in fact, you don’t even have to use passwords. If this seems odd, remember that Windows XP Professional is designed for both domains and small environment use. In a small office or even a home office setting, several users may need their own account in order to keep settings and files separate, but security may not be a concern. In this case, a user can simply log on at the Welcome screen by clicking his or her username. The option of having no password just keeps things simple.

Troubleshooting: The Problem with Multiple Administrators

start example

As you are aware, the administrator on the local Windows XP computer has complete control over the system—including the other user accounts. You might wonder if you can have more than one administrator. Yes, in fact, you can create as many administrative user accounts as you want. Actually, all accounts on the computer can be administrator accounts. Before handing out administrative privileges, however, you should always stop and think about this decision. Since administrators can make system-wide changes, including software and hardware changes, the administrator account should be treated with care. The best rule of practice is to give administrative accounts only to those people who should be making system-wide changes and who have the technical knowledge to make wise choices. Failure to do so can result in a number of problems as users make configuration changes they should not have made. So, although the trouble here is simply user error, it is a problem that can be avoided by carefully determining who should, and should not, get an administrator account.

end example

However, in most cases, passwords are very important because they ensure that only valid users can log on to the computer, instead of anyone who simply wants to. For this reason, users can create a password for themselves, and as a computer administrator, you can change users’ passwords as needed.

For passwords to be effective, they should combine letters and numbers and be at least seven characters long. Passwords are case-sensitive, so passwords that use both upper- and lowercase letters are stronger. Also, passwords should not be common items, such as a name, children’s names, and so on. The more random you can make them, the stronger they are.

To change your password, both Administrators and Limited users need only open the User Accounts applet in Control Panel, choose the Change an Account option, then click your account. Choose Change My Password from the list. Enter your existing password, the new password, and a hint that can remind you of your password, as shown in Figure 6-3. You can leave the hint option blank if you do not want to use it.

Figure 6-3: Change your password

As a local administrator, you can also use the User Accounts applet to change a user’s password. This simply gives you a way to create and enforce a new password for a particular user, in the event that user forgets his or her password. The problem, however, is that the user will lose all Encrypting File System (EFS) encrypted files, certificates, and stored passwords for Web sites and network connections. Because of these problems, your best solution is to have users create a password reset disk. The password reset disk allows you to change your account’s password without having to know the old password. It is a good practice to have users create a password reset disk and store the disk in a secure location (since the disk would also allow anyone else access to the account). To create a password reset disk, follow the steps described in the following subsection.

Note 

You only need to create the password reset disk one time—not each time you change the password.

Creating a Password Reset Disk

  1. Log on with your desired account.

  2. Open User Accounts in Control Panel.

  3. Click the Change an Account option.

  4. Click your account.

  5. In the Related Tasks box in the left pane, click the Prevent a Forgotten Password option, shown here.


  6. The Forgotten Password Wizard appears. Click Next on the Welcome screen.

  7. Choose to create a password reset disk and store it on a floppy disk or other removable disk. Click Next.

  8. Enter the current user account password and click Next.

  9. The necessary data is copied to the disk. Click Next, then click Finish.

Note 

If you are using a laptop computer that has no floppy disk drive, the password reset data is stored in the C drive.

start sidebar
Tech Talk: Using a .NET Passport

In an effort to integrate local computing more closely with the Internet, Windows XP also supports the linking of your user account to a .NET Passport. A .NET Passport gives you a single sign-on to a number of secured Microsoft sites and other Web sites that support the .NET Passport initiative. You can access bank records, pay bills online, check e-mail, and perform other online options.

When you associate a user account with a .NET Passport, you are automatically logged on to Passport when you log on to Windows XP. Essentially, this gives users a one-stop logon process to access both the local computer and the Internet sites requiring a Passport. To associate a Passport with your user account, simply open User Accounts in Control Panel, then click Change an Account. Select your account from the list and choose Set Up My Account to Use a .NET Passport. When the .NET Passport Wizard appears, follow the instructions to set up the Passport.

end sidebar

Managing the Way Users Log On

If the computers you manage are part of a Windows domain, a typical domain logon dialog box appears. To log on, users must enter their domain user account and password in this dialog box. If the computer is a stand-alone computer or a member of a workgroup, then you can either use the classic logon, where the user presses CTRL-ALT-DEL and enters the username and password, or you can use the Welcome screen, which is typically enabled by default. The Welcome screen shows you all of the current user accounts, except for the administrator account, which is hidden. Then the user simply clicks the user account that he or she wishes to use when logging on. If a password is required, a password dialog box appears and the user enters the password.

Secret 

The administrator account is hidden, but not unavailable. When you see the logon screen, simply press CTRL-ALT-DEL. This will give you a standard Windows logon dialog box where you can enter your administrator account and password.

You can easily enable or disable the Welcome screen with User Accounts in Control Panel. Log on with an Administrator account, then open User Accounts. Click the Change the Way Users Log On or Log Off option. In the dialog box that appears, shown in Figure 6-4, you can choose to use the Welcome screen by clicking the Use the Welcome Screen check box option.

Figure 6-4: Logon and logoff options

Also notice that you can choose to use Fast User Switching. This feature, which is new in Windows XP, allows multiple users to be logged on to the computer at the same time. One user can use the computer, then another user can switch to his or her account, keeping the existing applications and files open that the other user was accessing. This feature allows different people to use the computer quickly and easily without having to close programs and stop processes, while keeping individual files and information secure.

However, Fast User Switching does have some restrictions. To use this feature, you have to enable the Welcome screen and you must never join the computer to a domain. Also, Fast User Switching does not work when offline files are enabled, or with some networking services, such as Client for NetWare networks.

start sidebar
Tech Talk: Fast User Switching in the Real World

Fast User Switching is a cool Windows feature designed for computers that have multiple users, particularly if those users access the computer several times each during the same day. With Fast User Switching, multiple users can have different programs open, working on different projects, and then simply trade off using the computer among themselves as needed—without closing programs or losing work. It is a great workgroup feature; however, do keep in mind that Fast User Switching does not work when a computer is configured to access a Windows domain and it does not work with offline files. However, Fast User Switching does work well with most Windows services, including Windows XP's remote desktop feature.

end sidebar

If you are using Fast User Switching, you can simply click Start | Log Off | Switch User to switch between users. This opens the Welcome screen, and the next user can simply log on.

Note 

You can also simply press the Windows logo key + L. This brings up the Welcome screen more quickly for Fast User Switching.

Working with Computer Management

If you open the Computer Management console, which is found in Administrative Tools in Control Panel, you see a Local Users and Groups node in the left console pane. If you expand Local Users and Groups, you’ll see the Users and Groups containers. If you open the Users container, you can see the current local users that are configured, as shown in Figure 6-5.

Figure 6-5: Local Users and Groups

If you have to manage a number of local users, you may find the Local Users and Groups console easier to work with. You can easily create a new user by following the steps described in the following subsection.

Creating a New User

  1. In the Computer Management console, expand Local Users and Groups. Right-click the Users container and click New User.

  2. In the New User dialog box, shown in Figure 6-6, enter a username, full description, and password, then confirm the password. Then, you can choose to:

    Figure 6-6: Account creation

    • Change password at next logon

    • Restrict the user from changing the password

    • Ensure that the password never expires

    • Disable the account

  3. After making your selections, click the Create button. The new account appears in the Local Users container.

Once you have created a new user account, you can manage it from within the Users container simply by right-clicking on the user account. From the menu that pops up, you can reset the user’s password, rename the account, delete it, or access its properties. If a user forgets his or her password, you can reset the password using the Set Password option. This is the same feature that you can use in User Accounts. Again, the user will lose personal data tied to the account, so a password reset disk is always your best option.

On the User Account Properties sheet, shown in Figure 6-7, you can manage the password restrictions. You can disable the account on the General tab, and using the Member Of tab, you can add the user to desired local groups. Finally, on the Profile tab, you can configure a local or roaming user profile, which is described in the next section.

Figure 6-7: User Account Properties sheet

Secret 

You have more options when configuring user accounts in Computer Management than in Users in the Control Panel. For example, you can force a user to change his or her password, you can configure the password to never expire, and you can even disable the account quickly and easily. These options are not available in Users in the Control Panel.
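The account options described above (password never expires, account disabled) and the Guest and no-password choices covered earlier can be reviewed across all local accounts at once. The following is an added example, not part of the original book: it assumes the account list was exported with the `wmic useraccount` command shown in the comment, and the machine and account names in the sample are constructed.

```python
"""Flag risky local-account settings from `wmic useraccount` CSV output."""
import csv
import io

# Constructed sample of the output of:
#   wmic useraccount where "LocalAccount=TRUE" get Name,Disabled,PasswordRequired,PasswordExpires /format:csv
# The machine name and account names are invented for illustration.
SAMPLE_CSV = """\

Node,Disabled,Name,PasswordExpires,PasswordRequired
XP49,FALSE,Administrator,FALSE,TRUE
XP49,FALSE,Guest,FALSE,FALSE
XP49,FALSE,JohnM,TRUE,TRUE
XP49,TRUE,TempUser,TRUE,FALSE
"""


def is_true(value):
    """wmic prints booleans as the strings TRUE and FALSE."""
    return (value or "").strip().upper() == "TRUE"


def audit_accounts(csv_text):
    """Return {account: [findings]} for enabled accounts with weak settings."""
    # wmic emits a blank line before the header row; drop empty lines first.
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    findings = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        name = row["Name"].strip()
        if is_true(row["Disabled"]):
            continue  # a disabled account cannot be used to log on
        issues = []
        if not is_true(row["PasswordRequired"]):
            issues.append("password not required")
        if not is_true(row["PasswordExpires"]):
            issues.append("password never expires")
        if name.lower() == "guest":
            issues.append("Guest account is enabled")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_accounts(SAMPLE_CSV).items():
        print(account + ": " + "; ".join(issues))
```

The "password not required" finding reflects the account flag only; it does not prove that the current password is blank.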

Configuring User Profiles

Once a user account is created, a folder for the account is created in Documents and Settings. This folder stores any settings configured by the user as well as any personal documents. Users cannot access each other’s folders, with the exception of the administrator, who can access any folder as needed. Once users are created, they can be grouped as needed for organizational purposes and rights assignment. Each local user account is given a folder, which is found in \Documents and Settings\username. (If the computer was upgraded to Windows XP, the user’s profile could be stored in %windir%\profiles.) The Documents and Settings folder is the default location where all user profiles are stored. You can change this location if you like and configure some additional profile options. To make changes to the default profile path, you must access the user account’s properties via the Computer Management console. Expand Local Users and Groups, and in the right pane, right-click the desired user account. Then click Properties. Click the Profile tab, as shown in Figure 6-8.

Figure 6-8: Profile tab

As you can see, the Profile path is empty, which means the default of \Documents and Settings\username is being used. If you want to store the profile in a different location, just enter a new path. You may want to store the profile in a more secure location or even on a different disk. If a logon script is used, you can enter the script path in the Logon Script text box.

You use the Home Folder panel to establish a local home folder. By default, My Documents is used, but you can specify a different home folder in which to store the user’s files by entering a local path in the Local Path text box.

You can also configure a roaming user profile in the Profile tab. This feature is beneficial to users who access several different computers each day, but want the same documents and settings regardless of where they log on. You can configure the profile on a server, such as in a domain environment, and then configure the profile path as a network address, such as \\server1\profile1. The following steps show you how to set up a roaming user profile.

Setting Up a Roaming User Profile

  1. On the primary computer that the user accesses, configure a shared Home folder with a desired network path. For example, suppose that a user, JohnM, has an account on a computer, XP49, and a Home folder stored in Documents and Settings\JohnM. Configure the system as desired for JohnM. Or, create a shared folder that can store the profile, and place the folder on a server in the domain environment.

  2. Go to the next machine that JohnM will use and create a user account with the same name and password for the user.

  3. Access the User Account Properties sheet and click the Profile tab. Choose a desired drive letter, and then enter the Universal Naming Convention (UNC) path to the profile that you originally created. In this example, the profile would be \\XP49\Documents and Settings\JohnM. The user should receive the same settings on the remote computer.

Working with Group Accounts

Group accounts are used on the local computer to assign certain rights and permissions to certain users. Group configuration is an easy way to manage group rights and permissions. Although not as complicated at the local level, Windows 2000 groups are extremely important in domain environments, where thousands of users may need different types of rights and access. The group account is the preferred method of managing these users.

Windows XP Professional has several built-in groups that you can use. These are

  • Administrators  Administrators have complete and unrestricted access to the computer.

  • Backup Operators  Backup Operators can override security restrictions in order to back up and restore data.

  • Users  Users are restricted to their own individual folders in terms of system configuration. This setting thus restricts users from making systemwide changes. The Users group is more restrictive, as you can see. In fact, members of the Users group cannot run a number of legacy applications.

  • Guests  The Guests group has the same permissions as the Users group by default. In addition, the Guests group is denied access to the application and system event logs.

  • Network Configuration Operators  Members of this group have some administrative features that enable them to manage and configure networking.

  • Power Users  Power Users have most administrative rights, with certain restrictions. They can run most applications, including legacy applications.

  • Remote Desktop Users  Group members have the right to log on remotely.

As with user accounts, you can easily create a new group by right-clicking on the Group container, then clicking New Group. Enter the group name and a description if desired, and then add members to the group. You can manage the membership of the group by accessing the group’s properties.
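Group membership, and membership of Administrators in particular, is worth reviewing against a list of accounts that are supposed to hold it. The following is an added example, not part of the original book: it parses the text printed by `net localgroup Administrators` on an English-language system, and the sample output, the account names and the approved list are constructed assumptions.

```python
"""Audit local Administrators membership from `net localgroup` output."""

# Constructed sample of `net localgroup Administrators` output on a
# workgroup machine; the account names are invented for illustration.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
JohnM
frontdesk
The command completed successfully.
"""

# Assumption: the accounts this site has approved as local administrators.
APPROVED_ADMINS = {"administrator", "johnm"}


def parse_members(output):
    """Return the member names listed under the dashed separator line."""
    members = []
    in_members = False
    for line in output.splitlines():
        text = line.strip()
        if not in_members:
            # The member list starts after a line made only of dashes.
            in_members = bool(text) and set(text) == {"-"}
            continue
        if not text:
            continue
        if text.lower().startswith("the command completed"):
            break  # trailer line printed by the English version of net.exe
        members.append(text)
    return members


def unapproved_admins(output, approved):
    """Members not on the approved list; Windows account names are case-insensitive."""
    approved_folded = {name.lower() for name in approved}
    return [m for m in parse_members(output) if m.lower() not in approved_folded]


if __name__ == "__main__":
    for name in unapproved_admins(SAMPLE_OUTPUT, APPROVED_ADMINS):
        print("Review administrator membership:", name)
```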




A+ Technician's on the Job Guide to Windows XP
ISBN: 72226900
EAN: N/A
Year: 2003
Pages: 164
