Lesson 1: Managing User Accounts
Modern operating systems such as Windows Vista have been designed to meet the needs of many different users. Accordingly, the operating system provides a method for creating multiple user accounts on a single installation of Windows Vista. You can configure and customize each user account based on the needs of the individual who will be using it. For example, desktop settings, screen savers, shortcuts, and user-specific data files are all stored separately for each account. In general, give each user of a system his or her own account.
From the standpoint of a consumer—a typical home or small-business user—it’s common for a computer to include multiple user accounts. For example, a family of four might have separate accounts for each parent and each child. A small business might have various employees who occasionally use a single shared computer to perform specific tasks.
Regardless of the purpose of a particular user account, there are security-related considerations that should be addressed. In this lesson, you’ll learn about the different types of accounts that are available in Windows Vista and how to create and manage them.
After this lesson, you will be able to:
- Describe the differences between standard and administrative user accounts.
- Provide examples of tasks that can be performed by administrative user accounts but not by standard user accounts.
- Create new standard and administrative user accounts.
- View and modify details about a user account.
Estimated lesson time: 45 minutes
Understanding User Account Types
When a user logs on to a computer running Windows Vista, he or she must provide valid credentials that prove his or her identity. Most commonly, a user performs a logon by using a combination of a user name and a password. Each user account has its own collection of settings and permissions. These include the following:
- User profile: A user profile contains all of the operating system preferences that are defined separately for each user account. Examples include desktop wallpaper options, the Windows Sidebar configuration, and application shortcuts. By default, user profiles are located in the C:\Users folder.
- Application settings: Each user profile has its own collection of application settings. These settings usually pertain to personal preferences for an application (such as default paths, toolbar layouts, and related details). They are stored either in the user-specific portion of the registry or in configuration files that are stored within the profile.
- User data folder: Each user has his or her own user data storage location on the computer. This enables multiple users of the same computer to keep their files separate from each other.
- Other user-specific folders: To improve consistency and usability for operating system users, each user profile includes several shortcuts to special folders. Examples include Music, Pictures, Saved Games, Documents, Downloads, and Videos. Each user will have his or her own shortcuts and storage locations for these default folders.
- Security privileges and policy settings: Each user account has a set of security-related actions that it can perform. For example, users might have restrictions related to logon hours or installing applications.
- File system permissions: These are details related to which actions the user can take on which files. For example, a user will be allowed to create and delete documents in his or her own user data folder but will not be able to access another user’s data folder.
The two main types of user accounts in Windows Vista are Standard User and Administrator. In this lesson, you’ll learn about the purposes of each account type, along with differences in the permissions they are granted. In Lesson 2, “Understanding User Account Control (UAC),” you’ll look at details related to how the UAC feature can be used to enable the temporary elevation of privileges.
Standard User Accounts
The default type of user account in Windows Vista is a standard user account. This account is designed to provide basic permissions for completing common daily tasks. It allows users to launch applications, create new documents, and modify basic system configuration settings. In general, these operations affect only the user who is logged on to Windows Vista. They do not include systemwide changes such as the installation of new software.
Administrator User Accounts
Accounts that have Administrator permissions have the capability of performing any operation or task on the system. This includes all of the permissions that are granted to a standard user account plus the ability to make major operating system changes, install new software, and create and modify other user accounts. Administrator accounts also have the ability to set permissions for other users on the system.
There are potential security considerations for users who use an administrative account for daily computer use. The primary issue is that unwanted software can make changes to the operating system or to data without the user’s permission. This is because all programs run, by default, using the security permissions of the user who launched them. A related issue is that such users have the ability to perform actions that could lead to operating system instability or corruption. For example, a novice user who is running as an Administrator might accidentally delete critical operating system files or programs, thinking that they are not needed. These are all reasons why Microsoft designed the UAC feature as a major component of Windows Vista.
Therefore, it is recommended that most users log on to their computers using a standard user account. One potential problem with this approach is that applications often expect to have full permissions on the system. You’ll learn about ways in which this situation can be addressed in Lesson 2.
Windows Vista creates a default account called Administrator during the installation process. This account has full permissions on the system and is generally not designed for regular use. For this reason, the default Administrator account is disabled on new installations. For in-place upgrade installations of Windows Vista, the setup process disables the built-in Administrator account only if there are other active Administrator accounts on the system. If there aren’t any, the account remains enabled.
The Guest Account
A third type of account that is created with default Windows Vista installations is the Guest account. This account is designed for users who require temporary access to a computer and don’t need to store their user-specific profile settings permanently. For example, if a friend is visiting your home and just needs to launch a Web browser to check her e-mail, you can allow her to use the Guest account. Users who log on as a guest have a very limited set of permissions. For example, they cannot access other users’ files or perform systemwide tasks such as installing software or hardware.
For security reasons, the built-in Guest account is disabled by default. This prevents users from having an option to log on to the system as Guest.
Comparing User Permissions
When working with standard and Administrator user accounts, it’s important to understand which actions each type of user is allowed to perform. Specifically, it’s important to know which permissions are granted to standard user accounts. In this section, you’ll see examples of operations that can be performed by each type of account.
Permissions of Standard User Accounts
The following actions can be performed by a standard user account:
- Perform basic system management tasks. The built-in Windows Vista applications and tools indicate operations that require elevated permissions with a shield icon next to the control.
- Change personal user settings such as passwords, desktop wallpaper, system sounds, and screen savers.
- Access removable media such as memory storage devices and CD/DVD media.
- Create a local area network (LAN) connection.
- Connect to a wireless network.
- Personalize display settings, including desktop resolution and number of colors.
- Use Remote Desktop to connect to remote computers.
- Perform basic configuration settings in Control Panel. For example, a user can change power management settings.
- Enable or disable accessibility options such as the screen magnifier.
- Connect and configure some external devices, such as universal serial bus (USB) storage or Bluetooth devices.
It is important to note that these are the default settings for a standard user account. Administrators can manually change the permissions and privileges of users to meet their requirements. Also, in some cases, a background service or process might perform important tasks that the user cannot perform directly. One example is the disk defragmentation service, which is configured to run under a specific user account.
Permissions of Administrator Accounts
Administrator accounts, as mentioned earlier, have full permissions on a computer system. This includes the ability to change or delete files owned by any user on the system and to make changes to the operating system. Examples of operations that can be performed by an Administrator account but not by a standard user account include the following:
- Installing new software on the computer
- Adding new hardware and installing device drivers on the computer
- Making changes to configuration of the Automatic Updates feature
- Accessing files that are in secure locations, such as the Windows folder and the Program Files folder
- Configuring Windows Firewall (including enabling, disabling, and adding exceptions)
- Performing a complete system backup and restore operation
- Creating new user accounts, removing user accounts, and configuring the user account type
- Managing the behavior of the UAC feature
Again, this is just a sample of the types of operations that a standard user account cannot perform.
Exam 70-623 tests your ability to identify which types of operations require privilege escalation. One great way to learn these is to “poke around” the Windows Vista user interface. Open Control Panel items and Administrative Tools to see the actions you can perform as a standard user and which ones require additional permissions. This will help give you a good idea of the limits of standard user accounts without having to memorize long lists of potential actions.
Managing User Accounts
So far, you have looked at details related to the different types of accounts that are available on a computer running Windows Vista. In this lesson, you’ll see how you can use that information to perform actual user account–related tasks. Many of these operations will require you to log on to the computer by using an account that has Administrator permissions.
Adding User Accounts
The Windows Vista Control Panel provides utilities that enable you to create and manage user accounts quickly and easily. To access the relevant settings, you need to have Administrator permissions on the computer. You can open the Manage Accounts window by clicking the Add Or Remove User Accounts link in the User Accounts And Family Safety section of the default Control Panel. Figure 6-1 shows an example of the available options and settings.
Figure 6-1 Using the Manage Accounts window in Control Panel
The default view shows a list of all of the users who are currently configured on the computer and an overview of their settings. The Create A New Account link starts the process of creating a new user (see Figure 6-2). The details that are required include the name of the new account. Usually, this corresponds to the individual who will be using that logon. The other option is related to whether the account should be created as a standard user (the default option), or as an Administrator.
Figure 6-2 Creating a new user account
After you click Create Account, the new account is available for logon. Generally, you will want to configure various properties of the account before you make it available for use by individuals.
Configuring User Accounts
There are several different operations that are commonly performed when managing user accounts. You can access these by clicking the name or icon of an account in the Manage Accounts window. Figure 6-3 shows the options that are available.
Figure 6-3 Changing settings for an account
The options include the following:
- Change The Account Name
- Change The Password (or Create A Password if the account does not currently have one)
- Remove The Password (if one is currently configured)
- Change The Picture
- Set Up Parental Controls
- Change The Account Type
- Delete The Account
The built-in Guest account has a limited set of options and commands. As mentioned earlier, this account is disabled by default. When you click the Guest account, you have the option of turning it on. If you click the Guest account item when it is turned on, you see the Turn Off The Guest Account link. The only other option that is available for a Guest account is the ability to change the picture that is used.
A common operation for users is to change their password. By default, standard users can change only their own passwords. It is a good practice for users to change any initial password that has been provided to them by an administrative user. Administrators have the ability to set, remove, or modify the password for any account. Figure 6-4 shows the Change Password dialog box.
Figure 6-4 Changing an account’s password
Passwords are case-sensitive; that is, capital and lowercase letters must be entered exactly as they have been defined. When changing a password, it might be necessary to enter the old password first. This is done to ensure that a user does not simply walk up to a computer to which someone is already logged on and make a change without knowing the original password. To make it easier to remember passwords, you can configure a password hint to be shown to all users who attempt to use the account through the logon screen. For this reason, this hint should be something that will help only the intended user access the system.
Performing Advanced User Account Configuration
The Manage Accounts window has been designed to provide access to the most common account-related operations on a computer running Windows Vista. In some cases, however, you might need to perform advanced operations. You can do this by using Local Users And Groups within the Computer Management console (see Figure 6-5). To access this console, in the Start menu, right-click Computer and choose Manage. Alternatively, if the Administrative Tools program group is available in the Start menu, select Computer Management.
Figure 6-5 Using the Computer Management console to manage user accounts
The two main folders are Users and Groups. The Users folder contains a list of all of the user accounts created on the system. Depending on the software and services you have installed on the computer, it’s possible that you’ll notice some accounts that might not have been present in the Manage Accounts Control Panel item. Often, these accounts are designed to provide support for special software or services that require particular sets of permissions on the computer. You can view and modify detailed settings for a user by right-clicking the account and selecting Properties. User accounts have several different options, such as those shown in Figure 6-6.
Figure 6-6 Viewing the General properties tab for a Windows user account
The Groups folder within Local Users And Groups displays a list of all of the security groups that are defined on the computer. You use groups to manage permissions for collections of users. A general practice is to place users in groups and then to assign permissions to the groups themselves. Because you can easily change the membership of a group, this simplifies the process of managing permissions.
MORE INFO Centrally managing advanced user settings
Most home and small-business users do not have reasons to configure advanced user settings and permissions manually. In general, you should encourage customers to use the features in Control Panel for managing security settings.
In corporate network environments, many of these options are more important. Most larger organizations have dedicated IT staff that are able to manage such settings centrally, using Windows Active Directory directory service.
In addition to the Administrators and Users groups, there are several other groups that pertain to collections of permissions that might be required for certain types of operations. For example, members of the Remote Desktop Users group are able to access this computer using the Remote Desktop feature, and members of the Backup Operators group can bypass standard file system security for performing a backup operation. Most groups include descriptive text that provides information about their purpose and function.
To view the members of a group, right-click the group name in the list and select Properties. The General tab shows a list of the user accounts that are currently members of the group (see Figure 6-7). The Add button also provides you with the ability to include new members in the group.
Figure 6-7 Viewing properties of a Windows Vista group
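The account and group details shown in Local Users And Groups can also be read from a script, which makes it easy to check a computer against the defaults described in this lesson (built-in Administrator and Guest disabled, few accounts with Administrator permissions). The following is an added example, not part of the original lesson; it assumes Windows PowerShell 2.0 or later is installed, and the function name Get-LocalAccountAudit and the wording of its notes are illustrative.

```powershell
# Added example (not from the lesson). Assumes Windows PowerShell 2.0 or later.
# The function name and the text of the notes are illustrative.
function Get-LocalAccountAudit {
    # Local accounts only. The built-in accounts are recognised by the last
    # part of the SID (500 = Administrator, 501 = Guest), so a renamed
    # built-in account is still identified correctly.
    $accounts = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")

    # Locate the local Administrators group by its well-known SID rather than
    # by display name, which differs on non-English installations.
    $adminGroup = Get-WmiObject -Class Win32_Group `
        -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

    # SIDs of the user accounts that are direct members of that group.
    $adminSids = @()
    if ($adminGroup) {
        $adminSids = @($adminGroup.psbase.GetRelated('Win32_UserAccount') |
            ForEach-Object { $_.SID })
    }

    foreach ($account in $accounts) {
        $rid     = [int]($account.SID.Split('-')[-1])
        $isAdmin = $adminSids -contains $account.SID
        $enabled = -not $account.Disabled
        $notes   = @()

        # Both built-in accounts are disabled by default on a new installation.
        if ($enabled -and $rid -eq 500) {
            $notes += 'built-in Administrator is enabled'
        }
        if ($enabled -and $rid -eq 501) {
            $notes += 'Guest account is turned on'
        }
        # Daily-use accounts should normally be standard users.
        if ($enabled -and $isAdmin -and $rid -ne 500) {
            $notes += 'has Administrator permissions; confirm this is intended'
        }

        New-Object PSObject -Property @{
            Name            = $account.Name
            Enabled         = $enabled
            IsAdministrator = $isAdmin
            Notes           = ($notes -join '; ')
        } | Select-Object Name, Enabled, IsAdministrator, Notes
    }
}

# One row per local account; rows with text in Notes deserve a closer look.
Get-LocalAccountAudit | Sort-Object Name | Format-Table -AutoSize
```

Accounts that appear here but not in the Manage Accounts window are typically the service or software accounts mentioned above.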
Quick Check
- What is the recommended type of account to use for daily computer use?
- Which type of account should you create or enable for a user who requires temporary access to the computer?
Quick Check Answers
- Use a standard user account for performing common operations on the computer.
- The Guest account has been designed to allow users temporary access to a computer. It provides a minimal set of permissions for performing common tasks.
Practice: Creating and Managing User Accounts
In this practice exercise, you will work with the user account management tools provided with the Windows Vista operating system.
Practice: Create and Configure New Accounts
This exercise familiarizes you with the process of creating a new user account. To complete this exercise, you need to log on to the computer as an administrator initially.
1. Open Control Panel and click User Accounts And Family Safety. This opens the main window for security and safety-related settings.
2. Under User Accounts, click Add Or Remove User Accounts.
   You now see a list of all of the users who are currently configured on the computer.
3. Click Create A New Account to start the process of adding a new account.
4. Type Test User as a user name, and then choose the default Standard User option for the account type. This creates an account that has permissions to accomplish many common tasks, but it will not be able to change system settings.
5. Click Create Account.
   You now see the new user account in the Manage Accounts window.
6. To view and modify the settings of the Test User account, click it.
7. Click Change The Picture and select a different picture for the user account. Click Change Picture to complete the configuration. The picture you select appears on the Windows Vista logon screen.
8. By default, the new user account has not been assigned a password. To increase security, click Create A Password.
9. Type test!123 in the New Password and Confirm New Password text boxes.
   Note that you can optionally provide a password hint to help the user remember his or her logon information. Remember that this hint is visible to all users of the system (whether or not they have logged on), so be sure that it is something that is understood only by the user who will be using the account.
10. Click Create Password.
11. Close the Manage Accounts window and close Control Panel.
12. To test the new account, start by logging off the computer.
13. Next, test the new account by using it to log on to the system. You should see the Test User account as an option. Click this account, and then provide the password that you assigned in step 9 to log on to the system. During the first logon, Windows Vista creates a new user profile and sets up the default system settings for new accounts.
14. Try performing several different types of tasks using the new account. Make a note of which types of operations are allowed and which ones require you to type in administrator credentials.
15. When finished, log off the computer. Optionally, you can delete the Test User user account by logging on as an administrator and using the Manage Accounts window.
- For security reasons, it is recommended that users run with a minimal set of permissions whenever possible.
- Standard user accounts have limited permissions on the system but are able to perform most common day-to-day tasks.
- Administrator user accounts have full permissions on the computer, but users can run with minimal permissions for most tasks.
- You can enable the Guest account for use by individuals who might need to access the system occasionally.
- The Manage Accounts window in Control Panel enables administrators to create new accounts and modify account settings.
- You can use Local Users And Groups in the Computer Management console to perform advanced security configuration, including group membership.
You can use the following questions to test your knowledge of the information in Lesson 1, “Managing User Accounts.” The questions are also available on the companion CD if you prefer to review them in electronic form.
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.
You are a Consumer Support Technician explaining the limitations of a standard user account to a customer. Which of the following operations require the user to provide approval for privilege escalation when running in Admin Approval Mode? (Choose all that apply.)
A. Changing the user’s own password
B. Installing new device drivers
C. Installing a new accounting software package
D. Changing the desktop wallpaper
You are a Consumer Support Technician assisting a user with configuring security on his Windows Vista–based laptop. The customer mentions that he often has friends and coworkers that want to use his computer temporarily to perform tasks such as checking stock quotes on a Web site. The customer wants to ensure that users cannot make permanent changes to his system configuration. Which of the following types of accounts are most appropriate for these individuals to use?
C. Standard User
D. Power User
© Microsoft. All Rights Reserved.