
Windows 8 : Understanding User and Group Accounts

9/20/2013 8:58:34 PM

Windows 8 provides user accounts and group accounts (of which users can be members). User accounts are designed for individuals. Group accounts, usually referred to as groups, are designed to simplify the administration of multiple users. You can log on with a user account, but you can’t log on with a group account.

Two general types of user accounts are defined in Windows 8:

  • Local user accounts User accounts defined on a local computer are called local user accounts. These accounts have access to the local computer only. You add or remove local user accounts with the User Accounts options on Control Panel or with the Local Users And Groups utility. Local Users And Groups is accessible in the System Tools node of Computer Management, a Microsoft Management Console (MMC) snap-in.

  • Domain user accounts User accounts defined in Active Directory are called domain user accounts. Through single sign-on, these accounts can access resources throughout a forest. When a computer is a member of an Active Directory domain, you can use it to create domain user accounts by using Active Directory Users And Computers. This MMC tool is available on the Tools menu in Server Manager when you install the Remote Server Administration Tools (RSAT) on your computer running Windows 8.

Both local user accounts and domain user accounts can be configured as standard user accounts or administrator accounts. A standard user account on a local computer has limited privileges, and an administrator account on a local computer has extended privileges.

Windows 8 adds a special type of local account called a Microsoft account, which is not available on earlier releases of Windows. Microsoft accounts can be thought of as synchronized local accounts, and here’s how they work:

  • A user signs in to a computer using an email address as their logon name and a password that is shared with their Microsoft account online.

  • Because the user has connected to their Microsoft account, the user is also able to use the various connected features of that account.

Synchronizing the account allows the user to purchase apps and other content for their computer from Windows Store. It also allows synced content (files, photos, and more) and certain profile settings stored on SkyDrive to be available if the user logs on to another computer running Windows 8. Syncing content between computers gives users a seamless experience regardless of which computer they log on to. Otherwise, synchronized accounts work exactly like regular local accounts: the user is still a local security principal with a local SID and a local profile, and the Microsoft account is only the credential and sync source behind it.

A regular local account can be converted into a synced account at any time. Similarly, a synced account can be converted to a regular account at any time.

Note

REAL WORLD On corporate PCs, you might not want users to be able to create or log on with Microsoft accounts. In Group Policy, you can block Microsoft accounts by enabling the Accounts: Block Microsoft Accounts policy. This policy is found in the Security Options policies for Computer Configuration under Windows Settings/Security Settings/Local Policies. Use the Users Can’t Add Microsoft Accounts setting to prevent users from creating Microsoft accounts. To block users from both creating and logging on with Microsoft accounts, use the Users Can’t Add Or Log On With Microsoft Accounts setting; switch any user who already signs in with a Microsoft account back to a regular local account first, because that user will no longer be able to log on once the setting applies.
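The policy above is stored as a single registry value, so it is easy to audit at scale or to enforce on a stand-alone machine that gets no Group Policy. The following PowerShell is an added example, not code from the original article: it reads the NoConnectedUser value that the Accounts: Block Microsoft Accounts policy sets (1 = users can't add Microsoft accounts, 3 = users can't add or log on with them) and can write it. The function names are this example's own.

```powershell
# Added example, not from the original article: audit and (optionally) enforce the
# "Accounts: Block Microsoft accounts" policy on the local machine.
# The policy is stored as the NoConnectedUser DWORD value under the System policies key:
#   1 = Users can't add Microsoft accounts
#   3 = Users can't add or log on with Microsoft accounts
# Reading works as a standard user; Set-MicrosoftAccountPolicy needs an elevated prompt.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-MicrosoftAccountPolicy {
    $item  = Get-ItemProperty -Path $policyKey -Name NoConnectedUser -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.NoConnectedUser } else { $null }

    $state = if ($null -eq $value) { 'Not configured: users can add and log on with Microsoft accounts' }
             elseif ($value -eq 0) { 'Disabled: users can add and log on with Microsoft accounts' }
             elseif ($value -eq 1) { "Users can't add Microsoft accounts" }
             elseif ($value -eq 3) { "Users can't add or log on with Microsoft accounts" }
             else                  { "Unexpected value $value; inspect the policy with secpol.msc" }

    [pscustomobject]@{ Key = $policyKey; NoConnectedUser = $value; State = $state }
}

function Set-MicrosoftAccountPolicy {
    # Without -BlockLogon the value becomes 1 (can't add); with it, 3 (can't add or log on).
    param([switch]$BlockLogon)

    if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $value = if ($BlockLogon) { 3 } else { 1 }
    Set-ItemProperty -Path $policyKey -Name NoConnectedUser -Value $value -Type DWord
    Get-MicrosoftAccountPolicy
}

# Audit only:
Get-MicrosoftAccountPolicy

# Enforce on a stand-alone corporate PC (run elevated):
#   Set-MicrosoftAccountPolicy -BlockLogon
```

Group Policy writes the same value, so on a domain-joined machine a conflicting GPO will overwrite a local change at the next policy refresh; set it in the GPO instead. Setting the value to 3 locks out any user who currently signs in with a Microsoft account, which is why the note above says to convert those users first.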

1. User Account Essentials

All user accounts are identified with a logon name. In Windows 8, this logon name has two parts:

  • User name The display text for the account

  • User computer or domain The computer or domain in which the user account exists

For the user WilliamS, whose account is created for the computer ENGPC85, the full logon name for Windows 8 is ENGPC85\WilliamS. With a local computer account, WilliamS can log on to his local workstation and access local resources but is not able to access domain resources.

When you create a Microsoft account for a user, Windows 8 uses the name information you specify as the logon name. The user’s first and last names are set as part of the display text. The full email address serves as the logon name because this is what’s stored locally on the computer. When the user logs on and the computer is connected to the Internet, the user’s settings and content can be synced and updated according to their preferences. If the computer isn’t connected to the Internet, the user’s settings and content come from their profile, as with regular user accounts.

When working with domains, the full logon name can be expressed in two different ways:

  • The user account name and the full domain name separated by the At sign (@). For example, the full logon name for the user name WilliamS in the domain technology.microsoft.com would be WilliamS@technology.microsoft.com. This form is the user principal name (UPN).

  • The user account name and the domain separated by the backslash symbol (\). For example, the full logon name for WilliamS in the technology domain would be technology\WilliamS. This form uses the domain’s NetBIOS name.

Although Windows 8 displays user names when describing account privileges and permissions, the key identifiers for accounts are security identifiers (SIDs). SIDs are unique identifiers generated when security principals are created. Each SID combines a computer or domain security ID prefix with a unique relative ID for the user. Windows 8 uses these identifiers to track accounts and user names independently. SIDs serve many purposes, but the two most important are to enable you to easily change user names and to delete accounts without worrying that someone might gain access to resources simply by re-creating an account.

When you change a user name, you tell Windows 8 to map a particular SID to a new name. When you delete an account, you tell Windows 8 that a particular SID is no longer valid. Even if you create an account with the same user name later, the new account won’t have the same privileges and permissions as the previous one because the new account will have a new SID.

User accounts can also have passwords and certificates associated with them. Passwords are authentication strings for an account. A certificate binds a public key to the user’s identity; the matching private key is held by the user, typically on a smart card, and never leaves it. You log on with a password interactively, whereas you log on with a certificate by proving possession of its private key, which is stored on a smart card, read with a smart card reader, and unlocked with the card’s PIN.

When you install Windows 8, the operating system installs default user accounts. You’ll find several built-in accounts, which have purposes similar to those of accounts created in Windows domains. The key accounts are the following:

  • Administrator Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can’t delete this account, although you can disable it; on Windows 8 it is disabled by default, and the first account created during setup (a member of Administrators) is used for administration instead. In Active Directory, the Administrator account has domainwide access and privileges. On a local workstation, the Administrator account has access only to the local system.

  • Guest Guest is designed for users who need one-time or occasional access. Although guests have only limited system privileges, you should be very careful about using this account because it opens the system to potential security problems. The risk is so great that the account is initially disabled when you install Windows 8.

By default, these accounts are members of various groups. Before you modify any of the built-in accounts, you should note the property settings and group memberships for the account. Group membership grants or limits the account’s access to specific system resources. For example, Administrator is a member of the Administrators group and Guest is a member of the Guests group. Being a member of a group makes it possible for the account to use the privileges and rights of the group.
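The two points above, that accounts are tracked by SID rather than by name and that the built-in accounts keep a fixed identity, are easiest to see by handling SIDs directly. The PowerShell below is an added example, not code from the original article. It translates a name to its SID, splits the SID into the machine or domain prefix and the relative ID, identifies the built-in Administrator and Guest by their fixed RIDs (500 and 501) even when they have been renamed, and scans a folder ACL for entries whose SID no longer resolves, which is the residue a deleted account leaves behind. Only .NET and WMI classes present on Windows 8 are used; the function names are this example's own and the folder path in the usage section is hypothetical.

```powershell
# Added example, not from the original article: work with SIDs directly.

function ConvertTo-Sid {
    param([Parameter(Mandatory=$true)][string]$Account)   # 'ENGPC85\WilliamS', 'technology\WilliamS', ...
    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
}

function Split-Sid {
    param([Parameter(Mandatory=$true)][System.Security.Principal.SecurityIdentifier]$Sid)
    $parts  = $Sid.Value.Split('-')
    $rid    = [int]$parts[-1]
    $prefix = $parts[0..($parts.Length - 2)] -join '-'
    # RIDs below 1000 are reserved. 500 and 501 always identify the built-in
    # Administrator and Guest; renaming the account does not change them.
    $wellKnown = switch ($rid) { 500 { 'Built-in Administrator' } 501 { 'Built-in Guest' } default { $null } }
    [pscustomobject]@{ Sid = $Sid.Value; IssuerPrefix = $prefix; Rid = $rid; WellKnown = $wellKnown }
}

function Get-LocalAccountIdentity {
    # Enumerate local accounts and classify them by RID rather than by (renameable) name.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object {
        $info = Split-Sid (New-Object System.Security.Principal.SecurityIdentifier($_.SID))
        [pscustomobject]@{ Name = $_.Name; Rid = $info.Rid; WellKnown = $info.WellKnown; Disabled = $_.Disabled }
    }
}

function Find-OrphanedAce {
    param([Parameter(Mandatory=$true)][string]$Path)
    # ACEs store SIDs, not names. A SID that no longer translates belongs to a deleted
    # account; re-creating an account with the same name yields a new SID, so the
    # orphaned entry grants nothing to anyone and should simply be removed.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference
        try   { $null = $sid.Translate([System.Security.Principal.NTAccount]); $resolves = $true }
        catch { $resolves = $false }
        if (-not $resolves) {
            [pscustomobject]@{ Path = $Path; Sid = $sid.Value; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
}

# Usage (read-only):
Get-LocalAccountIdentity | Format-Table -AutoSize
Split-Sid (ConvertTo-Sid "$env:USERDOMAIN\$env:USERNAME")
Find-OrphanedAce -Path 'C:\Shares\Engineering'   # hypothetical folder
```

The RID check is the practical way to find the real built-in Administrator on a machine where it has been renamed as a hardening measure: the name changes, the SID ending in -500 does not. Orphaned ACEs are harmless in themselves, but they are a sign that access was granted per user rather than per group, and they make the effective permissions harder to read.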

In addition to the built-in accounts, Windows 8 has several pseudo-accounts that are used to perform specific types of system actions. The pseudo-accounts are available only on the local system. You can’t change the settings for these accounts with the user administration tools, and users can’t log on to a computer with these accounts. The pseudo-accounts available include the following:

  • LocalSystem LocalSystem is used for running system processes and handling system-level tasks. This account grants the logon right Log On As A Service. Most services run under the LocalSystem account. In some cases, these services have privileges to interact with the desktop. Services that need fewer privileges or logon rights run under the LocalService or NetworkService account. Services that run as LocalSystem include Background Intelligent Transfer Service, Computer Browser, Group Policy Client, Netlogon, Network Connections, Print Spooler, and User Profile Service.

  • LocalService LocalService is used for running services that need fewer privileges and logon rights on a local system. By default, services that run under this account are granted the right Log On As A Service and the privileges Adjust Memory Quotas For A Process, Bypass Traverse Checking, Change The System Time, Change The Time Zone, Create Global Objects, Generate Security Audits, Impersonate A Client After Authentication, and Replace A Process Level Token. Services that run as LocalService include Application Layer Gateway Service, Remote Registry, Smart Card, SSDP Discovery Service, TCP/IP NetBIOS Helper, and WebClient.

  • NetworkService NetworkService is used for running services that need fewer privileges and logon rights on a local system but must also access network resources. Like services that run under LocalService, services that run by default under the NetworkService account are granted the right Log On As A Service and the privileges Adjust Memory Quotas For A Process, Bypass Traverse Checking, Create Global Objects, Generate Security Audits, Impersonate A Client After Authentication, and Replace A Process Level Token. Services that run under NetworkService include BranchCache, Distributed Transaction Coordinator, DNS Client, Remote Desktop Services, and Remote Procedure Call (RPC). NetworkService can also authenticate to remote systems as the computer account.
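Which account a given service actually runs under is recorded by the Service Control Manager and can be inventoried with WMI. The PowerShell below is an added example, not code from the original article: it classifies every service by its logon account, using the StartName strings the pseudo-accounts appear as ('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'), flags the LocalSystem services that may interact with the desktop, and lists services that run under a named account, which is where stored service passwords live. The function names are this example's own; it needs no modules beyond what Windows 8 ships.

```powershell
# Added example, not from the original article: inventory services by logon account.

function Get-ServiceAccountInventory {
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName | ForEach-Object {
        $svc  = $_
        $name = [string]$svc.StartName   # logon account as stored by the SCM
        $account = switch -Regex ($name) {
            '^LocalSystem$'                   { 'LocalSystem' }
            '^NT AUTHORITY\\LocalService$'    { 'LocalService' }
            '^NT AUTHORITY\\NetworkService$'  { 'NetworkService' }
            '^NT SERVICE\\'                   { 'Virtual account' }
            '^$'                              { 'None' }
            default                           { "Named account: $name" }
        }
        [pscustomobject]@{
            Name            = $svc.Name
            DisplayName     = $svc.DisplayName
            Account         = $account
            State           = $svc.State
            StartMode       = $svc.StartMode
            DesktopInteract = [bool]$svc.DesktopInteract   # the "interact with the desktop" flag
            Path            = $svc.PathName
        }
    }
}

function Get-ServiceAccountSummary {
    # Count services per account class; for third-party services LocalSystem should be
    # the exception, not the rule.
    Get-ServiceAccountInventory | Group-Object -Property Account |
        Select-Object -Property @{ n = 'Account'; e = { $_.Name } }, Count
}

# Services with full system privileges that can also touch the interactive desktop:
Get-ServiceAccountInventory |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.DesktopInteract } |
    Format-Table -Property Name, DisplayName, State -AutoSize

# Services running as a real user account, i.e. with a password stored on the box:
Get-ServiceAccountInventory |
    Where-Object { $_.Account -like 'Named account:*' } |
    Format-Table -Property Name, Account, Path -AutoSize

Get-ServiceAccountSummary
```

Reviewing this inventory is the quickest way to apply the point made above: anything that does not need LocalSystem should run as LocalService, NetworkService, or a virtual account, and a named account in the list means a credential that an attacker with local administrator rights can recover.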

2. Group Account Essentials

Windows 8 also provides groups, which you use to grant permissions to similar types of users and to simplify account administration. If a user is a member of a group that has access to a resource, that user has access to the same resource. You can give a user access to various work-related resources just by making the user a member of the correct group. Although you can log on to a computer with a user account, you can’t log on to a computer with a group account. Because different Active Directory domains or local computers might have groups with the same name, groups are often referred to by Domain\GroupName or Computer\GroupName (for example, Technology\GMarketing for the GMarketing group in a domain or on a computer named Technology).

Windows 8 uses the following three types of groups:

  • Local groups Defined on a local computer and used on the local computer only. You create local groups with Local Users And Groups.

  • Security groups Can be granted rights and permissions, that is, listed in security descriptors. You use a Windows server to define security groups in domains, using Active Directory Users And Computers.

  • Distribution groups Used as email distribution lists. They can’t have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.

As with user accounts, group accounts are tracked using unique SIDs. This means that you can’t delete a group account and re-create it and then expect that all the permissions and privileges remain the same. The new group will have a new SID, and all the permissions and privileges of the old group will be lost.

When you assign user access levels, you have the opportunity to make the user a member of the built-in or predefined groups, including:

  • Access Control Assistance Operators Members of this group can remotely query authorization attributes and permissions for resources on a computer.

    Note

    Windows has several operator groups. By default, no other group or user accounts are members of the operator groups. This is to ensure that you grant explicit access to the operator groups.

  • Administrators Members of this group are local administrators and have complete access to the workstation. They can create accounts, modify group membership, install printers, manage shared resources, and more. Because this group has complete access, you should be very careful about which users you add to it.

  • Backup Operators Members of this group can back up and restore files and directories on the workstation. They can log on to the local computer, back up or restore files, and shut down the computer. Because the group holds the Back Up Files And Directories and Restore Files And Directories privileges, its members can back up files regardless of whether they have read/write access to the files. They can’t change access permissions on the files or perform other administrative tasks through the normal tools, but because those privileges allow reading and writing any file on the system, treat membership as nearly equivalent to local administrator access when deciding who belongs here.

  • Cryptographic Operators Members can manage the configuration of encryption, Internet Protocol Security (IPSec), digital IDs, and certificates.

  • Event Log Readers Members can view the event logs on the local computer.

  • Guests Guests are users with very limited privileges. Members can access the system and its resources remotely, but they can’t perform most other tasks.

  • Hyper-V Administrators Members of this group can manage all features of Hyper-V. Virtualization technologies are built into the 64-bit editions of Windows 8 Pro and Enterprise and require hardware with Second Level Address Translation (SLAT).

  • Network Configuration Operators Members can manage network settings on the workstation. They can also configure TCP/IP settings and perform other general network configuration tasks.

  • Performance Log Users Members can view and manage performance counters. They can also manage performance logging.

  • Performance Monitor Users Members can view performance counters and performance logs.

  • Power Users In earlier versions of Windows, this group is used to grant additional privileges, such as the capability to modify computer settings and install programs. In Windows 8, this group is maintained only for compatibility with legacy applications.

  • Remote Desktop Users Members can log on to the workstation remotely using Remote Desktop Services. Once members are logged on, additional groups of which they are members determine their permissions on the workstation. A user who is a member of the Administrators group is granted this privilege automatically. (However, remote logons must be enabled before an administrator can remotely log on to a workstation.)

  • Remote Management Users Members can access WMI resources over management protocols.

  • Replicator Members can manage the replication of files for the local machine. File replication is primarily used with Active Directory domains and Windows servers.

  • Users Users are people who do most of their work on a single workstation running Windows 8. Members of the Users group have more restrictions than privileges. They can log on to a workstation running Windows 8 locally, keep a local profile, lock the workstation, and shut down the workstation.

  • WinRMRemoteWMIUsers__ Members can access WMI resources through Windows Remote Management (WinRM).

In most cases, you configure user access by using the Users or Administrators group. You can configure user and administrator access levels by setting the account type to Standard User or Administrator, respectively. Although these basic tasks can be performed using the User Accounts options of Control Panel, you make a user a member of a group by using Local Users And Groups under Computer Management.
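Local Users And Groups has no command-line equivalent in the box on Windows 8, but the ADSI WinNT provider it is built on is scriptable from PowerShell without any extra module. The PowerShell below is an added example, not code from the original article: it lists who is in the privileged built-in groups discussed above (reporting members in the Computer\Name or Domain\Name form the text describes), creates a local user, and adds a principal to a local group. The function names are this example's own, the computer, user and group names in the usage comments are hypothetical, and the mutating calls need an elevated prompt.

```powershell
# Added example, not from the original article: local users and groups via ADSI WinNT.

$privilegedGroups = 'Administrators', 'Backup Operators', 'Remote Desktop Users',
                    'Remote Management Users', 'Network Configuration Operators',
                    'Hyper-V Administrators'

function Get-LocalGroupMembership {
    param([string]$ComputerName = $env:COMPUTERNAME, [string[]]$GroupName = $privilegedGroups)
    foreach ($g in $GroupName) {
        $group = [ADSI]"WinNT://$ComputerName/$g,group"
        try   { $members = @($group.psbase.Invoke('Members')) }
        catch { continue }   # group absent on this edition (e.g. no Hyper-V Administrators)
        foreach ($m in $members) {
            # Members come back as raw COM objects; read their properties via reflection.
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # ADsPath ends in <computer-or-domain>/<name>, so the second-to-last segment
            # tells you whether the member is a local principal or comes from a domain.
            $source = ($path -split '/')[-2]
            [pscustomobject]@{ Group = "$ComputerName\$g"; Member = "$source\$name"; Type = $class }
        }
    }
}

function New-LocalUserAccount {
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$Password,
          [string]$Description = '')
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('User', $Name)
    $user.SetPassword($Password)
    $user.SetInfo()                      # the account exists only after the first SetInfo
    $user.Put('Description', $Description)
    $user.SetInfo()
    $user
}

function Add-LocalGroupMemberAccount {
    # $MemberPath is an ADsPath: "WinNT://ENGPC85/WilliamS" for a local user,
    # "WinNT://TECHNOLOGY/GMarketing" for a domain group.
    param([Parameter(Mandatory=$true)][string]$GroupName,
          [Parameter(Mandatory=$true)][string]$MemberPath)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.Add($MemberPath)
}

# Audit (read-only): who holds privileged group membership on this machine?
Get-LocalGroupMembership | Sort-Object Group, Member | Format-Table -AutoSize

# Provisioning (mutating, so shown commented out; names are hypothetical):
#   New-LocalUserAccount -Name 'WilliamS' -Password 'use-a-long-random-passphrase' -Description 'Engineering'
#   Add-LocalGroupMemberAccount -GroupName 'Remote Desktop Users' -MemberPath "WinNT://$env:COMPUTERNAME/WilliamS"
#   Add-LocalGroupMemberAccount -GroupName 'Administrators'       -MemberPath 'WinNT://TECHNOLOGY/GMarketing'
```

The audit output is what to review periodically: domain groups nested into local Administrators, Backup Operators or Remote Desktop Users are the usual way a workstation ends up with far more privileged users than the people who set it up intended.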

3. Domain vs. Local Logon

When computers are members of a domain, you typically use domain accounts to log on to computers and the domain. Domain administrators have access to resources on every workstation that is a member of the domain, because the Domain Admins group is placed in the local Administrators group of each computer when it joins the domain. Users, on the other hand, can access resources only on the local workstations they are permitted to log on to. In a domain, any user with a valid domain account can by default log on to any computer that is a member of the domain. When logged on to a computer, the user has access to any resource that his or her account or the groups to which the user’s account belongs are granted access, either directly or indirectly with claims-based access policies. This includes resources on the local machine, as well as resources in the domain.

You can restrict logons to specific domain workstations on a per-user basis by using Active Directory Users And Computers. In Active Directory Users And Computers, press and hold or right-click the user account and then tap or click Properties. On the Account tab of the user’s Properties dialog box, tap or click Log On To, and then use the options in the Logon Workstations dialog box to designate the workstations to which the user is permitted to log on.

Note

REAL WORLD Don’t confuse logon workstation restrictions with Primary Computers. Primary computers are associated with the Redirect Folders On Primary Computers Only policy found in the Administrative Templates policies for Computer Configuration under the System\Folder Redirection path. This policy allows administrators to specify from which computers users can access roaming profiles and redirected folders. The goal of the policy is to protect personal and corporate data when users log on to computers other than the ones they use regularly for business. Data security is improved by not downloading and caching this data on computers a user doesn’t normally use. In the context of the policy, a Primary Computer is a computer that has been specifically designated as permitted for use with redirected data by editing the advanced properties of a user or group in Active Directory and setting the msDS-PrimaryComputer property to the name of the permitted computers.
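Both settings described above are plain directory attributes, so they can be audited and set from a domain-joined Windows 8 client without RSAT. The PowerShell below is an added example, not code from the original article: the Log On To list is stored in the userWorkstations attribute as one comma-separated string of NetBIOS computer names, and Primary Computers are the distinguished names in msDS-PrimaryComputer. It uses System.DirectoryServices, escapes the account name before putting it in the LDAP filter, and can read or rewrite the restriction. The function names are this example's own, the account and computer names in the usage section are hypothetical, and writing requires write permission on the user object.

```powershell
# Added example, not from the original article: per-user logon workstation restrictions.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a name containing \ * ( ) or NUL cannot rewrite the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-DomainUserEntry {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    # With no SearchRoot, DirectorySearcher queries the domain this computer is joined to.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $escaped  = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userWorkstations', 'msDS-PrimaryComputer'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$SamAccountName' not found in $env:USERDNSDOMAIN" }
    $result
}

function Get-LogonRestriction {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $entry = Get-DomainUserEntry -SamAccountName $SamAccountName
    $ws = $entry.Properties['userworkstations']       # property names come back lower-cased
    $pc = $entry.Properties['msds-primarycomputer']
    $workstations = if ($ws.Count -gt 0) { ([string]$ws[0]).Split(',') } else { @() }
    $logOnTo      = if ($workstations.Count -gt 0) { $workstations } else { '(all computers)' }
    [pscustomobject]@{
        User              = $SamAccountName
        DistinguishedName = [string]$entry.Properties['distinguishedname'][0]
        LogOnTo           = $logOnTo
        PrimaryComputers  = @($pc | ForEach-Object { [string]$_ })
    }
}

function Set-LogonRestriction {
    # Pass NetBIOS names; an empty list removes the restriction ("All computers").
    param([Parameter(Mandatory=$true)][string]$SamAccountName, [string[]]$ComputerName = @())
    $entry = (Get-DomainUserEntry -SamAccountName $SamAccountName).GetDirectoryEntry()
    if ($ComputerName.Count -gt 0) {
        $entry.Properties['userWorkstations'].Value = ($ComputerName -join ',')
    } else {
        $entry.Properties['userWorkstations'].Clear()
    }
    $entry.CommitChanges()
    Get-LogonRestriction -SamAccountName $SamAccountName
}

# Usage (hypothetical names):
Get-LogonRestriction -SamAccountName 'WilliamS'
# Set-LogonRestriction -SamAccountName 'WilliamS' -ComputerName 'ENGPC85', 'ENGPC86'
# Set-LogonRestriction -SamAccountName 'WilliamS'     # clear the list: any computer
```

Domain controllers enforce the Log On To list at logon time based on the workstation name the client presents; it is not an ACL on the workstations themselves, and it says nothing about what the user may reach over the network once logged on to a permitted machine. msDS-PrimaryComputer, by contrast, is consulted only by the folder redirection and roaming profile policies, which is the distinction the note above draws.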

When you work with Windows 8, however, you aren’t always logging on to a domain. Computers configured in workgroups have only local accounts. You might also need to log on locally to a domain computer to administer it, for example when no domain controller is reachable. To log on to the local computer rather than the domain, you use a local user account and qualify the name with the computer name (ENGPC85\WilliamS) or with the shorthand .\WilliamS at the logon prompt. When you log on locally, you have access to any resource on the computer that your account or the groups to which your account belongs are granted access.