Windows 8 provides user accounts and group accounts (of
which users can be members). User accounts are designed for
individuals. Group accounts, usually referred to as groups,
are designed to simplify the administration of multiple users. You can
log on with a user account, but you can’t log on with a group account.
Two general types of user accounts are defined in Windows 8:
- Local user accounts: User accounts defined on a local computer are called local user accounts. These accounts have access to the local computer only. You add or remove local user accounts with the User Accounts options in Control Panel or with the Local Users And Groups utility. Local Users And Groups is accessible in the System Tools node of Computer Management, a Microsoft Management Console (MMC) snap-in.
- Domain user accounts: User accounts defined in Active Directory are called domain user accounts. Through single sign-on, these accounts can access resources throughout a forest. When a computer is a member of an Active Directory domain, you can use it to create domain user accounts by using Active Directory Users And Computers. This MMC tool is available on the Tools menu in Server Manager when you install the Remote Server Administration Tools on your computer running Windows 8.
Both local user accounts and domain user accounts can be configured
as standard user accounts or administrator accounts. A standard user
account on a local computer has limited privileges, and an
administrator account on a local computer has extended privileges.
Windows 8 adds a special type of local account called a Microsoft account, which is not available on earlier releases of Windows. Microsoft accounts can be thought of as synchronized local accounts, and here’s how they work:
- A user signs in to a computer using an email address as the logon name and a password that is shared with the user’s Microsoft account online.
- Because the user has connected to a Microsoft account, the user is also able to use the various connected features of that account. Synchronizing the account allows the user to purchase apps and other content for the computer from Windows Store. It also allows synced content (files, photos, and more) and certain profile settings stored on SkyDrive to be available if the user logs on to another computer running Windows 8. Syncing content between computers helps to give users a seamless experience regardless of which computer they log on to. Otherwise, synchronized accounts work exactly like regular local accounts.
A regular local account can be converted into a synced account at
any time. Similarly, a synced account can be converted to a regular
account at any time.
Note
REAL WORLD On corporate PCs, you might not want users to be able to create or log on with Microsoft
accounts. In Group Policy, you can block Microsoft accounts by enabling
the Accounts: Block Microsoft Accounts policy. This policy is found in
the Security Options policies for Computer Configuration under Windows
Settings/Security Settings/Local Policies. Use the Users Can’t Add
Microsoft Accounts setting to prevent users from creating Microsoft
accounts. To block users from logging on with and creating Microsoft
accounts, use the User Can’t Add Or Log On With Microsoft Accounts
setting.
1. User Account Essentials
All user accounts are identified with a logon name. In Windows 8, this logon name has two parts: the user name and the computer or domain in which the account is defined. For the user WilliamS, whose account is created for the computer ENGPC85, the full logon name for Windows 8 is ENGPC85\WilliamS. With a local computer account, WilliamS can log on to his local workstation and access local resources but is not able to access domain resources.
When you create a Microsoft account for a user,
Windows 8 uses the name information you specify as the logon name. The
user’s first and last names are set as part of the display text. The
full email address serves as the logon name because this is what’s
stored locally on the computer. When the user logs on and the computer
is connected to the Internet, the user’s settings and content can be
synced and updated according to their preferences. If the computer
isn’t connected to the Internet, the user’s settings and content come
from their profile, as with regular user accounts.
When working with domains, the full logon name can be expressed in two different ways:
- The user account name and the full domain name separated by the At sign (@). For example, the full logon name for the user name Williams in the domain technology.microsoft.com would be Williams@technology.microsoft.com.
- The user account name and the domain separated by the backslash symbol (\). For example, the full logon name for Williams in the technology domain would be technology\Williams.
Although Windows 8 displays user names when describing account
privileges and permissions, the key identifiers for accounts are
security identifiers (SIDs). SIDs are unique identifiers generated when
security principals are created. Each SID combines a computer or domain
security ID prefix with a unique relative ID for the user. Windows 8
uses these identifiers to track accounts and user names independently.
SIDs serve many purposes, but the two most important are to enable you
to easily change user names and to delete accounts without worrying
that someone might gain access to resources simply by re-creating an
account.
When you change a user name, you tell Windows 8 to map a particular
SID to a new name. When you delete an account, you tell Windows 8 that
a particular SID is no longer valid. Even if you create an account with
the same user name later, the new account won’t have the same
privileges and permissions as the previous one because the new account
will have a new SID.
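To make the SID structure described above concrete, here is an added example (not from the book) that parses constructed SIDs, separates the computer or domain prefix from the relative ID, and names well-known SIDs the way a reviewer of an ACL or security log would. The sample SID values are made up; the well-known SIDs and the Administrator (500) and Guest (501) relative IDs are fixed Windows values.

```python
import re
from typing import NamedTuple, Tuple

# Added example: parses constructed SIDs; no real accounts are involved.
# SIDs that Windows assigns identically on every computer (fixed values).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}
# Relative IDs that mean the same thing under every computer or domain prefix.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

class Sid(NamedTuple):
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def prefix(self) -> str:
        """Computer or domain part of the SID: everything before the final RID."""
        return "S-1-%d-%s" % (self.authority, "-".join(map(str, self.subauthorities[:-1])))

    @property
    def is_account_sid(self) -> bool:
        """S-1-5-21-<three computer/domain values>-<RID> identifies an account."""
        return self.authority == 5 and self.subauthorities[:1] == (21,) and len(self.subauthorities) == 5

def parse_sid(text: str) -> Sid:
    """Parse 'S-1-<authority>-<sub>[-<sub>...]'; anything else is rejected."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", text):
        raise ValueError("not a SID: %r" % text)
    parts = [int(p) for p in text.split("-")[2:]]
    return Sid(parts[0], tuple(parts[1:]))

def describe(text: str) -> str:
    """Name a SID the way an ACL or event-log reviewer would read it."""
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    sid = parse_sid(text)
    if sid.is_account_sid:
        rid = sid.subauthorities[-1]
        who = WELL_KNOWN_RIDS.get(rid, "account with RID %d" % rid)
        return "%s issued by %s" % (who, sid.prefix)
    return "unrecognised SID %s" % text

def same_issuer(a: str, b: str) -> bool:
    """True when two account SIDs were created by the same computer or domain.
    A deleted and re-created account keeps the prefix but gets a new RID, so
    ACL entries that name the old SID never match the new account."""
    sa, sb = parse_sid(a), parse_sid(b)
    return sa.is_account_sid and sb.is_account_sid and sa.prefix == sb.prefix
```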
User accounts can also have passwords and certificates associated
with them. Passwords are authentication strings for an account.
Certificates combine a public and private key to identify a user. You
log on with a password interactively, whereas you log on with a
certificate by using its private key, which is stored on a smart card
and read with a smart card reader.
When you install Windows 8, the operating system installs default
user accounts. You’ll find several built-in accounts, which have
purposes similar to those of accounts created in Windows domains. The
key accounts are the following:
- Administrator: Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can’t delete or disable this account. In Active Directory, the Administrator account has domainwide access and privileges. On a local workstation, the Administrator account has access only to the local system.
- Guest: Guest is designed for users who need one-time or occasional access. Although guests have only limited system privileges, you should be very careful about using this account because it opens the system to potential security problems. The risk is so great that the account is initially disabled when you install Windows 8.
By default, these
accounts are members of various groups. Before you modify any of the
built-in accounts, you should note the property settings and
group memberships for the account. Group membership grants or limits
the account’s access to specific system resources. For example,
Administrator is a member of the Administrators group and Guest is a
member of the Guests group. Being a member of a group makes it possible
for the account to use the privileges and rights of the group.
In addition to the built-in accounts, Windows 8 has several
pseudo-accounts that are used to perform specific types of system
actions. The pseudo-accounts are available only on the local system.
You can’t change the settings for these accounts with the user
administration tools, and users can’t log on to a computer with these
accounts. The pseudo-accounts available include the following:
- LocalSystem: LocalSystem is used for running system processes and handling system-level tasks. This account grants the logon right Log On As A Service. Most services run under the LocalSystem account. In some cases, these services have privileges to interact with the desktop. Services that need fewer privileges or logon rights run under the LocalService or NetworkService account. Services that run as LocalSystem include Background Intelligent Transfer Service, Computer Browser, Group Policy Client, Netlogon, Network Connections, Print Spooler, and User Profile Service.
- LocalService: LocalService is used for running services that need fewer privileges and logon rights on a local system. By default, services that run under this account are granted the right Log On As A Service and the privileges Adjust Memory Quotas For A Process, Bypass Traverse Checking, Change The System Time, Change The Time Zone, Create Global Objects, Generate Security Audits, Impersonate A Client After Authentication, and Replace A Process Level Token. Services that run as LocalService include Application Layer Gateway Service, Remote Registry, Smart Card, SSDP Discovery Service, TCP/IP NetBIOS Helper, and WebClient.
- NetworkService: NetworkService is used for running services that need fewer privileges and logon rights on a local system but must also access network resources. Like services that run under LocalService, services that run by default under the NetworkService account are granted the right Log On As A Service and the privileges Adjust Memory Quotas For A Process, Bypass Traverse Checking, Create Global Objects, Generate Security Audits, Impersonate A Client After Authentication, and Replace A Process Level Token. Services that run under NetworkService include BranchCache, Distributed Transaction Coordinator, DNS Client, Remote Desktop Services, and Remote Procedure Call (RPC). NetworkService can also authenticate to remote systems as the computer account.
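As an added example (not from the book), the following Python encodes the privilege sets listed above for LocalService and NetworkService and picks the least-privileged built-in account that covers what a service needs, flagging hypothetical services configured with more privilege than necessary. The service entries are constructed, and the only network distinction modelled is whether the service must authenticate to remote systems as the computer account.

```python
from typing import Dict, Iterable, List, Tuple

# Added example with constructed service entries; the privilege sets are the
# ones the text lists for each account, named as the text names them.
ACCOUNT_PRIVILEGES: Dict[str, frozenset] = {
    "LocalService": frozenset({
        "Adjust Memory Quotas For A Process", "Bypass Traverse Checking",
        "Change The System Time", "Change The Time Zone",
        "Create Global Objects", "Generate Security Audits",
        "Impersonate A Client After Authentication",
        "Replace A Process Level Token",
    }),
    "NetworkService": frozenset({
        "Adjust Memory Quotas For A Process", "Bypass Traverse Checking",
        "Create Global Objects", "Generate Security Audits",
        "Impersonate A Client After Authentication",
        "Replace A Process Level Token",
    }),
}
# Only NetworkService (and LocalSystem) authenticate to remote systems as the computer account.
HAS_NETWORK_IDENTITY = {"LocalService": False, "NetworkService": True}

def least_privileged_account(required: Iterable[str], needs_network_identity: bool) -> str:
    """Lowest built-in account whose privileges cover what the service needs.
    Anything the two restricted accounts cannot cover falls back to LocalSystem."""
    needed = frozenset(required)
    for account in ("LocalService", "NetworkService"):
        if needs_network_identity and not HAS_NETWORK_IDENTITY[account]:
            continue
        if needed <= ACCOUNT_PRIVILEGES[account]:
            return account
    return "LocalSystem"

# Ordering used to decide whether a configured account is broader than needed.
RANK = {"LocalService": 0, "NetworkService": 1, "LocalSystem": 2}

def audit_services(services: List[Tuple[str, str, Iterable[str], bool]]) -> List[str]:
    """Entries are (service, configured account, required privileges, needs network identity)."""
    findings = []
    for name, account, required, needs_network in services:
        best = least_privileged_account(required, needs_network)
        if RANK[best] < RANK.get(account, RANK["LocalSystem"]):
            findings.append("%s runs as %s but %s would suffice" % (name, account, best))
    return findings

# Constructed, hypothetical services (not real Windows services).
SAMPLE_SERVICES = [
    ("ExampleLogShipper", "LocalSystem", {"Bypass Traverse Checking", "Generate Security Audits"}, True),
    ("ExampleClockSync", "LocalSystem", {"Change The System Time", "Bypass Traverse Checking"}, False),
    ("ExampleRemoteClockSync", "LocalSystem", {"Change The System Time"}, True),
    ("ExampleIndexer", "LocalService", {"Bypass Traverse Checking"}, False),
]

if __name__ == "__main__":
    for line in audit_services(SAMPLE_SERVICES):
        print(line)
```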
2. Group Account Essentials
Windows 8 also provides groups, which you use to grant permissions
to similar types of users and to simplify account administration. If a user
is a member of a group that has access to a resource, that user has
access to the same resource. You can give a user access to various
work-related resources just by making the user a member of the correct
group. Although you can log on to a computer with a user account, you
can’t log on to a computer with a group account. Because different
Active Directory domains or local computers might have groups with the
same name, groups are often referred to by Domain\GroupName or Computer\GroupName (for example, Technology\GMarketing for the GMarketing group in a domain or on a computer named Technology).
Windows 8 uses the following three types of groups:
- Local groups: Defined on a local computer and used on the local computer only. You create local groups with Local Users And Groups.
- Security groups: Can have security descriptors associated with them. You use a Windows server to define security groups in domains, using Active Directory Users And Computers.
- Distribution groups: Used as email distribution lists. They can’t have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.
As with user accounts, group
accounts are tracked using unique SIDs. This means that you can’t
delete a group account and re-create it and then expect that all the
permissions and privileges remain the same. The new group will have a
new SID, and all the permissions and privileges of the old group will
be lost.
When you assign user access levels, you have the opportunity to make
the user a member of the built-in or predefined groups, including:
- Access Control Assistance Operators: Members of this group can remotely query authorization attributes and permissions for resources on a computer.
Note
Windows has several operator groups. By default, no other group or user accounts are members of the operator groups. This is to ensure that you grant explicit access to the operator groups.
- Administrators: Members of this group are local administrators and have complete access to the workstation. They can create accounts, modify group membership, install printers, manage shared resources, and more. Because this group has complete access, you should be very careful about which users you add to it.
- Backup Operators: Members of this group can back up and restore files and directories on the workstation. They can log on to the local computer, back up or restore files, and shut down the computer. Because of how this group is set up, its members can back up files regardless of whether the members have read/write access to the files. However, they can’t change access permissions on the files or perform other administrative tasks.
- Cryptographic Operators: Members can manage the configuration of encryption, Internet Protocol Security (IPSec), digital IDs, and certificates.
- Event Log Readers: Members can view the event logs on the local computer.
- Guests: Guests are users with very limited privileges. Members can access the system and its resources remotely, but they can’t perform most other tasks.
- Hyper-V Administration: Members of this group can manage all features of Hyper-V. Virtualization technologies are built into Windows 8 and supported on 64-bit hardware with Second Level Address Translation (SLAT).
- Network Configuration Operators: Members can manage network settings on the workstation. They can also configure TCP/IP settings and perform other general network configuration tasks.
- Performance Log Users: Members can view and manage performance counters. They can also manage performance logging.
- Performance Monitor Users: Members can view performance counters and performance logs.
- Power Users: In earlier versions of Windows, this group is used to grant additional privileges, such as the capability to modify computer settings and install programs. In Windows 8, this group is maintained only for compatibility with legacy applications.
- Remote Desktop Users: Members can log on to the workstation remotely using Remote Desktop Services. Once members are logged on, additional groups of which they are members determine their permissions on the workstation. A user who is a member of the Administrators group is granted this privilege automatically. (However, remote logons must be enabled before an administrator can remotely log on to a workstation.)
- Remote Management Users: Members can access WMI resources over management protocols.
- Replicator: Members can manage the replication of files for the local machine. File replication is primarily used with Active Directory domains and Windows servers.
- Users: Users are people who do most of their work on a single workstation running Windows 8. Members of the Users group have more restrictions than privileges. They can log on to a workstation running Windows 8 locally, keep a local profile, lock the workstation, and shut down the workstation.
- WindowsRMRemoteWMIUsers: Members can access WMI resources through Windows RM.
In most cases, you configure user access by using the Users or Administrators group. You can configure user
and administrator access levels by setting the account type to Standard
User or Administrator, respectively. Although these basic tasks can be
performed using the User
Accounts options of Control Panel, you make a user a member of a group
by using Local Users And Groups under Computer Management.
3. Domain vs. Local Logon
When computers are members of a domain,
you typically use domain accounts to log on to computers and the
domain. All administrators in a domain have access to resources on the
local workstations that are members of the domain. Users, on the other
hand, can access resources only on the local workstations they are
permitted to log on to. In a domain, any user with a valid domain
account can by default log on to any computer that is a member of the
domain. When logged on to a computer, the user has access to any
resource that his or her account or the groups to which the user’s
account belongs are granted access, either directly or indirectly with
claims-based access policies. This includes resources on the local
machine, as well as resources in the domain.
You can restrict logons to specific domain workstations on a
per-user basis by using Active Directory Users And Computers. In Active
Directory Users And Computers, press and hold or right-click the user
account and then tap or click Properties. On the Account tab of the
user’s Properties dialog box, tap or click Log On To, and then use the
options in the Logon Workstations dialog box to designate the
workstations to which the user is permitted to log on.
Note
REAL WORLD Don’t confuse logon workstation restrictions with Primary Computers. Primary computers are associated with the Redirect
Folders On Primary Computers Only policy found in the Administrative
Templates policies for Computer Configuration under the System\Folder
Redirection path. This policy allows administrators to specify from
which computer users can access roaming profiles and redirected
folders. The goal of the policy is to protect personal and corporate data
when users log on to computers other than the ones they use regularly
for business. Data security is improved by not downloading and caching
this data on computers a user doesn’t normally use. In the context of
the policy, a Primary Computer
is a computer that has been specifically designated as permitted for
use with redirected data by editing the advanced properties of a user
or group in Active Directory and setting the msDS-PrimaryComputer property to the name of the permitted computers.
When you work with Windows 8, however, you aren’t always
logging on to a domain. Computers configured in workgroups have only
local accounts. You might also need to log on locally to a domain
computer to administer it. Only users with a local user account can log
on locally. When you log on locally, you have access to any resource on
the computer that your account or the groups to which your account
belongs are granted access.