3. Changing Local User Account Types
The User Accounts utility provides an easy way to change account
types for local users. You can quickly set the default account type as
either standard user or administrator user. For more advanced control,
however, you need to use Local Users And Groups to assign group
membership to individual accounts.
In a homegroup or workgroup, you can change the account type from standard local user to administrator local user and vice versa by completing the following steps:
- In Control Panel, under the User Accounts heading, tap or click Change Account Type. This displays the Manage Accounts page.
- Tap or click the account you want to change, and then tap or click Change The Account Type.
- On the Change Account Type page, set the level of access for the user as either Standard User or Administrator, and then tap or click Change The Account Type.
Note
You won’t be able to change the account type for the last
administrator account on a computer. A computer must have at least one
local administrator.
In a domain, you can change the account type for a local computer user by completing the following steps:
- In Control Panel, under the User Accounts heading, tap or click the Change Account Type link. This displays the User Accounts dialog box.
- On the Users tab, tap or click the user account you want to work with, and then tap or click Properties.
- In the Properties dialog box, tap or click the Group Membership tab.
- Set the type of account as Standard User or Administrator, or select Other and then select the group you want to use.
- Tap or click OK twice.
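Underneath both procedures, an Administrator account is a member of the local Administrators group. The following PowerShell is an added example, not from the original text: it lists that group's members read-only and reports whether an account is the last enabled local administrator. The function names Get-LocalAdminMember and Test-LastLocalAdmin are hypothetical.

```powershell
# Added example (not from the original text). Function names are hypothetical.
# Read-only: lists members of the local Administrators group and reports
# whether an account is the only enabled local administrator left.

function Get-LocalAdminMember {
    # Resolve the group by its well-known SID so localized group names work.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

    # Disabled state of every local account, keyed by account name.
    $disabled = @{}
    Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
        ForEach-Object { $disabled[$_.Name] = $_.Disabled }

    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $mname = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # Local members carry the computer name in their ADsPath; domain members do not.
        $local = $path -like "*/$env:COMPUTERNAME/*"
        [pscustomobject]@{
            Name    = $mname
            Class   = $class   # User or Group
            IsLocal = $local
            # Counts only enabled local user accounts; the built-in
            # Administrator account is disabled by default on client Windows.
            Enabled = ($local -and $class -eq 'User' -and -not $disabled[$mname])
            ADsPath = $path
        }
    }
}

function Test-LastLocalAdmin {
    param([Parameter(Mandatory)][string]$UserName)
    $enabled = @(Get-LocalAdminMember | Where-Object { $_.Enabled })
    $others  = @($enabled | Where-Object { $_.Name -ne $UserName })
    # True when the named account is an enabled administrator and no other remains.
    ($enabled.Count -gt $others.Count) -and ($others.Count -eq 0)
}

Get-LocalAdminMember | Format-Table Name, Class, IsLocal, Enabled -AutoSize
"Is '$env:USERNAME' the last enabled local administrator? " + (Test-LastLocalAdmin $env:USERNAME)
```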
4. Switching Between Synced and Regular Accounts
The PC Settings utility provides an easy way to switch between
synced and regular accounts. In a homegroup or workgroup, you can
change the account type from a regular local account to a Microsoft
account and vice versa by completing the following steps:
- Log on as the user and then open PC Settings. One way to do this is by pressing the Windows key+I and then clicking Change PC Settings.
- On the Users panel, under Your Account, click Switch To A Local Account or Switch To A Microsoft Account, as appropriate, and then follow the prompts.
You must be connected to the Internet to switch to a Microsoft account.
5. Creating Passwords for Local User Accounts
In a homegroup or workgroup configuration, local
user accounts are created without passwords by default. This means that
a user can log on simply by tapping or clicking his account name on the
Welcome screen. To improve security, all local accounts should have
passwords.
For the easiest management of local
accounts, log on to each account that should have a password, and then
use the User Accounts utility to assign a password to the account. If
you are logged on as the user when you create a password, you don’t
have to worry about losing encrypted data. If you create a password
without logging on as the user, the user will lose access to her
encrypted files, encrypted email, personal certificates, and stored passwords.
This occurs because the user’s master key, which is needed to access
her personal encryption certificate and unlock this data, is encrypted
with a hash that is based on an empty password. So when you create a
password, the hash doesn’t match, and there’s no way to unlock the
encrypted data. The only way to resolve this is to restore the original
settings by removing the password from the account. The user should
then be able to access her encrypted files. Again, this issue is
related only to local user accounts for computers and not to domain user accounts.
Tip
Only the User Accounts utility allows you to assign a password hint,
which can be helpful in recovering a forgotten or lost password.
Another technique for recovering a password is a password reset disk,
which can be a floppy disk or a USB flash drive. It is important to
note that these are the only techniques you should use to recover
passwords for local
user accounts unless you want to risk data loss. Why? Although you can
create, reset, or remove a password from a user account, doing so
deletes any personal certificates and stored passwords associated with
this account. As a result, the user will no longer be able to access
her encrypted files or private email messages that have been encrypted
with her personal key. In addition, she will lose stored passwords for
websites and network resources. It is also important to note that this
is an issue only for local user accounts. Administrators can change or
reset passwords for domain user accounts without affecting access to
encrypted data.
You can create a password for a local user account by completing the following steps:
- Optionally, log on as the user whose password you want to create. In Control Panel, under the User Accounts heading, tap or click Change Account Type. This displays the Manage Accounts page.
- Tap or click the account you want to work with. To prevent possible data loss, this should be the same account as the account with which you logged on. Any account that has a current password is listed as Password Protected. Any account without this label doesn’t have a password.
- Tap or click New Password. Type a password, and then confirm it, as shown in Figure 3. Afterward, type a unique password hint. The password hint is a word or phrase that can be used to obtain the password if it is lost or forgotten. This hint is visible to anyone who uses the computer.
- Tap or click Create Password.
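Before creating or resetting a password for another user's local account, it helps to know whether that profile holds any of the data this section says would be lost. The following PowerShell is an added example, not from the original text: a read-only check that counts items in the per-user key, certificate, and credential stores. The function name Get-PasswordResetExposure is hypothetical, and the paths assume the default profile layout with no folder redirection.

```powershell
# Added example (not from the original text). Function name is hypothetical.
# Read-only pre-check before an administrator sets or resets a local account's
# password: counts per-user items that are protected with the user's master key.
# Run elevated so that other users' profiles are readable.

function Get-PasswordResetExposure {
    param([Parameter(Mandatory)][string]$UserName)

    $acct = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.Name -eq $UserName }
    if (-not $acct) { throw "No local account named '$UserName'." }

    # The profile path is looked up by SID; it is absent if the user never logged on.
    $prof = Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $acct.SID }
    if (-not $prof) {
        Write-Warning "'$UserName' has no profile on this computer; nothing to lose."
        return
    }

    # Assumption: default profile layout (AppData not redirected).
    $roaming = Join-Path $prof.LocalPath 'AppData\Roaming\Microsoft'
    $local   = Join-Path $prof.LocalPath 'AppData\Local\Microsoft'
    $stores  = [ordered]@{
        'DPAPI master keys'            = "$roaming\Protect\$($acct.SID)"
        'Private keys (RSA)'           = "$roaming\Crypto\RSA\$($acct.SID)"
        'Personal certificates'        = "$roaming\SystemCertificates\My\Certificates"
        'Stored credentials (roaming)' = "$roaming\Credentials"
        'Stored credentials (local)'   = "$local\Credentials"
    }

    foreach ($s in $stores.GetEnumerator()) {
        # -Force includes hidden and system files, which these stores use.
        $items = @(Get-ChildItem -LiteralPath $s.Value -Force -File -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            User  = $acct.Name
            Store = $s.Key
            Items = $items.Count
            Path  = $s.Value
        }
    }
}

# Checks the account running the script; pass another local account name as needed.
Get-PasswordResetExposure -UserName $env:USERNAME | Format-Table -AutoSize
```

A nonzero count for any store means the user should set the password while logged on, or use the password hint or a password reset disk, rather than have an administrator set it.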