6. Recovering Local User Account Passwords
As discussed previously, in order to preserve access to any
encrypted data and stored passwords that a user might have, it is
preferable to try and recover a user password rather than change or
remove the password.
Windows 8 provides two ways to recover user passwords:
- Password hint A hint can be accessed on the Welcome screen. Ordinarily, the Welcome screen is displayed when the computer is started and no one is logged on. If someone is logged on to the workstation, ask him or her to log off. Tap or click the user's name to display the Password prompt, and then tap or click the blue Enter button to display the password hint. Hopefully, the password hint will help the user remember the password. If it doesn't, you need to use a password reset disk. Keep in mind that the hint is shown to anyone standing at the Welcome screen, so it must never be the password itself or something that gives the password away.
- Password reset disk Password reset disks can be created for any local user account with a password. They enable anyone to change the password of the related local account without needing to know the old password, and, unlike a reset performed by an administrator, a reset made with the disk preserves the user's access to encrypted files and stored credentials. A disk is tied to the account it was created for and remains valid after later password changes, so anyone with access to it can change that account's password at any time. Store password reset disks in a secure location. If users are allowed to create their own password reset disks, be sure they know how important the disks are.
Note Passwords for domain users and those for local users are managed differently. Administrators manage passwords for domain user accounts and can reset forgotten passwords using the Active Directory Users And Computers console. Recovery information for local machine accounts can be stored in a secure, encrypted file on a password reset disk, which can be a floppy disk or a USB flash device.
By default, Windows 8 displays a Lock screen and a Welcome screen whether a computer is part of a homegroup, a workgroup, or a domain. The difference between the Lock screen and the Welcome screen is an important one.
The Lock screen is displayed when no one is logged on or when a session has been locked. In PC Settings, you tap or click Personalize and then tap or click Lock Screen to set related settings. You can select a lock screen picture, choose apps to run in the background, and specify whether and how those apps display quick status and notifications. By default, the Messaging, Calendar, and Mail apps display quick status and notification information. Because those notifications are visible to anyone who can see the locked screen, an administrator can override these settings in Group Policy by enabling Turn Off App Notifications On The Lock Screen in the Administrative Templates policies for Computer Configuration under the System\Logon path.
When you press and hold or click and then drag up on the Lock screen, you see the Welcome screen. In a domain, the name of the last user to log on is displayed by default. You can log on with this account by entering the required password. You can log on as another user as well. On the Welcome screen, note the button to the left of the user picture. This is the Switch User button. Tap or click Switch User, select one of the alternative accounts listed, and then provide the password for that account, or tap or click Other User to enter the user name and password for the account to use.
On the Welcome screen for computers that are part of a homegroup or workgroup, you see a list of accounts on the computer. To log on with one of these accounts, tap or click the account and enter a password if required. Contrary to what many people think, the Welcome screen doesn't display all the accounts that have been created on the computer. Some accounts, such as the built-in Administrator account (which is disabled by default), are hidden from view automatically.
The Welcome screen is convenient, but because it reveals valid account names, it also makes it easier for someone to try to gain access to the computer: whoever is at the keyboard already has half of a logon and only needs to guess the password. Whether in a homegroup, workgroup, or domain, you can hide the accounts and require users to type a logon name. Hiding the user name of the last user to log on improves security by requiring users to know a valid account name for the computer. Hide the user name by enabling Interactive Logon: Do Not Display Last User Name in Group Policy. This Computer Configuration option is under Windows Settings\Security Settings\Local Policies\Security Options.
By default, domain users can’t use PIN passwords but can use picture
passwords. These Administrative Templates policies for Computer
Configuration under the System\Logon path allow you to modify this behavior: Turn On PIN Sign In and Turn Off Picture Password Sign-In.
In a domain environment, you can use Active Directory–based Group
Policy to apply the security configuration you want to a particular set
of computers. You can also configure this setting on a per-computer
basis by using local security policy. To configure local policy for a homegroup or workgroup computer, follow these steps:
- Open Local Group Policy Editor. One way to do this is by pressing the Windows key, typing gpedit.msc, and then pressing Enter.
- In the editor, under Computer Configuration, expand Windows Settings, Security Settings, Local Policies, and then select Security Options (see Figure 4).
- Double-tap or double-click Interactive Logon: Do Not Display Last User Name.
- Select Enabled, and then tap or click OK.
- Next, expand Computer Configuration, Administrative Templates, System, Logon, and then configure related policies as appropriate.
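The same logon settings can be audited and applied from an elevated PowerShell 3.0 prompt on a workgroup computer, which is handy when you have more than a handful of machines to check. The script below is an added example and is not from the book. DontDisplayLastUserName (the Security Options setting) and DisableLockScreenAppNotifications are the registry values those policies write; the AllowDomainPINLogon and BlockDomainPicturePassword names are as I recall them from the Windows 8 templates and should be checked against the templates in your environment. Function and variable names are my own.

```powershell
# Added example (not from the book): audit and apply the Windows 8 logon policies
# discussed above. Run from an elevated PowerShell 3.0 prompt on a workgroup PC.

# Security Options: Interactive logon: Do not display last user name
$SecurityOptionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Administrative Templates, Computer Configuration, System\Logon
$LogonPolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Target state. 1 = Enabled. The last two value names are assumed from the
# Windows 8 templates; set them to your organization's choice:
#   AllowDomainPINLogon 1       = Turn On PIN Sign In
#   BlockDomainPicturePassword 1 = Turn Off Picture Password Sign-In
$DesiredLogonPolicy = @(
    @{ Key = $SecurityOptionsKey; Name = 'DontDisplayLastUserName';           Value = 1 }
    @{ Key = $LogonPolicyKey;     Name = 'DisableLockScreenAppNotifications'; Value = 1 }
    @{ Key = $LogonPolicyKey;     Name = 'AllowDomainPINLogon';               Value = 0 }
    @{ Key = $LogonPolicyKey;     Name = 'BlockDomainPicturePassword';        Value = 1 }
)

function Get-LogonPolicyState {
    # Report each setting, its current value, and whether it matches the target.
    # A missing value is the "Not Configured" state, which behaves like 0 here.
    foreach ($p in $DesiredLogonPolicy) {
        $current = $null
        if (Test-Path $p.Key) {
            $current = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        $effective = if ($null -eq $current) { 0 } else { [int]$current }
        [pscustomobject]@{
            Setting   = $p.Name
            Current   = if ($null -eq $current) { 'not configured' } else { $current }
            Desired   = $p.Value
            Compliant = ($effective -eq $p.Value)
        }
    }
}

function Set-LogonPolicyState {
    # Apply the target values, creating the policy keys if they do not exist yet.
    foreach ($p in $DesiredLogonPolicy) {
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Value -Type DWord
    }
}

function Test-LastUserNameHidden {
    # Cross-check the Security Options setting the way a security template sees it:
    # export local security policy with secedit and look for the value line.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $line = Select-String -Path $inf -Pattern 'DontDisplayLastUserName' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    # Expected line: MACHINE\...\Policies\System\DontDisplayLastUserName=4,1
    # where 4 = REG_DWORD and 1 = Enabled.
    return ($null -ne $line -and $line.Line -match '=4,1\s*$')
}

Get-LogonPolicyState | Format-Table -AutoSize
# Uncomment to enforce, then re-run the audit and the secedit cross-check:
# Set-LogonPolicyState
# Test-LastUserNameHidden
```

The audit is deliberately separate from the enforcement step so it can be run read-only first; the secedit export confirms that the Security Options value landed where Local Security Policy reads it rather than only in the registry path the script wrote.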
8. Removing Accounts and Denying Local Access to Workstations
Domain administrators are automatically granted access to local
resources on workstations. Other users aren’t granted access to local
resources on workstations other than to the computers to which they are
permitted to log on. As workstations are moved around an organization,
you might find that previous owners of a workstation still have access
to its resources or that users who were granted temporary access to a
workstation were never removed from the access list.
In a domain, you can control the workstations to which users can log
on by using the account properties in Active Directory Users And
Computers. Double-tap or double-click the account to display the
Properties dialog box. On the Account tab, tap or click Log On To.
In a homegroup or workgroup, you can remove a user’s local account and effectively deny logon by completing these steps:
- Log on as a user with local administrator privileges. In Control Panel, under the User Accounts heading, tap or click Change Account Type. This displays the Manage Accounts page.
- Tap or click the account you want to remove.
- Tap or click Delete The Account.
- Before deleting the account, you have the opportunity to save the contents of the user's desktop and documents folders to a folder on the current user's desktop. To save the user's desktop and documents, tap or click Keep Files. To delete the files, tap or click Delete Files.
- Confirm the account deletion by tapping or clicking Delete Account.
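The same removal, including the Keep Files behavior, can be scripted on Windows 8 from an elevated PowerShell 3.0 prompt. Windows 8 has no Remove-LocalUser cmdlet, so the added example below (my code, not the book's) uses the ADSI WinNT provider to delete the account and the Win32_UserProfile WMI class to find and remove the profile. It also offers a DisableOnly switch as the reversible alternative the GUI does not present. Function and parameter names are my own, and 'tempuser' in the usage lines is a placeholder account name.

```powershell
# Added example (not from the book): delete or disable a local account on a
# Windows 8 workgroup PC, preserving Desktop and Documents like the Keep Files
# option. Run from an elevated PowerShell 3.0 prompt.

function Remove-LocalAccountSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $UserName,
        [switch] $KeepFiles,      # copy Desktop and Documents before deleting
        [switch] $DisableOnly     # deny logon but keep the account and its SID
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated prompt as a local administrator.'
    }
    if ($identity.Name -ieq "$env:COMPUTERNAME\$UserName") {
        throw 'Refusing to remove the account you are currently logged on with.'
    }

    $adsPath = "WinNT://$env:COMPUTERNAME/$UserName,user"
    if (-not [ADSI]::Exists($adsPath)) { throw "No local account named '$UserName'." }
    $user = [ADSI]$adsPath

    if ($DisableOnly) {
        # Reversible alternative: the account keeps its SID, so its permissions
        # and encrypted files remain usable if it is re-enabled later.
        if ($PSCmdlet.ShouldProcess($UserName, 'Disable local account')) {
            $user.InvokeSet('AccountDisabled', $true)
            $user.SetInfo()
        }
        return
    }

    # Resolve the SID now; once the account is gone the name cannot be translated.
    $account = New-Object Security.Principal.NTAccount($env:COMPUTERNAME, $UserName)
    $sid = $account.Translate([Security.Principal.SecurityIdentifier]).Value
    $userProfile = Get-WmiObject Win32_UserProfile -Filter "SID='$sid'"

    if ($userProfile -and $userProfile.Loaded) {
        throw "$UserName is still logged on; log the user off before deleting."
    }

    if ($KeepFiles -and $userProfile) {
        # The same two folders Keep Files saves, placed on the current user's desktop.
        $dest = Join-Path ([Environment]::GetFolderPath('Desktop')) $UserName
        foreach ($folder in 'Desktop', 'Documents') {
            $src = Join-Path $userProfile.LocalPath $folder
            if (Test-Path $src) {
                $target = Join-Path $dest $folder
                New-Item -ItemType Directory -Path $target -Force | Out-Null
                Copy-Item -Path "$src\*" -Destination $target -Recurse -Force
            }
        }
    }

    if ($PSCmdlet.ShouldProcess($UserName, 'Delete local account and profile')) {
        ([ADSI]"WinNT://$env:COMPUTERNAME").Delete('user', $UserName)
        # Removes the profile folder and its ProfileList registry entry.
        if ($userProfile) { $userProfile.Delete() }
    }
}

# Usage: preview with -WhatIf, then run for real.
# Remove-LocalAccountSafely -UserName 'tempuser' -KeepFiles -WhatIf
# Remove-LocalAccountSafely -UserName 'tempuser' -KeepFiles
# Remove-LocalAccountSafely -UserName 'tempuser' -DisableOnly
```

Two checks in the script matter in practice: it refuses to delete an account whose profile is still loaded, because a deleted account with a live session is an unclean state, and it refuses to delete the account you are running as. Files the user encrypted with EFS are copied but remain unreadable once the account's key is gone, which is the reason the chapter opened by recommending recovery over removal.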
Keep in mind that deleting a local account is permanent: its security identifier is discarded, so re-creating an account with the same name does not restore its group memberships or permissions. Also, in a domain, unless further restrictions are in place with regard to logging on to a workstation (the Log On To workstation list on the domain account, or the Deny Log On Locally user right assigned on the workstation), a user might still be able to gain access to the workstation by logging on with a domain account.