Adding and Removing Local Group Members
You use Local Users And Groups to add or remove local group members. Complete the following steps:
- Expand Local Users And Groups in Computer Management, and then select the Groups folder in the left pane. Double-tap or double-click the group with which you want to work.
- Tap or click Add to add user accounts to the group. This opens the Select Users dialog box. In the Select Users dialog box, type the name of a user you want to use in the Enter The Object Names To Select text box, and then tap or click Check Names. If matches are found, select the account you want to use, and then tap or click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary, and then tap or click OK.
- Use the Remove button to remove user accounts from the group. Simply select the user account you want to remove from the group, and then tap or click Remove.
- Tap or click OK when you have finished.
You can access Group Policy and use a preference item to add or remove members from a local group by completing the following steps:
- Open a Group Policy Object for editing in the Group Policy Management Editor. To configure preferences for computers, expand Computer Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups. To configure preferences for users, expand User Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups.
- Press and hold or right-click the Local Users And Groups node, point to New, and then select Local Group. This opens the New Local Group Properties dialog box.
- In the Action list, select Update to update the group’s settings, or select Replace to delete the group and then re-create it exactly as you specify. If you update a group, you can enter a new name in the Rename To box.
- Specify whether the current user should be added or removed as a member of the group, or select Do Not Configure For The Current User.
- Specify whether all existing member users, all existing member groups, or both should be deleted.
- To add or remove group members, tap or click Add. In the Local Group Member dialog box, in the Action list, select Add To This Group if you are adding a member, or select Remove From This Group if you are removing a member. Next, tap or click the browse button (the one with the three dots). Use the Select User, Computer, Or Group dialog box to select a user or group to add to the local group, and then tap or click OK twice. Repeat this step as necessary.
- Use the options on the Common tab to control how the preference is applied, and then tap or click OK. The next time policy is refreshed, the preference item will be applied as appropriate for the Group Policy Object in which you defined the preference item.
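A scripted membership check to complement the procedures above (added example, not from the original text): it reads a local group's members through the ADSI WinNT provider and reports drift against an approved list. The function names and the approved list are hypothetical placeholders.

```powershell
# Added example: read-only drift check for a local group's membership.
function Get-LocalGroupMemberName {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # ADsPath is WinNT://<domain>/<computer>/<name> for local accounts
        # and WinNT://<domain>/<name> for domain principals.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # Keep the last two segments so local and domain accounts that share
        # a name stay distinct (for example PC01\Administrator vs EXAMPLE\Administrator).
        ($path -split '/')[-2..-1] -join '\'
    }
}

function Compare-LocalGroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string[]]$Approved = @()
    )
    $actual = @(Get-LocalGroupMemberName -GroupName $GroupName)
    New-Object psobject -Property @{
        Group      = $GroupName
        # Members present on the computer but absent from the approved list
        Unexpected = @($actual | Where-Object { $Approved -notcontains $_ })
        # Approved members that are not currently in the group
        Missing    = @($Approved | Where-Object { $actual -notcontains $_ })
    }
}

# Constructed approved list; replace with the principals your baseline allows.
$approved = @("$env:COMPUTERNAME\Administrator", 'EXAMPLE\Workstation Admins')
Compare-LocalGroupMembership -GroupName 'Administrators' -Approved $approved |
    Format-List Group, Unexpected, Missing
```

Entries reported as Unexpected are candidates for the Remove button or a Remove From This Group preference item.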
Enabling or Disabling Local User Accounts
Local user accounts can become disabled for several reasons. If a
user forgets a password and tries to guess it, he might exceed the
account policy for bad logon attempts. Another administrator could have
disabled the account while a user was on vacation. When an account is
disabled or locked out, you can enable it by using the methods
described here.
When an account is disabled, you can enable it on a local computer by completing the following steps:
- Expand Local Users And Groups in Computer Management, and then select the Users folder in the left pane.
- In the right pane, double-tap or double-click the user’s account name, and then clear the Account Is Disabled check box.
- Tap or click OK.
When an account is locked out, you can enable it on a local computer by completing the following steps:
- In Local Users And Groups, select the Users folder in the left pane.
- In the right pane, double-tap or double-click the user’s account name, and then clear the Account Is Locked Out check box.
- Tap or click OK.
You can enable or disable accounts and set other account options through policy preferences by completing the following steps:
- Open a Group Policy Object for editing in the Group Policy Management Editor. To configure preferences for computers, expand Computer Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups. To configure preferences for users, expand User Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups.
- In the right pane, double-tap or double-click the user’s account name to open the related Properties dialog box.
- Select Update in the Action list. Make any necessary changes, and then tap or click OK. The next time policy is refreshed, the preference item will be applied as appropriate for the Group Policy Object in which you defined the preference item.
Creating a Secure Guest Account
In some environments, you might need to set up a Guest account that
can be used by visitors. Most of the time, you’ll want to configure the
Guest account on a specific computer or computers and carefully control
how the account can be used. To create a secure Guest account, I
recommend that you perform the following tasks:
- Enable the Guest account for use
  By default, the Guest account is disabled, so you must enable it to make it available. To do this, access Local Users And Groups in Computer Management, and then select the Users folder. Double-tap or double-click Guest, and then clear the Account Is Disabled check box. Tap or click OK.
- Set a secure password for the Guest account
  By default, the Guest account has a blank password. To improve security on the computer, you should set a password for the account. In Local Users And Groups/Select Users, press and hold or right-click Guest, and then select Set Password. Tap or click Proceed at the warning prompt. Type the new password and then confirm it. Tap or click OK twice.
- Ensure that the Guest account cannot be used over the network
  The Guest account shouldn’t be accessible from other computers. If it is, users at another computer could log on over the network as a guest. To prevent this, start the Local Security Policy tool from the Tools menu in Server Manager, or type secpol.msc at a prompt. Then, under Local Policies\User Rights Assignment, check that the Deny Access To This Computer From The Network policy lists Guest as a restricted account.
- Prevent the Guest account from shutting down the computer
  When a computer is shutting down or starting up, it is possible that a guest user (or anyone with local access) could gain unauthorized access to the computer. To help deter this, you should be sure that the Guest account doesn’t have the Shut Down The System user right. In the Local Security Policy tool, expand Local Policies\User Rights Assignment, and ensure that the Shut Down The System policy doesn’t list the Guest account.
- Prevent the Guest account from viewing event logs
  To help maintain the security of the system, the Guest account shouldn’t be allowed to view the event logs. To be sure this is the case, start Registry Editor by typing regedit at a command prompt, and then access the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog key. Here, among others, you’ll find three important subkeys: Application, Security, and System. Make sure each of these subkeys has a DWORD value named RestrictGuestAccess, with a value of 1.
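A read-only audit of the last three tasks above (added example, not from the original text): it exports the user rights with secedit and reads the Eventlog registry values. The function names and the scratch file name are illustrative, and the check covers only direct listings of Guest or the Guests group, not nested group membership.

```powershell
# Added example: read-only audit of the Guest hardening steps above.
# Run elevated; secedit /export requires administrator rights.
function Get-GuestIdentity {
    # The built-in Guest account always has RID 501, even after a rename.
    $g = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    # Names and SIDs that can stand for Guest in a secedit export
    # (S-1-5-32-546 is the built-in Guests group).
    @($g.Name, $g.SID, 'Guests', 'S-1-5-32-546')
}

function Get-UserRight {
    param([string]$CfgPath, [string]$Right)
    # Export lines look like: SeShutdownPrivilege = *S-1-5-32-544,Guest
    $line = Get-Content $CfgPath | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

function Test-GuestHardening {
    $results = @()
    $cfg = Join-Path $env:TEMP 'guest-audit-rights.inf'   # arbitrary scratch file
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $guest = Get-GuestIdentity

    $deny = Get-UserRight $cfg 'SeDenyNetworkLogonRight'
    $results += New-Object psobject -Property @{
        Check = 'Deny Access To This Computer From The Network lists Guest'
        Pass  = [bool]($deny | Where-Object { $guest -contains $_ })
    }
    $shut = Get-UserRight $cfg 'SeShutdownPrivilege'
    $results += New-Object psobject -Property @{
        Check = 'Shut Down The System does not list Guest'
        Pass  = -not [bool]($shut | Where-Object { $guest -contains $_ })
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
    foreach ($log in 'Application', 'Security', 'System') {
        # A missing value yields $null, which fails the check
        $v = (Get-ItemProperty "$base\$log" -Name RestrictGuestAccess -ErrorAction SilentlyContinue).RestrictGuestAccess
        $results += New-Object psobject -Property @{
            Check = "Eventlog\$log RestrictGuestAccess = 1"
            Pass  = ($v -eq 1)
        }
    }
    $results
}

Test-GuestHardening | Format-Table Check, Pass -AutoSize
```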
Renaming Local User Accounts and Groups
When you rename an account, you give it a new label. Because the SID
for the account remains the same, the permissions and properties
associated with the account don’t change. To rename an account while
you are accessing a local computer, complete the following steps:
- In Local Users And Groups, select the Users or Groups folder, as appropriate.
- Press and hold or right-click the account name, and then tap or click Rename. Type the new account name, and then tap or click a different entry.
To rename an account using Group Policy, complete the following steps:
- Open a Group Policy Object for editing in the Group Policy Management Editor. To configure preferences for computers, expand Computer Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups. To configure preferences for users, expand User Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups.
- Do one of the following:
  - If a preference item already exists for the user or group, double-tap or double-click the user or group name to open the related Properties dialog box. Select Update in the Action list. In the Rename To box, type the new account name, and then tap or click OK.
  - If a preference item doesn’t already exist for the user or group, you need to create one using the techniques discussed previously. Because you want to rename the user or group, select Update in the Action list, and then type the new account name in the Rename To box.
Deleting Local User Accounts and Groups
Deleting an account permanently removes it. Once you delete an
account, if you create another account with the same name, you can’t
automatically get the same permissions because the SID for the new
account won’t match the SID for the account you deleted.
Because deleting built-in accounts can have far-reaching effects on
the workstation, Windows 8 doesn’t let you delete built-in user
accounts or group accounts. In Local
Users And Groups, you can remove other types of accounts by selecting
them and pressing the Delete key or by pressing and holding or
right-clicking and then tapping or clicking Delete. When prompted, tap
or click Yes.
Note
When you delete a user account using Local Users And Groups, Windows
8 doesn’t delete the user’s profile, personal files, or home directory.
If you want to delete these files and directories, you have to do it
manually.
To delete an account using Group Policy, complete the following steps:
- Open a Group Policy Object for editing in the Group Policy Management Editor. To configure preferences for computers, expand Computer Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups. To configure preferences for users, expand User Configuration\Preferences\Control Panel Settings, and then select Local Users And Groups.
- Do one of the following:
  - If a preference item already exists for the user or group, double-tap or double-click the user or group name to open the related Properties dialog box. Select Delete in the Action list. On the Common tab, set the appropriate options, such as Apply Once And Do Not Reapply, and then tap or click OK.
  - If a preference item doesn’t already exist for the user or group, you need to create one for the user or group using the techniques discussed previously. Be sure to select Delete in the Action list, and then select the appropriate options on the Common tab.