4. Usernames and Security Identifiers
When you create a new user, a security identifier (SID)
is automatically created on the computer for the user account. The
username is a property of the SID. For example, a user SID might look
like this:
S-1-5-21-823518204-746137067-120266629-500
It's apparent that
using SIDs for user identification would make administration a
nightmare. Fortunately, for your administrative tasks, you see and use
the username instead of the SID.
SIDs have several advantages.
Because Windows 7 uses the SID as the user object, you can easily rename
a user while still retaining all the user's properties. The reason for
this is that all security settings get associated with the SID and not
the user account.
SIDs also ensure that if you
delete and re-create a user account with the same username, the new user
account will not have any of the properties of the old account because
it is based on a new, unique SID. Every time you create a new user, a
unique SID gets associated. Even if the username is the same as a
previously deleted account, the system still sees the username as a new
user.
Because every user account gets a
unique SID number, it is a good practice to disable instead of delete
accounts for users that leave the company or have an extended absence.
If you ever need to access the disabled account again, you have the
ability.
When you create a new user, there are many options that you have to configure. Table 2 describes all the options available in the New User dialog box.
Table 2. User account options available in the New User dialog box
Option | Description
--- | ---
User Name | Defines the username for the new account. Choose a name that is consistent with your naming convention (e.g., WPanek). This is the only required field. Usernames are not case sensitive.
Full Name | Allows you to provide more detailed name information. This is typically the user's first and last names (e.g., Will Panek). By default, this field contains the same name as the User Name field.
Description | Typically used to specify a title and/or location (e.g., Sales-Nashville) for the account, but it can be used to provide any additional information about the user.
Password | Assigns the initial password for the user. For security purposes, avoid using readily available information about the user. Passwords are case sensitive.
Confirm Password | Confirms that you typed the password the same way two times to verify that you entered the password correctly.
User Must Change Password At Next Logon | If enabled, forces the user to change the password the first time they log on. This is done to increase security. By default, this option is selected.
User Cannot Change Password | If enabled, prevents a user from changing their password. It is useful for accounts such as Guest and accounts that are shared by more than one user. By default, this option is not selected.
Password Never Expires | If enabled, specifies that the password will never expire, even if a password policy has been specified. For example, you might enable this option if this is a service account and you do not want the administrative overhead of managing password changes. By default, this option is not selected.
Account Is Disabled | If enabled, specifies that this account cannot be used for logon purposes. For example, you might select this option for template accounts or if an account is not currently being used. It helps keep inactive accounts from posing security threats. By default, this option is not selected.
Complete Exercise 3
to create a new local user account. Before you complete the following
steps, make sure you are logged on as a user with permissions to create
new users and have already added the Local Users And Groups snap-in to
the MMC.
1. Open the Admin Console MMC Desktop shortcut that was created in a previous exercise and expand the Local Users And Groups snap-in. If a dialog box appears, click Yes.
2. Highlight the Users folder and select Action => New User. The New User dialog box appears.
3. In the User Name text box, type CPanek. In the Full Name text box, type Crystal Panek. In the Description text box, type Operations Manager.
4. Leave the Password and Confirm Password text boxes empty and accept the defaults for the check boxes. Make sure you uncheck the User Must Change Password At Next Logon option.
5. Click the Create button to add the user.
6. Use the New User dialog box to create six more users, filling out the fields as follows:
   - Name: WPanek; Full Name: Will Panek; Description: IT Admin; Password: (blank)
   - Name: JDoe; Full Name: John Doe; Description: Cisco Admin; Password: (blank)
   - Name: GWashington; Full Name: George Washington; Description: President; Password: P@sswOrD
   - Name: JAdams; Full Name: John Adams; Description: Vice President; Password: v!$t@
   - Name: BFranklin; Full Name: Ben Franklin; Description: NH Sales Manager; Password: P3@ch (with an uppercase P)
   - Name: ALincoln; Full Name: Abe Lincoln; Description: Tech Support; Password: Bearded! (uppercase B)
7. After you've finished creating all of the users, click the Close button to exit the New User dialog box.
NOTE
You can also create users through the command-line utility NET USER. For more information about this command, type NET USER /? at a command prompt.
As I stated earlier, it's
good practice to disable accounts for users who leave the company. Let's
take a look at the process of disabling accounts.
5. Disabling User Accounts
When a user account is no longer
needed, the account should be disabled or deleted. After you've
disabled an account, you can later enable it again to restore it with
all of its associated user properties. An account that is deleted,
however, can never be recovered.
You might disable an account
because a user will not be using it for a period of time, perhaps
because that employee is going on vacation or taking a leave of absence.
Another reason to disable an account is that you're planning to put
another user in that same function.
For example, suppose
that Gary, the engineering manager, quits. If you disable his account,
when your company hires a new engineering manager, you can simply rename
Gary's user account (to the username for the new manager) and enable
it. This ensures that the user who takes over Gary's position will have
all the same user properties and own all the same resources.
Disabling accounts also
provides a security mechanism for special situations. For example, if
your company were laying off a group of people, as a security measure,
you could disable their accounts at the same time the layoff notices
were given out. This prevents those users from inflicting any damage to
the company's files after they receive their layoff notice.
In Exercise 4, you will disable a user account. Before you complete the following steps, you should have already created the new users in Exercise 3.
1. Open the Admin Console MMC Desktop shortcut and expand the Local Users And Groups snap-in.
2. Open the Users folder.
3. Double-click user WPanek to open his Properties dialog box.
4. In the General tab, check the Account Is Disabled box. Click OK.
5. Close the Local Users And Groups MMC.
6. Log off and attempt to log on as WPanek. This should fail because the account is now disabled.
7. Log back on using your user account.
NOTE
You can also access a user's properties by highlighting the user, right-clicking, and selecting Properties.
When a user has been gone from the company for a long time and you know you no longer need the user account, you can delete it. Let's take a look at how to delete user accounts.
6. Deleting User Accounts
As noted in the
preceding section, you should disable a user account if you are not sure
whether the account will ever be needed again. But if the account has
been disabled and you know that the user account will never need access
to it again, you should delete the account.
To delete a user, open the
Local Users And Groups utility, highlight the user account you wish to
delete, and click Action to bring up the menu shown in Figure 3. Then select Delete. You can also delete an account by clicking on the account and pressing the Delete key on the keyboard.
Because deleting an account is a permanent action, you will see the dialog box shown in Figure 4,
asking you to confirm that you really wish to delete the account. After
you click the Yes button here, you will not be able to re-create or
re-access the account (unless you restore your local user accounts
database from a backup).
Complete Exercise 5 to delete a user account.
1. Open the Admin Console MMC Desktop shortcut and expand the Local Users And Groups snap-in.
2. Expand the Users folder and single-click on user JAdams to select his user account.
3. Select Action => Delete. The dialog box for confirming user deletion appears.
4. Click the Yes button to confirm that you wish to delete this user.
5. Close the Local Users And Groups MMC.
Now that you have disabled and deleted accounts, let's take a look at how to rename a user's account.
7. Renaming User Accounts
Once an account has been created,
you can rename it at any time. Renaming a user account allows the user
to retain all the associated user properties of the previous username.
You might want to rename a
user account because the user's name has changed (for example, the user
got married) or because the name was spelled incorrectly. Also, as
explained in the section "Disabling User Accounts,"
you can rename an existing user's account for a new user, such as
someone hired to take an ex-employee's position, when you want the new
user to have the same properties.
Complete Exercise 6 to rename a user account.
1. Open the Admin Console MMC Desktop shortcut and expand the Local Users And Groups snap-in.
2. Open the Users folder and highlight user ALincoln. Type the username RReagan and press Enter. Notice that the Full Name field retained the original property of Abe Lincoln in the Local Users And Groups utility.
3. Double-click RReagan to open the properties and change the user's full name to Ronald Reagan.
4. Click the User Must Change Password At Next Logon check box.
5. Close the Local Users And Groups MMC.
NOTE
Renaming a user does not
change any "hard-coded" names, such as the name of the user's home
folder. If you want to change these names as well, you need to modify
them manually—for example, through Windows Explorer.
Another very common task that we must deal with is resetting the user's password. Let's take a look at how to do that.
8. Changing a User's Password
What should you do if a user
forgets their password and can't log on? You can't just open a dialog
box and see the old password. However, as the administrator, you can
change the user's password, and then they can use the new one.
It is very important as IT
managers and IT administrators that we teach our users proper security
measures that go along with password protection. As you have all
probably seen before, the users that tape their password to their
monitors or under the keyboards are not using correct security.
It's our job as IT
professionals to teach our users proper security, and it always amazes
me when I do consulting on how many IT departments don't teach their
users properly.
Complete Exercise 7 to change a user's password.
1. Open the Admin Console MMC Desktop shortcut and expand the Local Users And Groups snap-in.
2. Open the Users folder and highlight user CPanek.
3. Select Action => Set Password. The Set Password dialog box appears.
4. A warning appears indicating the risks involved in changing the password. Select Proceed.
5. Type the new password and then confirm the password. Click OK.
6. Close the Local Users And Groups MMC.
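As an added example that is not part of the chapter, the following PowerShell script performs the tasks of Exercises 3 through 6 (create, rename, disable, delete) from the command line and checks the two SID behaviours described in section 4: a renamed account keeps its SID, while a deleted and re-created account gets a new one. It assumes an elevated PowerShell 2.0 prompt on Windows 7 and uses the ADSI WinNT provider; the helper function names are ones written for this example, not names from the chapter.

```powershell
# Added example (not from the chapter): local-account tasks scripted with the ADSI WinNT
# provider and .NET SID lookups that ship with Windows 7 / PowerShell 2.0. Run elevated.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$ADS_UF_ACCOUNTDISABLE = 0x2     # UserFlags bit behind the Account Is Disabled check box

function Get-LocalUserSid([string]$Name) {
    # Resolve a username to its SID the way the system does; throws if no such account exists.
    $acct = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-LocalUserAccount([string]$Name, [string]$FullName, [string]$Description, [string]$Password) {
    $u = $computer.Create("user", $Name)
    $u.SetPassword($Password)          # Password / Confirm Password fields
    $u.SetInfo()                       # the SID is allocated when the object is committed
    $u.Put("FullName", $FullName)
    $u.Put("Description", $Description)
    $u.Put("PasswordExpired", 1)       # User Must Change Password At Next Logon
    $u.SetInfo()
}

function Set-LocalUserDisabled([string]$Name, [bool]$Disabled) {
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $flags = [int]$u.UserFlags.Value
    if ($Disabled) { $flags = $flags -bor $ADS_UF_ACCOUNTDISABLE }
    else           { $flags = $flags -band (-bnot $ADS_UF_ACCOUNTDISABLE) }
    $u.Put("UserFlags", $flags)
    $u.SetInfo()                       # SID and properties are kept, so the account can be re-enabled
}

function Rename-LocalUserAccount([string]$Name, [string]$NewName) {
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $u.psbase.Rename($NewName)         # same object, same SID, so existing permissions still apply
}

# Exercise 3 accounts; single quotes keep PowerShell from expanding $t in the password.
New-LocalUserAccount "JAdams"   "John Adams"  "Vice President" 'v!$t@'
New-LocalUserAccount "ALincoln" "Abe Lincoln" "Tech Support"   'Bearded!'
# Exercise 6: renaming does not change the SID.
$before = Get-LocalUserSid "ALincoln"
Rename-LocalUserAccount "ALincoln" "RReagan"
"Rename kept the SID: " + ($before -eq (Get-LocalUserSid "RReagan"))
# Exercise 4: disable rather than delete when the account may be needed again.
Set-LocalUserDisabled "RReagan" $true
# Exercise 5: deletion is permanent; re-creating the same name yields a brand-new SID.
$old = Get-LocalUserSid "JAdams"
$computer.Delete("user", "JAdams")
New-LocalUserAccount "JAdams" "John Adams" "Vice President" 'v!$t@'
"Re-created account got a new SID: " + ($old -ne (Get-LocalUserSid "JAdams"))
```

Permissions granted to the deleted JAdams remain in ACLs as an unresolvable SID rather than transferring to the re-created account, which is the practical reason the chapter recommends disabling over deleting.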
Now that you have seen how to
create users in Windows 7, let's take a look at how to configure and
manage your users' properties.