Local user accounts and groups are managed much
like domain accounts. You can create accounts, manage their properties,
reset accounts when they are locked or disabled, and so on. These and
other tasks are examined in this section.
Creating Local User Accounts Using Local Users and Groups
In
addition to being able to create local user accounts with Control
Panel, you can create local user accounts with Local Users And Groups.
You can access this utility and create an account by completing the
following steps:
-
Click Start, All Programs, Administrative Tools,
Computer Management. Alternatively, access Control Panel, click System
And Maintenance, click Administrative Tools, and finally double-click
Computer Management.
-
Right-click the Computer Management entry in the
console tree and select Connect To Another Computer on the shortcut
menu. You can now select the Windows Vista workstation whose local
accounts you want to manage; domain controllers do not have local users
or groups.
-
Expand the System Tools node by clicking the plus sign (+) next to it. Then select Local Users And Groups.
-
Right-click Users and then select New User. This opens the New User dialog box, shown in Figure 1. The fields in the dialog box are used as follows:
-
User Name The logon name for the user account. This name should follow the conventions of your local user name policy. Windows limits a local user name to 20 characters and rejects the characters " / \ [ ] : ; | = , + * ? < >.
-
Full Name The full name of the user, such as William R. Stanek.
-
Description A description of the user. Normally you'd type the user's job title, such as Webmaster. You could also type the user's job title and department.
-
Password The password for the account. This password should follow the conventions of your password policy.
-
Confirm Password A field to ensure that you assign the account password correctly. Simply retype the password to confirm it.
-
User Must Change Password At Next Logon If this check box is selected, the user must change the password upon logon. Selecting it makes the next two check boxes unavailable.
-
User Cannot Change Password If this check box is selected, the user can't change the password.
-
Password Never Expires If this check box is selected, the password for this account never expires. This setting overrides the maximum password age in the local account policy, so reserve it for accounts that cannot respond to a change prompt, such as service accounts.
-
Account Is Disabled If this check box is selected, the account is disabled and can't be used. Use this field to temporarily prevent anyone from using an account, for example one created before its owner starts work.
Figure 1: Configure new workstation accounts using the New User dialog box in Local Users And Groups.
-
Click Create when you're finished configuring the new account.
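The same account can be created without the dialog box. The following script is an added example, not text from the original chapter; it uses the ADSI WinNT provider from an elevated PowerShell prompt and maps each check box to the userFlags bit or property behind it. The computer name, user name, full name and description are assumptions chosen for illustration.

```powershell
# Added example (not from the original text): create a local user with the same
# options the New User dialog box offers, via the ADSI WinNT provider.
# Assumed values: the local computer, user 'wstanek', the full name and description.
$computer = $env:COMPUTERNAME      # a remote workstation name also works here
$userName = 'wstanek'

# userFlags bits (ADS_USER_FLAG_ENUM) behind three of the check boxes
$ADS_UF_ACCOUNTDISABLE     = 0x00002   # Account Is Disabled
$ADS_UF_PASSWD_CANT_CHANGE = 0x00040   # User Cannot Change Password
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # Password Never Expires

# Prompt for the password instead of embedding it in the script; SetPassword
# needs plain text, so convert the SecureString only for the moment it is used.
$secure = Read-Host -AsSecureString "Password for $userName"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$sam  = [ADSI]"WinNT://$computer"
$user = $sam.Create('user', $userName)
$user.SetPassword($plain)
$user.SetInfo()                    # the object must exist before other attributes can be set
$plain = $null

$user.Put('FullName',    'William R. Stanek')
$user.Put('Description', 'Webmaster')

# User Must Change Password At Next Logon. The dialog box greys out the other
# two password check boxes when this one is selected, so only this is set here;
# the commented lines show how each of the others would be applied.
$user.Put('PasswordExpired', 1)
$flags = $user.Get('userFlags')
# $flags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE   # User Cannot Change Password
# $flags = $flags -bor $ADS_UF_DONT_EXPIRE_PASSWD   # Password Never Expires
# $flags = $flags -bor $ADS_UF_ACCOUNTDISABLE       # Account Is Disabled
$user.Put('userFlags', $flags)
$user.SetInfo()

# Read the account back and show what was actually written.
$check = [ADSI]"WinNT://$computer/$userName,user"
'{0}: userFlags=0x{1:X} mustChangePassword={2}' -f $userName, $check.Get('userFlags'), $check.Get('PasswordExpired')
```

Reading the flags back is the check worth keeping: the dialog box and the script both write the same bits, so an audit of userFlags across all local accounts will show which ones carry Password Never Expires or Account Is Disabled regardless of which tool set them.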
Creating Local Groups for Workstations
You create local groups with Local Users And
Groups. You can access this utility and create a group by completing
the following steps:
-
Click Start, All Programs, Administrative Tools,
Computer Management. Alternatively, access Control Panel, click System
And Maintenance, click Administrative Tools, and finally double-click
Computer Management.
-
Right-click the Computer Management entry in the
console tree and select Connect To Another Computer. You can now select
the computer whose local accounts you want to manage. Domain
controllers don't have local users and groups.
-
Expand the System Tools node by clicking the plus sign (+) next to it. Then select Local Users And Groups.
-
Right-click Groups and then select New Group. This opens the New Group dialog box, shown in Figure 2.
Figure 2: The New Group dialog box enables you to add a new local group to a Windows Vista workstation.
-
After you type a name and description for the
group, use the Add button to add names to the group. This opens the
Select Users dialog box.
-
In the Select Users dialog box, click Locations
to select the computer or domain in which the users you want to work
with are located.
-
Type the name of a user you want to use in the
Enter The Object Names To Select field and then click Check Names. If
matches are found, select the account you want to use and then click
OK. If no matches are found, update the name you entered and try
searching again. Repeat this step as necessary and click OK when
finished.
-
The New Group dialog box is updated to reflect
your selections. If you made a mistake, select a name and remove it by
clicking Remove.
-
Click Create when you're finished adding or removing group members.
Adding and Removing Local Group Members
You use Local Users And Groups to add or remove local group members. Complete the following steps:
-
Access Local Users And Groups in Computer
Management and then select the Groups folder. Double-click the group
with which you want to work.
-
Use the Add button to add user accounts to the
group. This opens the Select Users dialog box. In the Select Users
dialog box, type the name of a user you want
to use in the Enter The Object Names To Select field and then click
Check Names. If matches are found, select the account you want to use
and then click OK. If no matches are found, update the name you entered
and try searching again. Repeat this step as necessary and click OK
when finished.
-
Use the Remove button to remove user accounts
from the group. Simply select the user account you want to remove from
the group and then click Remove.
-
Click OK when you are finished.
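The group procedure and the membership procedure above are the same operations scripted below. This is an added example, not code from the original chapter; it uses the ADSI WinNT provider. The group name, description and member names (a local user, and a commented-out domain user in an assumed CONTOSO domain) are assumptions.

```powershell
# Added example (not from the original text): create a local group, then add,
# list and remove members with the ADSI WinNT provider.
# Assumed values: the local computer, group 'WebAdmins', user 'wstanek', domain CONTOSO.
$computer  = $env:COMPUTERNAME
$groupName = 'WebAdmins'
$sam = [ADSI]"WinNT://$computer"

# The New Group dialog box's name and description fields.
$group = $sam.Create('group', $groupName)
$group.Put('Description', 'Maintains the intranet web server')
$group.SetInfo()

# Members are added by ADsPath. The "Locations" choice in the Select Users
# dialog box is simply the first path component: the computer for a local
# account, the domain for a domain account.
$group = [ADSI]"WinNT://$computer/$groupName,group"
$group.Add("WinNT://$computer/wstanek,user")
# $group.Add("WinNT://CONTOSO/jdoe,user")      # domain account (assumed domain name)

function Get-LocalGroupMember([string]$name) {
    # Members() returns an IADsMembers collection of COM objects; read each ADsPath
    # through reflection because the objects have no type information PowerShell can use.
    $g = [ADSI]"WinNT://$computer/$name,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

"Members of $groupName after Add:"
Get-LocalGroupMember $groupName

# Removing uses the same ADsPath that added the member.
$group.Remove("WinNT://$computer/wstanek,user")
"Members of $groupName after Remove:"
Get-LocalGroupMember $groupName
```

Listing members by ADsPath rather than by display name is deliberate: two accounts can share a name across the local SAM and a domain, and the path tells you which one actually holds the membership.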
Enabling Local User Accounts
Local user accounts can stop working for two different reasons, and each has its own fix. An account is locked out when the bad-logon threshold in the account lockout policy is exceeded, typically because a user forgot the password and kept guessing; if the policy sets a lockout duration, the lock clears on its own after that time, otherwise it stays until an administrator unlocks it. An account is disabled only when someone disables it, for example another administrator while the user was on vacation, and it stays disabled until someone clears the flag. Check which condition applies before acting: a lockout that keeps recurring on an account nobody is using can mean that someone else is guessing its password.
When an account is disabled, complete the following steps:
-
Access Local Users And Groups in Computer Management and then select the Users folder.
-
Double-click the user's account name and then clear the Account Is Disabled check box.
-
Click OK.
When an account is locked out, complete the following steps:
-
In Local Users And Groups, select the Users folder.
-
Double-click the user's account name and then clear the Account Is Locked Out check box.
-
Click OK.
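Both conditions can be inspected and cleared from PowerShell. The script below is an added example, not code from the original chapter; it reads the account through the ADSI WinNT provider, clears only the condition that is actually set, and then shows the lockout policy so you know whether the lock would have expired on its own. The account name is an assumption.

```powershell
# Added example (not from the original text): find out whether a local account
# is disabled, locked out, or both, and clear whichever applies.
# Assumed values: the local computer and user 'wstanek'.
$computer = $env:COMPUTERNAME
$userName = 'wstanek'
$user = [ADSI]"WinNT://$computer/$userName,user"

$ADS_UF_ACCOUNTDISABLE = 0x2                               # Account Is Disabled bit in userFlags
$flags    = $user.Get('userFlags')
$disabled = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
$locked   = [bool]$user.InvokeGet('IsAccountLocked')       # Account Is Locked Out (IADsUser property)
'{0}: disabled={1} lockedOut={2}' -f $userName, $disabled, $locked

if ($disabled) {
    # A disabled account was disabled on purpose; clearing the bit is the whole fix.
    $user.Put('userFlags', ($flags -band (-bnot $ADS_UF_ACCOUNTDISABLE)))
    $user.SetInfo()
}
if ($locked) {
    # Lockout is independent of the disabled bit; IsAccountLocked is the only
    # writable handle on it through this provider.
    $user.InvokeSet('IsAccountLocked', $false)
    $user.SetInfo()
}

# Re-read from the SAM and confirm.
$user.psbase.RefreshCache()
$nowDisabled = [bool]($user.Get('userFlags') -band $ADS_UF_ACCOUNTDISABLE)
$nowLocked   = [bool]$user.InvokeGet('IsAccountLocked')
'{0}: disabled={1} lockedOut={2}' -f $userName, $nowDisabled, $nowLocked

# The policy that produced the lockout. Threshold "Never" means accounts never
# lock; a duration of 0 means a locked account stays locked until an admin unlocks it.
net accounts | Select-String 'Lockout'
```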
Creating a Secure Guest Account
In some environments, you might need to set up a
guest account that can be used by visitors. Most of the time, you'll
want to configure the guest account for use on a specific computer or
computers and carefully control how the account can be used. To create
a secure guest account, I recommend that you perform the following
tasks:
-
Enable the guest account for use. By default, the
guest account is disabled. Therefore, you must first enable it to make
it available. To do this, access Local Users And Groups in Computer
Management and then select the Users folder. Double-click Guest and
then clear the Account Is Disabled check box. Click OK.
-
Set a secure password on the guest account. By default, the guest account has a blank password. To improve security on the computer, you should set one. In Local
Users And Groups, right-click Guest and then select Set Password. Click
Proceed at the warning prompt. Type and then confirm the new password.
Click OK.
-
Ensure that the guest account cannot be used over the network.
The guest account shouldn't be accessible from other computers. If it is, anyone who can reach the computer over the network can log on as Guest with the password you just set. To prevent this, start the Local Security Policy tool in the Administrative Tools menu, or type secpol.msc at the command prompt. Then under Local Policies\User Rights Assignment, ensure the Deny Access To This Computer From The Network policy lists Guest. A default Windows Vista installation already lists Guest here, but verify it rather than assume it; a deny right wins over any allow right the account gains through group membership.
-
Prevent the guest account from shutting down the computer.
A user who can shut down or restart the workstation can deny it to everyone else and can restart it from other boot media, which is the usual first step in bypassing the installed system's security. To help deter this, ensure that neither Guest nor the Guests group holds the Shut Down The System user right. In the Local Security Policy tool, expand Local Policies\User Rights Assignment and check the Shut Down The System policy; on a workstation it is normally granted to Administrators, Users, and Backup Operators only.
-
Prevent the guest account from viewing event logs.
Event logs reveal user names, logon times, and service names that help an intruder plan the next step, so the guest account shouldn't be allowed to read them. To ensure this, start Registry Editor by typing regedit at an elevated command prompt and then access the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog key. Here you'll find three subkeys: Application, Security, and System. Make sure each of these subkeys has a DWORD value named RestrictGuestAccess with a value of 1.
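The five tasks can be carried out and verified from an elevated PowerShell prompt. The script below is an added example, not code from the original chapter. It changes the Guest account through the ADSI WinNT provider, edits the two user rights with secedit, and sets the three registry values. The temporary file names are assumptions; the account, right names and registry keys are the ones named in the tasks above.

```powershell
# Added example (not from the original text): the five Guest-hardening tasks
# above, run on the local computer from an elevated prompt.
# Assumed values: the temp file names under $env:TEMP.

# Task 1: enable Guest by clearing ADS_UF_ACCOUNTDISABLE (bit 0x2 of userFlags).
$guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
$guest.Put('userFlags', ($guest.Get('userFlags') -band (-bnot 0x2)))
$guest.SetInfo()

# Task 2: replace the blank password. Read-Host echoes the text here, which is
# acceptable for a one-off at the console but not for a script you keep.
$guest.SetPassword((Read-Host 'New password for Guest'))
$guest.SetInfo()

# Tasks 3 and 4: user rights. secedit /configure REPLACES every right named in
# the template with the template's value, so start from the current assignments
# and edit them; writing bare values would silently wipe other entries.
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$current = Get-Content $export

function Get-RightMembers([string]$right) {
    $line = $current | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Local accounts are exported by name and built-in groups as *SID; match Guest either way.
$guestSid = ([Security.Principal.NTAccount]'Guest').Translate([Security.Principal.SecurityIdentifier]).Value

$deny = @(Get-RightMembers 'SeDenyNetworkLogonRight')
if (-not ($deny | Where-Object { $_ -eq 'Guest' -or $_ -eq "*$guestSid" })) { $deny += 'Guest' }

$shutdown = @(Get-RightMembers 'SeShutdownPrivilege' | Where-Object { $_ -ne 'Guest' -and $_ -ne "*$guestSid" })
if ($shutdown.Count -eq 0) {
    throw 'SeShutdownPrivilege exported empty; refusing to write a template that would strip it from everyone.'
}

$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $($deny -join ',')
SeShutdownPrivilege = $($shutdown -join ',')
"@
$inf = Join-Path $env:TEMP 'guest-rights.inf'
$db  = Join-Path $env:TEMP 'guest-rights.sdb'
Set-Content -Path $inf -Value $template -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# Task 5: keep Guest out of all three event logs.
foreach ($log in 'Application', 'Security', 'System') {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log" `
                     -Name RestrictGuestAccess -Value 1 -Type DWord
}

# Verify by exporting again and showing the two rights as they now stand.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Get-Content $export | Select-String 'SeDenyNetworkLogonRight|SeShutdownPrivilege'
Remove-Item $export, $inf, $db -ErrorAction SilentlyContinue
```

The export-edit-import round trip is the part worth copying into other hardening scripts: secedit has no "add this account to this right" operation, and a template that lists a right with only the entry you care about removes everyone else from it.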
Renaming Local User Accounts and Groups
When you rename an account, you give it a new
label. Because the SID for the account remains the same, the
permissions and properties associated with the account don't change. To
rename an account, complete the following steps:
-
In Local Users And Groups, select the Users or Groups folder as appropriate.
-
Right-click the account name and then select Rename. Type the new account name and then press Enter or click a different entry.
Deleting Local User Accounts and Groups
Deleting an account permanently removes it. Once
you delete an account, you can't create another account with the same
name to automatically get the same permissions because the SID for the
new account won't match the SID for the old account.
Because deleting built-in accounts can have far-reaching effects on the workstation, Windows Vista doesn't let you delete built-in user accounts (such as Administrator and Guest) or built-in groups (such as Administrators and Users). You can remove other accounts by selecting them and pressing the Del key or by right-clicking and selecting Delete. When prompted, click Yes.
Note: When you delete a user account using Local Users And Groups, Windows Vista doesn't delete the user's profile, personal files, or home directory. If you want to delete these files and directories, you'll have to do it manually.
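The two facts in this section, that a rename keeps the SID and that a delete leaves the profile behind, can be observed directly. The script below is an added example, not code from the original chapter; it uses the ADSI WinNT provider and the ProfileList registry key. The account names are assumptions, and the account is assumed to have logged on at least once so that a profile exists.

```powershell
# Added example (not from the original text): rename a local account and show its
# SID is unchanged, then delete it and show what is left behind.
# Assumed values: the local computer, user 'wstanek' renamed to 'wstanek2'.
$computer = $env:COMPUTERNAME
$sam = [ADSI]"WinNT://$computer"

function Get-LocalUserSid([string]$name) {
    $acct = [ADSI]"WinNT://$computer/$name,user"
    # objectSid comes back as the binary SID; convert it to S-1-5-21-... form.
    (New-Object Security.Principal.SecurityIdentifier([byte[]]$acct.Get('objectSid'), 0)).Value
}

# Rename: only the label changes. Every ACL that references the account
# references the SID, so permissions follow the account to its new name.
$sidBefore = Get-LocalUserSid 'wstanek'
$user = [ADSI]"WinNT://$computer/wstanek,user"
$user.psbase.Rename('wstanek2')
$sidAfter = Get-LocalUserSid 'wstanek2'
"SID unchanged by rename: $($sidBefore -eq $sidAfter)"

# Delete: removes the SAM entry only. The profile folder and the ProfileList
# entry keyed by the old SID stay behind, and the SID now resolves to nothing
# in any ACL that still lists it.
$sam.Delete('user', 'wstanek2')
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sidBefore"
if (Test-Path $profileKey) {
    $path = (Get-ItemProperty $profileKey).ProfileImagePath
    "Orphaned profile: $path (folder still present: $(Test-Path $path))"
} else {
    'No ProfileList entry: the account never logged on, so there is no profile to clean up.'
}
# Creating a new 'wstanek' now would produce a fresh SID; the old permissions do not come back.
```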