Microsoft Windows Vista workstations can be
configured as a member of a workgroup or domain. When a workstation is
configured as a member of a workgroup, user access and security are
configured on the workstation itself. Each computer maintains its own
security database, which includes its own local user accounts and
groups. If a user on one computer needs to access resources on other
computers, a user account must be created on each computer. The user and
group information is not shared with other computers.
A domain is a logical
group of computers that defines a security boundary. A domain uses one
database, known as Active Directory, which is stored on one or more
domain controllers. It lets all computers within the domain share common
security settings and user and group account information. When a user
logs on to the domain, that user can access
resources throughout the domain with the same logon (single sign-on).
The domain allows for centralized network administration of all users,
groups, and resources on the network.
A user account
enables a user to log on to a computer or domain with an identity that
can be authenticated and authorized for access to the resources of the
computer or domain. Because the user account is meant to be assigned to
one and only one user, it allows you to assign rights and permissions to
a single user and enables you to track what users are doing
(accountability).
Note
It is highly recommended that all users who log on to the network have their own unique user account and password.
Two general types of user accounts are defined in Windows Vista:
Local user accounts. User accounts defined on a local computer, which have access to the local computer only. You add or remove local user accounts
with the Control Panel’s User Accounts options or the Local Users and
Groups utility. Local Users and Groups is accessible through the
Computer Management console, a Microsoft Management Console (MMC) tool,
which is found in Administrative Tools.
Domain user accounts.
User accounts defined in the Active Directory. Through single sign-on,
these accounts can access resources throughout a domain/forest. When a
computer is a member of an Active Directory domain, you can create
domain user accounts using Active Directory Users and Computers. This
MMC tool is available on the Administrative Tools menu when you install
the Windows Server Administrator Tools (Adminpak.msi) on your Windows
Vista computer.
A local user account
allows a user to log on to, and access resources on, only the computer
where the account was created. The user account tells Windows which files
and folders the user can access, which changes the user can make to the
computer, and the user’s personal preferences, such as desktop
background or color theme. User accounts enable sharing a computer
between several people, with each user having personal files and
settings. Each person accesses his or her user account with a username
and password.
Default User Accounts
Every Windows Vista
computer has local computer accounts, regardless of whether the computer
is a member of a workgroup or a domain. When you install Windows Vista,
the operating system installs default user accounts, which are managed
using the Local Users and Groups console. The key accounts you’ll see
are the following:
Administrator.
Administrator is a predefined account that provides complete access to
files, directories, services, and other facilities on the computer. You
can’t delete this account.
Guest.
Guest is designed for users who need one-time or occasional access.
Although guests have only limited system privileges, you should be
careful about using this account because it opens the system up to
potential security problems. The risk is so great that the account is
initially disabled when you install Windows Vista.
The built-in
administrator account is disabled by default in Windows Vista on new
installations. If Windows Vista determines during an upgrade from Windows
XP that the built-in administrator is the only active local
administrator account, Windows Vista leaves the account enabled and
places the account in Admin Approval mode. The built-in administrator
account, by default, cannot log on to the computer in Safe mode.
Windows Vista also
provides groups, which you use to grant permissions to similar types of
users and to simplify account administration. If a user is a member of a
group that can access a resource, that particular user can access the
same resource. Therefore, you can give a user access to various
work-related resources just by making the user a member of the correct
group.
Windows Vista Local Accounts
When you create
additional accounts in Windows Vista using the Control Panel, you choose
between three different kinds of accounts:
Standard
Administrator
Guest
Each account type gives the user a different level of control over the computer.
The standard account is the
account to use for everyday computing. A standard user account lets you
use most of the capabilities of the computer, but permission from an
administrator is required if you want to make changes that affect other
users or the security of the computer. You can use most programs that
are installed on the computer, but you can’t install or uninstall
software and hardware, delete files that are required for the computer
to work, or change settings on the computer that affect other users. If
you’re using a standard account, some programs might require you to
provide an administrator password before you can perform certain tasks.
The administrator account
provides the most control over the computer, and should only be used
when necessary. It lets you make changes that will affect other users.
Administrators can change security settings, install software and
hardware, and access all files on the computer. Administrators can also
make changes to other local user accounts.
Note
When you
create an administrator user, it adds the user to the Administrators
group. When you create a standard user, it adds the user to the Users
group.
When you set up Windows,
you’ll be required to create a user account. This account is an
administrator account that enables you to set up your computer and
install any programs that you would like to use. After you have finished
setting up your computer, we recommend that you use a standard user
account for your day-to-day computing.
The guest account is
primarily for people who need temporary access to the computer. It is
for users who don’t have a permanent account on your computer or domain.
It enables people to use your computer without having access to your
personal files. People using the guest account can’t install software or
hardware, change settings, or create a password.
Note
By default, the
administrator account and guest account are disabled on new
installations of Windows Vista. Therefore, you must enable these
accounts before they can be used.
All user accounts are
identified with a logon name. In Windows Vista, this logon name has two
parts: the username and the computer or domain in which the user
account exists. If you have a computer called PC1 and the username is
User1, the full logon name for Windows Vista is PC1\User1. Of course,
User1 can log on to his local workstation and access local resources,
but would not be able to access domain resources.
When working with domains, the full logon name can be expressed in two different ways:
The user account
name and the full domain name separated by the at (@) symbol. For
example, the full logon name for User1 in the Acme.com domain is
User1@Acme.com.
The
user account name and the domain separated by the backslash symbol (\).
For example, the full logon name for User1 in the Acme domain is
Acme\User1.
While
Windows Vista represents a user with a user account, administrators as
well as users see the user account represented by a username for easy
identification. Windows Vista identifies the user account by using the
user account’s security identifier (SID). A SID is a unique identifier
that is automatically generated when a user account is created and
consists of a computer or domain security ID prefix combined with a
unique relative ID for the user. Having a unique identifier allows
administrators to change a user’s username while keeping all settings,
permissions, and rights associated with the account. Because each user
account has a unique security identifier, an administrator can delete an
account without worrying that someone might gain access to resources
just by re-creating an account with the same name.
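The two logon-name formats and the prefix-plus-RID structure of a SID described above, as an added worked example (not code from the original text). It parses both logon-name forms into (computer or domain, user), splits a SID string into its computer/domain prefix and relative ID, labels the built-in Administrator, Guest, Administrators and Users identities by their well-known RIDs, and shows that principals are compared by SID rather than by name; the MACHINE_PREFIX sub-authority values are constructed samples.

```python
import re

# Constructed sample prefix; the three sub-authority values are made up.
MACHINE_PREFIX = "S-1-5-21-1004336348-1177238915-682003330"

# Well-known relative IDs (RIDs): built-in Administrator/Guest sit under the
# computer or domain prefix, built-in Administrators/Users groups under the
# fixed S-1-5-32 prefix. Accounts you create get RIDs starting at 1000.
BUILTIN_ACCOUNTS = {500: "Administrator", 501: "Guest"}
BUILTIN_GROUPS = {544: "Administrators", 545: "Users"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_logon_name(logon):
    """Return (authority, user) for 'PC1\\User1', 'Acme\\User1' or 'User1@Acme.com'."""
    if "\\" in logon:
        authority, user = logon.split("\\", 1)
    elif "@" in logon:
        user, authority = logon.rsplit("@", 1)
    else:
        raise ValueError(f"logon name has no computer or domain part: {logon!r}")
    if not authority or not user:
        raise ValueError(f"malformed logon name: {logon!r}")
    return authority, user


def split_sid(text):
    """Split 'S-1-<auth>-<sub>...-<rid>' into (computer/domain prefix, rid)."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    parts = [int(p) for p in m.group(2).split("-")[1:]]
    prefix = "-".join(["S-1", m.group(1), *map(str, parts[:-1])])
    return prefix, parts[-1]


def describe_sid(text):
    """Classify a SID as built-in account, built-in group, created account, or other."""
    prefix, rid = split_sid(text)
    if prefix == "S-1-5-32" and rid in BUILTIN_GROUPS:
        return {"prefix": prefix, "rid": rid, "name": BUILTIN_GROUPS[rid], "kind": "builtin-group"}
    if prefix.startswith("S-1-5-21-") and rid in BUILTIN_ACCOUNTS:
        return {"prefix": prefix, "rid": rid, "name": BUILTIN_ACCOUNTS[rid], "kind": "builtin-account"}
    if prefix.startswith("S-1-5-21-") and rid >= 1000:
        return {"prefix": prefix, "rid": rid, "name": None, "kind": "created-account"}
    return {"prefix": prefix, "rid": rid, "name": None, "kind": "other"}


def same_principal(sid_a, sid_b):
    """Windows compares SIDs, not names: renaming keeps the SID, re-creating changes the RID."""
    return split_sid(sid_a) == split_sid(sid_b)
```

A renamed account keeps the same SID string, so same_principal returns True for it, while a deleted and re-created account receives a fresh RID and no longer matches.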
To provide security,
user accounts should have passwords. Passwords are authentication
strings for an account and may consist of upper- and lowercase
characters, digits, and special characters.