Windows Vista : User Accounts and Groups

A domain is a logical group of computers that define a security boundary. A domain uses one database known as Active Directory, which is stored on one or more domain controllers. It gives the ability to share its common security and user and group account information for all computers with the domain. When a user logs on to the domain, that user can access resources throughout the domain with the same logon (single sign-on). The domain allows for centralized network administration of all users, groups, and resources on the network.

A user account enables a user to log on to a computer or domain with an identity that can be authenticated and authorized for access to the resources of the computer or domain. Because the user account is meant to be assigned to one and only one user, it allows you to assign rights and permissions to a single user and enables you to track what users are doing (accountability).

Two general types of user accounts are defined in Windows Vista:

• Local user accounts. User accounts defined on a local computer, which have access to the local computer only. You add or remove local user accounts with the Control Panel’s User Accounts options or the Local Users and Groups utility. Local Users and Groups is accessible through the Computer Management console, a Microsoft Management Console (MMC) tool, which is found in Administrative Tools.

• Domain user accounts. User accounts defined in the Active Directory. Through single sign-on, these accounts can access resources throughout a domain/forest. When a computer is a member of an Active Directory domain, you can create domain user accounts using Active Directory Users and Computers. This MMC tool is available on the Administrative Tools menu when you install the Windows Server Administrator Tools (Adminpak.msi) on your Windows Vista computer.

A local user account allows users to log on at and gain resources on only the computer where they create such an account. The user account tells Windows which files and folders the user can access, which changes the user can make to the computer, and the user’s personal preferences, such as desktop background or color theme. User accounts enable the sharing a computer between several people, with each user having personal files and settings. Each person accesses his user account with a username and password.

Default User Accounts

Every Windows Vista computer has local computer accounts, regardless of whether the computer is a member of a workgroup or a domain. When you install Windows Vista, the operating system installs default user accounts, which are managed using the Local Users and Groups console. The key accounts you’ll see are the following:

• Administrator. Administrator is a predefined account that provides complete access to files, directories, services, and other facilities on the computer. You can’t delete this account.

• Guest. Guest is designed for users who need one-time or occasional access. Although guests have only limited system privileges, you should be careful about using this account because it opens the system up to potential security problems. The risk is so great that the account is initially disabled when you install Windows Vista.

The built-in administrator account is disabled by default in Windows Vista on new installations. If Windows Vista determines during an upgrade from Windows XP that the built-in administrator is the only active local administrator account, Windows Vista leaves the account enabled and places the account in Admin Approval mode. The built-in administrator account, by default, cannot log on to the computer in Safe mode.

Windows Vista also provides groups, which you use to grant permissions to similar types of users and to simplify account administration. If a user is a member of a group that can access a resource, that particular user can access the same resource. Therefore, you can give a user access to various work-related resources just by making the user a member of the correct group.

Windows Vista Local Accounts

When you create additional accounts in Windows Vista using the Control Panel, you choose between three different kinds of accounts:

• Standard

• Administrator

• Guest

Each account type gives the user a different level of control over the computer.

The standard account is the account to use for everyday computing. A standard user account lets you use most of the capabilities of the computer, but permission from an administrator is required if you want to make changes that affect other users or the security of the computer. You can use most programs that are installed on the computer, but you can’t install or uninstall software and hardware, delete files that are required for the computer to work, or change settings on the computer that affect other users. If you’re using a standard account, some programs might require you to provide an administrator password before you can perform certain tasks.

The administrator account provides the most control over the computer, and should only be used when necessary. It lets you make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. Administrators can also make changes to other local user accounts.

When you set up Windows, you’ll be required to create a user account. This account is an administrator account that enables you to set up your computer and install any programs that you would like to use. After you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing.

The guest account is primarily for people who need temporary access to the computer. It is for users who don’t have a permanent account on your computer or domain. It enables people to use your computer without having access to your personal files. People using the guest account can’t install software or hardware, change settings, or create a password.

All user accounts are identified with a logon name. In Windows Vista, this logon name has two parts: the username and the user computer or domain in which the user account exists. If you have a computer called PC1 and the username is User1, the full logon name for Windows Vista is PC1\User1. Of course, User1 can log on to his local workstation and access local resources, but would not be able to access domain resources.

When working with domains, the full logon name can be expressed in two different ways:

• The user account name and the full domain name separated by the at (@) symbol. For example, the full logon name for User1 in the Acme.com domain is [email protected].

• The user account name and the domain separated by the backslash symbol (\). For example, the full logon name for User1 in the Acme domain is Acme\User1.

While Windows Vista represents a user with an user account, administrators as well as users see the user account represented by a user name for easy identification. Windows Vista identifies the user account by using the user account’s security identifier (SID). A SID is a unique identifier that is automatically generated when a user account is created and consists of a computer or domain security ID prefix combined with a unique relative ID for the user. Having a unique identifier allows administrators to change a user’s username while keeping all settings, permissions, and rights associated with the account. Because each user account has a unique security identify, an administrator can delete an account without worrying that someone might gain access to resources just by re-creating an account.

To provide security, user accounts should have passwords. Passwords are authentication strings for an account and may consist of upper- and lowercase characters, digits, and special characters.