Why do I need a user account. User Accounts in Windows XP

I get a lot of letters from readers describing the problems they encounter when creating or managing accounts. Many administrators are having difficulty with inadvertently skipping important elements when setting up or not sticking to the system. Therefore, I decided to once again turn to the basics of creating and managing accounts and give some tips to help simplify these processes.

The user account contains a name and password for registration on the local computer or in the domain. In Active Directory (AD), the user account can also contain additional information, such as the full user name, email address, phone number, department, and physical address. In addition, the user account serves as a means for assigning permissions, logon scenarios, profiles, and home directories.

Local accounts against domain names

When users log on to the local computer, not in the domain, they use local accounts. In a workgroup environment (with peer nodes - P2P), local accounts provide logging functions for users local computers  and provide remote users with access to computer resources. Certain users, for example, can access data on the server and use a local account to register on such a system.

However, most of the user accounts on the corporate network are domain-based and grant domain-wide permissions and permissions. Unless the domain account explicitly prohibits this, users can register with a domain account with a domain account on any workstation. After registration, users receive specific permissions in relation to network resources for the domain account.

But domain accounts have not only users. In a domain, accounts represent physical records that can correspond to a computer, user, or group. User accounts, computer accounts, and group accounts are principals (access elements) - directory service objects that automatically receive SIDs, which determine access to the resources of the domain.

The two most important applications of domain accounts are user authentication and permission or denial of access to domain resources. Authentication allows users to log on to computers and domains with characteristics that are authenticated by domain services. The domain allows or denies access to domain resources based on the permissions received by the user through membership in one or more domain groups.

Built-in domain accounts

When a domain is created, Windows automatically generates several user accounts. In Windows 2000, the Administrator and Guest accounts are built-in. Windows Server 2003 domains have a third built-in account named HelpAssistant, which is automatically created the first time Remote Assistance is launched. Each of these built-in accounts has a different set of permissions.

The Administrator account has a set of Full Control permissions on all domain resources and can assign permissions to users in the domain. By default, the Administrator account is a member of the following groups:

• Administrators
• Domain Admins
• Domain Users
• Enterprise Admins
• Group Policy Creator Owners
• Schema Admins

Some administrators rename or disable the Administrator account to make it difficult for users to access the domain controller (DC). Instead, administrators could register with accounts that are members of the same groups, which would give them enough rights to administer the domain. If you disable the Administrator account, you can use this account if you need to access the DC, by downloading the DC in Safe Mode (the Administrator account is always available in Safe Mode).

The Guest account allows you to register in the domain to users who do not have an account. The Guest account does not require a password, but you can set permissions for it in the same way as for any user account. The Guest account is a member of the Guests and Domain Guests groups. It is clear that the ability to register in the domain to any person who does not have a real account, creates a certain risk, so most administrators do not use this account. In Windows 2003, the Guest account is disabled by default. To disable the Guest account in Windows 2000, you need to click on it right-click in the Microsoft Management Console (MMC) snap-in in Active Directory Users and Computers, then select Disable from the menu.

The HelpAssistant account appeared only in Windows 2003. The Remote Desktop Help Session Manager service creates this account and manages it when the user requests a Remote Assistance session.

Create domain user accounts

Accounts  domain users are created on the DC as an AD function. You must open the Active Directory Users and Computers snap-in, and then expand the appropriate domain (if more than one). Unlike Windows NT 4.0, in Windows 2000 and Windows 2003, the account creation and configuration processes are divided: first the administrator creates the user and the corresponding password, then performs the configuration by specifying the group membership.

To create a new domain user, right-click the Users container, and then click New, User to open the New Object-User dialog box on screen 1. Next, you must enter the user name and login name. Windows automatically adds the suffix of the current domain to the registration name, which is called the user principal suffix (UPN suffix). You can create additional UPN suffixes and select a suffix for the new user in the combo box. You can also enter a different user name for domain registration from NT 4.0 and Windows 9.x computers (by default, the previous name is substituted).

Next, click Next to configure the user's password, as shown on screen 2. By default, Windows forces users to change the password at the next registration, so for each new user you can take a certain standard password  company, and then give users the option to enter a new password after the first self-registration. Next, select the password options that you want to set for this user. Finally, you need to click Next to see the overall picture of the selected settings, then click Finish to create a user account in AD.

User account properties

To configure or change the properties of a domain user account, you must select it in the list and double-click the right mouse button. Screen 3 shows the categories of settings.

The Member Of tab controls the membership of the user in groups (and, therefore, permissions and user rights in the domain). By default, Windows puts the new user account in the Domain Users group. For some users this is enough, and nothing more to do is not necessary. Other users, such as department heads or IT staff, need to provide such group membership that would enable them to perform the necessary tasks. To set group membership, click Add, then select the appropriate group for the user whose account is being edited. If the built-in groups do not provide a set of permissions that exactly matches the existing requirements, you should create your own groups.

Creating templates

Windows allows you to copy user accounts, which makes the process of creating templates faster and more efficient. The best way to take advantage of this feature is to create a set of user account templates, and then turn those accounts into real ones. Because permissions and rights are the most important (and potentially dangerous) properties, you should create templates in categories according to group membership. You need to start with a template for the standard user (that is, a member of only the Domain Users group), then you need to create templates that have specific membership combinations for groups. For example, you can create a user template named Power with membership in the Power Users group, with no registration hours restrictions or a user template named DialUp with pre-configured dial-up settings. Subsequently, as new accounts are created, you can select a suitable template and modify it.

I found several useful techniques  create and copy templates:

• assign names to the templates that begin with 0, so that they all appear above the list of user files;
• assign all the templates the same password;
• disable all template accounts (right-click the file, then select Disable).

To create an account for a new user from the template, right-click the template list, then select Copy. In the Copy Object-User dialog box, you must enter the user name and login name for the new the created record, then click Next to set the password for the new user, as described below.

1. Enter the company's default password and assign it to the new user.
2. Clear the cells Password never expires (Account validity is unlimited) and Account is disabled (account is disabled).
3. Select the User must change password at next logon check box.
4. Click Next, and then click Finish.

Do not bother with the Member Of tab, because the system has already copied the group membership from the user template. In fact, if you do not need to record the phone and the user's address, you can do nothing on the remaining tabs. The system copies all common attributes. However, you can add other attributes for automatic copying, or make sure that certain attributes are not copied by modifying the AD schema.

Cathy Evans  - editor of Windows 2000 Magazine. She participated in writing more than 40 books on computer subjects, including "Windows 2000: The Complete Reference" (Osborne / McGraw-Hill). You can contact her at: [email protected]

In this article, intended for those who are just beginning to get acquainted with the "Seven", it is told about accounting windows Records  7, on the principles of their creation and use. Accounts  - the tool that is needed if a computer is used by several people. Also, you need to know what the difference between an administrator account and a regular user is.

In Windows 7, working with accounts is not much different from similar actions in Windows XP and Windows Vista. However, in now everything is done in a new interface, which you need to get used to.

As a rule, it makes sense to create a separate account for each member of the family. It is not necessary to give everyone the same opportunities. You can keep the administrator's authority, and the rest will have the authority of the average user - so less will be screwed on;)

Now let's see how you can add a new account.

New user account

Choose a team Start\u003e Control Panel  and in the section User Accounts and Family Security  click on the link Adding and Removing User Accounts.

A window opens in which to enter the user name and account type. Typically, it makes sense to choose a switch Normal accessso that the user can not change system settings, accidentally or intentionally delete important system files  or change the security settings. One computer - one administrator, the golden rule. After entering the name, click the button Creating an account.

Now, if you restart the computer, our new user will appear in the registration window in the system.

If a password is specified for the user account (see below), you will have to enter it to log in.

If an ordinary user tries to go beyond his authority (say, try to change the computer name), then he will be required to enter the administrator's password (in this case, the administrator's "Pimpochka").

As an administrator, you can change other accounts or create passwords for them. As for the passwords, you need to open the window already known to us Managing Accounts, click on the user icon with the usual access and then on the link Create a password.

In the window that opens, enter the password twice, as well as a hint in case the user forgets the password.

Account Types

Let's take a closer look at the types of accounts. There are only three of them:

• Administrator. King and God of Windows, can do absolutely everything without restrictions.
• Normal access. Users with a regular user also have broad opportunities, however, they can not install new programs, delete system files or change system settings. However, all this is also available to them, but only after entering the administrator password.
• Guest access. This is temporary access to the computer. Users with such access can not install programs, make any restrictions, specify passwords, etc. This type of access is useful to those who use the computer only to quickly check e-mail  or work in Word.

If a user with normal access tries to climb, where not, he will not be allowed:

As for the guest access, it is disabled by default. To enable it, in the window Managing Accounts  click on the icon a guest.

Then click the button in the new window Enable.

For a guest account, you can only change the picture and turn off the recording. But you can not set the password or change the type of the guest entry.

When the system administrator installs programs, it is often necessary to choose when installing - whether the program will be available only to him, or to other users of the system, regardless of their access level. Here, decide for yourself, you are the administrator - you and the cards in hand.

Also, do not forget that if you are going to shut down the computer when another user has not yet logged out, then the data that he has not saved can be lost. So do not hurry and finish the session of other users before clicking the "Shut down" button.

Well, this article, designed for beginners, will allow you to grab yourself an administrator account and quickly assign Normal access  all other members of your family (and a harmful younger brother and guest access is enough, hehe).

Laboratory work № 8

Access control system in Windows.

Objective:

To familiarize yourself with the access control system, to study the basic principles of account management

operating system: Windows XP Professional Service Pack 3

Theoretical information

Operating systems of the line of Windows NT, and also older than Windows 98 / Me in its architecture are full multi-user systems, and therefore, in order to ensure security, must have a well-thought-out access control system (RAS). This laboratory work is devoted to the basics of SRS in modern versions of Microsoft  Windows.

user accounts

The basis of the system of access control in the OS is the concept of account. For each registered user, the system creates its own account. An account is a record in a special database of the system containing information about the user, as well as data for user authentication (the way and location of accounts will be discussed in more detail below). Each time the user is authenticated, the data entered by the user is compared with the data from the database, and if the user matches, the user is given appropriate access to the OS.

Note. If the computer is part of a local area network (LAN) based on a Windows domain, the user and group accounts are not stored on the local system, but on the Windows server (domain controller). In this case, the authentication of the authentication is carried out by the domain controller. In this laboratory work this case is not considered.

All OS user accounts can be conditionally divided into three categories:

¨ Built-in user accounts  are created automatically when the OS is installed. They are system accounts, and the management capabilities are limited (for example, they can not be deleted). Such accounts are necessary for the OS itself to distinguish access to system processes.

¨ Standard accounts users are also automatically created when the OS is installed. However, they are not systemic and perform auxiliary functions. The ability to manage such accounts is not limited.

¨ User Accounts  - registered users of the OS. Such accounts are created and managed by the Administrator or a user with the appropriate rights.

All listed account categories are stored in one section the system registry. On the hard disk, the corresponding partition is located in the file % WINDOWS% / system32 / config / sam. Access to this file  (and the corresponding section of the system registry) has only system account. Even the Administrator does not have direct access to the OS database.

Below are the built-in accounts  OS and their purpose:

Below are the standard accounts  OS and their purpose:

Group of users

Each account has certain access rights and privileges in the system. These rights may be imposed Administrator  for each account separately. However, this is not always convenient, because many users have the same access rights, and it is necessary to set the same rights for the corresponding accounts. Therefore, another tool for managing access control in the OS are groups. A group is a collection of accounts that have the same rights. Each individual account can belong to one or more groups, and therefore have the rights of the group.

All groups can be conditionally divided into two categories:

¨ Standard Groups  users are automatically created when the OS is installed. However, they are not systemic, so the management capabilities of such groups are not limited (you can delete, rename, change rights, etc.).

¨ Custom Groups  Registered OC groups. Such groups are created and managed by the Administrator or a user with the appropriate rights. The possibilities for managing such groups are not limited.

Administrators  - membership in this group by default provides the widest set of rights and the ability to change own rights. By default, the member of this group is only the built-in Administrator account. Administrator rights in the system are almost unlimited, although the SYSTEM account has even higher rights.

¨ installation operating system  and its components (for example, device drivers, system services, and so on);

¨ installation of service packs;

¨ Operating system updates;

¨ restoration of the operating system;

¨ configuration of the most important operating system parameters (password policy, access control, audit policy, driver configuration in kernel mode, and so on);

¨ taking possession of files that have become inaccessible;

¨ management of security and audit logs;

¨ archiving and restoring the system.

Advanced Users  - This group is supported, mainly for compatibility with previous versions and for performing non-certified applications. The default permissions granted to this group allow the group members to change the OS settings. Members of the Power Users group have more rights than members of the Users group, and less than members of the Administrators group. Advanced users can perform any tasks with the OS, except for tasks reserved for the Administrators group (for example, installing services and drivers).

Advanced users can:

¨ Install programs that do not modify the operating system files, and system services;

¨ configure resources at the system level, including printers, date and time, power settings and other control panel resources;

¨ stop and start system services that are not started by default.

Advanced users can not add themselves to the Administrators group. They do not have access to data from other users on an NTFS volume if the corresponding permissions of these users are not received.

Members List- members of this group are usually ordinary users of the system. The Users group provides the most secure environment for executing programs. On volume with file system  NTFS default security settings are designed to prevent the violation of the integrity of the operating system and installed programs by members of this group. Users can not modify registry settings at the system level, operating system or program files. They can not organize general access  to directories or create local printers. Users have full access only to their data files and only to their part of the registry (HKEY_CURRENT_USER). User-level permissions are often not allowed by the user different applications. Accounts that are members of the Users group can not install new applications into the system and can only run certified applications.

Archive Operators - members of this group can archive and restore files on the computer regardless of all the permissions that these files are protected. They can also log in and shut down the computer, but they can not change the security settings.

Guests- members of this group have the same rights by default, as users, except for the Guest account, which is even more limited in rights.

Network Configuration Operators  - members of this group may have some administrative rights  to manage the configuration of network parameters.

Remote Desktop Users  - Members of this group have the right to perform remote login to the system.

This article, intended for those who are just beginning to get acquainted with the "seven", tells about the accounts of Windows 7, about the principles of their creation and use .Accounts are the tool that is necessary if a computer is used by several people. , what exactly is the difference between an administrator account and a regular user.

In Windows 7, working with accounts is not much different from similar actions in Windows XP and Windows Vista. However, in Windows 7, everything is now done in a new interface, which you need to get used to.

As a rule, it makes sense to create a separate account for each member of the family. It is not necessary to give everyone the same opportunities. You can keep the administrator's authority, and the rest will have the authority of the average user - so less will be screwed on;)

Now let's see how you can add a new account.

New user account

Click Start\u003e Control Panel, and in the User Accounts and Family Security section, click Add or Remove User Accounts.

A window opens in which to enter the user name and account type. Typically, it makes sense to select the Normal access switch so that the user can not change system settings, accidentally or intentionally delete important system files or change security settings. One computer - one administrator, the golden rule. After entering the name, click the Create Account button.

Now, if you restart the computer, our new user will appear in the registration window in the system.

If a password is specified for the user account (see below), you will have to enter it to log in

If an ordinary user tries to go beyond his authority (say, try to change the computer name), then he will be required to enter the administrator's password (in this case, the administrator's "Pimpochka").

As an administrator, you can change other accounts or create passwords for them. Regarding passwords, you need to open the account management window that is already known to us, click on the user's icon with the usual access and then on the link Create a password.

In the window that opens, enter the password twice, as well as a hint in case the user forgets the password.

Account Types

Let's take a closer look at the types of accounts. There are only three of them:
Administrator. King and God of Windows, can do absolutely everything without restrictions.
Normal access. Users with a normal user also have a lot of features, however, they can not install new programs, delete system files or change system settings. However, all this is also available to them, but only after entering the administrator password.
Guest access. This is temporary access to the computer. Users with such access can not install programs, make any restrictions, specify passwords, etc. This type of access is useful to those who use the computer only to quickly check the email or work in Word.

If a user with normal access tries to climb, where not, he will not be allowed:

As for the guest access, it is disabled by default. To enable it, in the Account Management window, click the Guest icon.

Then click the Enable button in the new window.

For a guest account, you can only change the picture and turn off the recording. But you can not set the password or change the type of the guest entry.

When the system administrator installs programs, it is often necessary to choose when installing - whether the program will be available only to him, or to other users of the system, regardless of their access level. Here, decide for yourself, you are the administrator - you and the cards in hand.

Also, do not forget that if you are going to shut down the computer when another user has not yet logged out, then the data that he has not saved can be lost. So do not hurry and finish the session of other users before clicking the "Shut down" button.

Well, this article, designed for beginners, will allow you to grab yourself an administrator account and quickly assign Normal access to all other members of your family (and a bad younger brother and guest access is enough, hehe)

Now we'll figure out how to change the account image, add another user's account and change your password to log in.

But first let's talk about why you need several accounts. If you use your laptop in splendid isolation, then you do not need a second account. The maximum that is desirable to do is set the password to log in (if, of course, you have not already done so) using the Change command windows passwords. And then no one else but you can use your laptop.

But if the laptop is used by other users (for example, your family), it is highly desirable to create another account. First, each user will have their own settings - you like some background images, and your children - others. Secondly, you work under an account with more rights, allowing you to run programs on behalf of the administrator, install programs and configure the computer. Do not trust such actions to children, so it is desirable to create a regular user account that has the right to only run already installed programs and can only modify their own (user) settings.

To create a new user, run the Add or Remove User Accounts utility.

In the window that appears, click the Create Account button. After that, enter the name of the new account and select the access type:

• Regular access - the user will be able to run already installed programs, change the settings that do not affect the security of the system and other users;
• Administrator - the user will get full access and will be able to do everything he wants with the computer.

After that you will see a new account in the list of accounts. I created an account called User.

Click on the created account, and you can change the password, account icon, delete account, etc.

If you have already created an account with the rights of a normal user, do not forget to set a password for the administrator account, otherwise there will not be any sense in the fact that you created a limited account - anyone will be able to log into the system under it. But for a regular user (for convenience), you can not set a password.