Lesson 1: Understanding User Accounts

Lesson 1:?Understanding User Accounts

Windows XP Professional uses three types of user accounts: local user accounts, domain user accounts, and built-in user accounts.

  • A local user account allows you to log on to a specific computer to access resources on that computer.
  • A domain user account allows you to log on to the domain to access network resources.
  • A built-in user account allows you to perform administrative tasks or access local or network resources.

After this lesson, you will be able to

  • Explain how to create local user accounts and domain user accounts
  • Describe how to create and disable built-in user acconts

Estimated lesson time: 30 minutes


Local User Accounts

Local user accounts allow users to log on only to the computer on which the local user account has been created and to access resources on only that computer. When you create a local user account, Windows XP Professional creates the account only in that computer's security database, called the local security database, shown in Figure 3.1. Windows XP Professional uses the local security database to authenticate the local user account, which allows the user to log on to that computer. Windows XP Professional does not replicate local user account information to any other computer.

Figure 3.1??Characteristics of local user accounts

Microsoft recommends that you use local user accounts only on computers in workgroups. If you create a local user account in a workgroup of five computers running Windows XP Professional-for example, User1 on Computer1-you can only log on to Computer1 with the User1 account. If you need to be able to log on as User1 to all five computers in the workgroup, you must create a local user account, User1, on each of the five computers. Furthermore, if you decide to change the password for User1, you must change the password for User1 on each of the five computers because each computer maintains its own local security database.

A domain does not recognize local user accounts, so do not create local user accounts on computers running Windows XP Professional that are part of a domain. Doing so restricts users from accessing resources in the domain and prevents the domain administrator from administering the local user account properties or assigning access permissions for domain resources.

Domain User Accounts

Domain user accounts allow you to log on to the domain and access resources anywhere on the network. When you log on, you provide your logon information-your user name and password. Microsoft Windows 2000 Server uses this logon information to authenticate your identity and build an access token that contains your user information and security settings. The access token identifies you to the computers in the domain on which you try to access resources. The access token is valid throughout the logon session.

You can have domain user accounts only if you have a domain.You can have a domain only if you have at least one computer running one of the Windows 2000 Server products that is configured as a domain controller, which has the Active Directory directory service installed.

You create a domain user account in the copy of the Active Directory database (the directory) on a domain controller, as shown in Figure 3.2. The domain controller replicates the new user account information to all domain controllers in the domain. After Windows 2000 Server replicates the new user account information, all of the domain controllers in the domain tree can authenticate the user during the logon process.

Figure 3.2??Domain user accounts

Built-In User Accounts

Windows XP Professional automatically creates built-in accounts. Two commonly used built-in accounts are Administrator and Guest.

Administrator

Use the built-in Administrator account to manage the overall computer. You can perform tasks to create and modify user accounts and groups, manage security policies, create printer resources, and assign the permissions and rights that allow user accounts to access resources.

If you want to log on as Administrator and are using the Welcome screen, you can press Ctrl+Alt+Delete twice. Windows XP Professional displays a logon prompt and you can log on as Administrator. The Administrator account will not appear on the Welcome screen if you are running in a workgroup environment, the Welcome screen is enabled, and you created a user account during Setup. See Chapter 2, "Installing Windows XP Professional," for information about creating a user account during Setup. Lesson 3 in this chapter explains how to configure the computer to use the logon prompt instead of the Welcome screen.

As the administrator, you should create a user account for performing nonadministrative tasks and use your Administrator account only for administrative tasks.

You cannot delete the Administrator account. As a best practice, you should always rename the built-in Administrator account to provide greater security. Use a name that does not identify it as the Administrator account, making it more difficult for unauthorized users to use it to break into your computer.

The Administrator account is enabled by default, but you can configure the Account: Administrator Account Status Security Option to disable it. For more information, see Chapter 13, "Configuring Security Settings and Internet Options."

Guest

Use the built-in Guest account to allow occasional users to log on and access resources. For example, an employee who needs access to resources for a short time can use the Guest account.

Allow Guest access only in low-security networks, and always assign a password to the Guest account. You can rename the Guest account, but you cannot delete it.

Enabling the Guest Account

Log on with a user account that is a member of the Administrators group and use the User Accounts tool in the Control Panel (shown in Figure 3.3) to give access to the Guest account on the computer.

Figure 3.3??The User Accounts tool in a workgroup environment
To access the User Accounts program, click Start, click Control Panel, and then click User Accounts.

The User Accounts program displays the user accounts that can log on to the computer. The User Accounts program in Figure 3.3 indicates that Guest access is off, meaning that the Guest account is disabled.

To enable the Guest account, complete the following steps:

  1. Click Start, click Control Panel, and then click User Accounts.
  2. In the User Accounts window, click the Guest icon to access the Do You Want To Turn On The Guest Account window (see Figure 3.4).
    Figure 3.4??The Do You Want To Turn On The Guest Account window
  3. Click Turn On The Guest Account. The Guest account is now enabled.
  4. Close the User Accounts window and the Control Panel.

Disabling the Guest Account

You can also use the User Accounts program to disable Guest account access. If the Guest account is active, the User Accounts program indicates that Guest Access Is On.

To prevent Guest account access to the computer, complete the following steps:

  1. In the User Accounts window, click the Guest icon.
  2. In the What Do You Want To Change About The Guest Account window, click Turn Off The Guest Account.

    The Guest account is now disabled.

  3. Close the User Accounts window and Control Panel.

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

  1. Where do local user accounts allow users to log on and gain access to resources?
  2. Where should you create user accounts for computers running Windows XP Professional that are part of a domain?
  3. Which of the following statements about domain user accounts are correct? (Choose all that apply.)
    1. Domain user accounts allow users to log on to the domain and gain access to resources anywhere on the network, as long as the users have the required access permissions.
    2. If at least one computer running one of the Windows 2000 Server products is configured as a domain controller, you should use domain user accounts only.
    3. The domain controller replicates the new user account information to all other computers in the domain.
    4. A new domain user account is established in the local security database on the domain controller on which you created the account.
  4. Which of the following statements about built-in accounts are correct? (Choose all that apply.)
    1. You can delete the Guest account.
    2. You cannot delete the Administrator account.
    3. You cannot rename the Guest account.
    4. You can rename the Administrator account.
  5. How do you disable the Guest account?

Lesson Summary

  • Windows XP Professional uses local user accounts, domain user accounts, and built-in user accounts.
  • Local user accounts allow users to log on at and access resources on only the computer on which you create the local user account.
  • When you create a local user account, Windows XP Professional creates the account only in that computer's security database, which is called the local security database.
  • Do not create local user accounts on computers running Windows XP Professional that are part of a domain because the domain does not recognize local user accounts.
  • Domain user accounts allow users to log on to the domain and access resources anywhere on the network.
  • You create a domain user account in the copy of the Active Directory database (the directory) on a domain controller.
  • You can only have domain user accounts if at least one computer is running one of the Windows 2000 Server products configured as a domain controller.
  • Windows XP Professional automatically creates two commonly used built-in accounts: Administrator and Guest.
  • Rename the Administrator account to provide greater security. The Administrator account is enabled by default.
  • You can rename the Guest account, and you can use the User Accounts tool to enable or disable it.
  • You cannot delete built-in accounts.