Section 10.1. User Accounts and Computer Management

Component Services: \windows\system32\dcomcnfg.exe

See "Microsoft Management Console," later in this chapter.

Computer Management: \windows\system32\compmgmt.exe

See "Microsoft Management Console," later in this chapter.

Group Policy Object Editor: \windows\system32\gpedit.msc

Edit group policies and settings.

To open

Command Prompt → gpedit.msc (not available in Home versions)


The Group Policy Object Editor (see Figure 10-1) offers tools that go far beyond anything offered in the Control Panel (or anywhere else in Windows, for that matter), affecting settings that most users have never even heard of. It gives a system administrator the ability to create a variety of policies for individual machines and users, quickly rolling them out across a network and relying on Windows Vista for enforcement. However, although it was primarily designed for system managers on networks, it can be very useful for single machines as well, not only for creating policies for every user of the single computer, but also for offering access to settings and controls not otherwise accessible.

Figure 10-1. The Group Policy Object Editor, which gives you complete administrator access to Windows Vista's deepest settings

Unlike the Registry, which presents its arcane settings in a mountain of folders and subfolders, the Group Policy Object Editor's options are shown in a handful of folders in (sometimes) plain English, such as "Hide/Add New Programs Page" and "Turn off Windows Sidebar." (And there are obscure ones as well, such as "User Group Policy loopback processing mode.") Although the presentation is different, most settings here are implemented as changes to values and keys in your Registry.
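Because the editor's settings end up in the Registry, you can inventory which local policies are actually in effect by reading the policy branches directly. The following script is an added example, not from the book; it assumes PowerShell 2.0 and the four standard policy roots named in the code (a root that is absent on a given machine is simply skipped).

```powershell
# Added example, not from the book: list every value that local Group Policy has
# written to the Registry. Assumptions: PowerShell 2.0 and the four standard
# policy roots below; HKLM roots correspond to Computer Configuration and HKCU
# roots to User Configuration.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-AppliedPolicyValues {
    param([string[]]$Roots = $PolicyRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }   # root not present on this machine

        $scope = 'User'
        if ($root -like 'HKLM:*') { $scope = 'Computer' }

        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                # Keep binary and multi-string values readable in a table.
                if ($value -is [byte[]]) {
                    $value = ($value | ForEach-Object { $_.ToString('x2') }) -join ''
                } elseif ($value -is [string[]]) {
                    $value = $value -join '; '
                }
                $shown = $name
                if ($name -eq '') { $shown = '(Default)' }

                New-Object PSObject -Property @{
                    Scope = $scope
                    Key   = $key.Name
                    Name  = $shown
                    Value = $value
                }
            }
        }
    }
}

$policies = @(Get-AppliedPolicyValues)
Write-Host ("{0} policy values found" -f $policies.Count)
$policies | Sort-Object Scope, Key, Name |
    Format-Table Scope, Key, Name, Value -AutoSize
```

Run it once before and once after changing a setting in the editor to see exactly which value the setting maps to.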

Before applying any option that you don't recognize, make sure you understand exactly what it will do to your system. Double-click the entry in the right window to summon its full Properties dialog box, which is often accompanied by an Explain tab with details. For another good source, select Help → Help Topics from the Group Policy Object Editor's menu bar. Failing that, go to Microsoft's Knowledge Base and search for "Group Policy Object Editor" for a list of articles.

Be very careful when using this tool. It makes it possible to restrict or reconfigure almost every security setting on your computer, which means that it's very easy to break something. And there's no Undo feature.

There are two major folders in the Group Policy Object Editor: Computer Configuration and User Configuration. Computer Configuration lets you set policies computer-wide (or network-wide), and User Configuration lets you set them for individual users. To a certain extent, the folders mirror one another, with the same subfolders and individual settings in each. But that's not always the case, because some settings are available only in Computer Configuration and others only in User Configuration.

Changing a setting is straightforward. Double-click it and select Enabled or Disabled, as you can see in Figure 10-2.

Figure 10-2. Changing settings using the Group Policy Object Editor

Here's a handful of the more entertaining and useful settings you can play with in the Group Policy Object Editor:

Pretty-Up Internet Explorer

Several settings in this subfolder let you do things you most likely never thought possible: change the Internet Explorer title bar, change the Internet Explorer logo, and change the background of the Internet Explorer toolbar. Go to User Configuration\Windows Settings\Internet Explorer Maintenance\Browser User Interface and double-click the Browser Title entry to change the Internet Explorer title bar; the Custom Logo and Animated Bitmaps entry to change the Internet Explorer logo and logo animation; and Browser Toolbar Customization to change the background of the Internet Explorer toolbar. Note that for changing the logo and toolbar background, you'll have to create or find suitable graphics.

Choose Places for your Places Bar

Go to User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog and double-click the Items Displayed in Places Bar option. Click Enabled, and then type the full pathnames of up to five folders on your hard disk. Click OK, and these folders will appear in the Favorite Links area on the left side of most File Open and File Save dialog boxes.

There aren't any Browse buttons in this dialog, but you can specify folder paths without typing by opening Windows Explorer, navigating to the folders you want, highlighting the text in the Address Bar, copying it, and pasting the text into the Group Policy Object Editor's dialog box. Alternatively, you can use the Places Bar in Microsoft Office file dialogs to customize your Places Bar. Doing that, of course, will affect only Office applications.

Bring Back the Run Command

Were you a big fan of Windows XP's Run command on the Start menu, and sorry to see it bite the dust in Vista? No problem: you can bring it back. Go to User Configuration\Administrative Templates\Start Menu and Taskbar, and then double-click the "Add the Run Command to the Start menu" entry on the right. Click Enabled and then OK, and the Run command will now show up on the Start menu. You can also press the Windows Key-R combination to launch the Run box, or simply type many commands directly into the Start menu Search box.

Hide the Windows Marketplace

The Windows Marketplace shows up in several spots on the Control Panel; for example, in the Programs category. If you think it's little more than a marketing ploy and would like to see it vanish, go to User Configuration\Administrative Templates\Control Panel\Programs, double-click "Hide Windows Marketplace," click Enabled, and then click OK.

Startup and Shutdown Scripts

Go to Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) and then double-click the Startup or Shutdown entry on the right. Click the Add button, choose a .vbs (VBScript) file on your hard disk, and that script will be run every time you start up or shut down your computer, depending on which you've chosen.

You'll also find corresponding settings in User Configuration\Windows Settings\Scripts (Logon/Logoff). These work similarly, except they're activated every time you log on or off (as opposed to when you turn on your computer or shut it down).

Go to User Configuration\Administrative Templates\System\Scripts and Computer Configuration\Administrative Templates\System\Scripts for settings that affect how these scripts work.

Turn Off CD/DVD Autoplay

Go to Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies and double-click the Turn off Autoplay option on the right. If you enable this option, Windows will no longer play CDs and DVDs automatically when you insert them.

Improve Security Logging

Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy and enable any of the settings here to log the corresponding events. For example, set both the "Audit account logon events" and "Audit logon events" settings to Success, and any failed attempt to log on to your system will be logged. To view these logs, open the Event Viewer (eventvwr.msc). See "Event Viewer," in Chapter 11, for details.

Each setting in this branch has two options, Success and Failure, and this can be somewhat confusing. Choose Success to log instances in which the security policy has been successful, such as when your computer successfully keeps out an intruder. Conversely, select Failure to log instances when security has been compromised.
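Once auditing is switched on, the entries land in the Security log, where Failure audits are the rejected logon attempts (event ID 4625 on Vista) and Success audits the accepted ones (event ID 4624). The following script is an added example, not from the book, that summarizes both; it assumes PowerShell 2.0, an elevated prompt (reading the Security log needs administrator rights), and the documented field order of those two events for the Properties[] indexes.

```powershell
# Added example, not from the book: summarize the Success and Failure audits
# that the Audit Policy settings write to the Security log.
# Assumptions: Windows Vista or later, PowerShell 2.0, elevated prompt.
# Event 4624 = successful logon, 4625 = failed logon; Properties[] indexes
# follow those events' field order (TargetUserName is field 5, IpAddress 19).

function Get-LogonAudit {
    param(
        [int]$Hours = 24,            # how far back to look
        [int]$FailureThreshold = 5   # report accounts with at least this many failures
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Failure audits: every rejected logon attempt in the window.
    # -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when nothing matches.
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    # Success audits: every accepted logon in the same window.
    $succeeded = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                              -ErrorAction SilentlyContinue

    $successCount = 0
    if ($succeeded) { $successCount = @($succeeded).Count }

    $rows = @()
    if ($failed) {
        $rows = @(foreach ($e in $failed) {
            New-Object PSObject -Property @{
                Time        = $e.TimeCreated
                Account     = $e.Properties[5].Value    # TargetUserName
                Domain      = $e.Properties[6].Value    # TargetDomainName
                LogonType   = $e.Properties[10].Value   # 2 interactive, 3 network, 10 remote desktop
                Workstation = $e.Properties[13].Value   # WorkstationName
                SourceIP    = $e.Properties[19].Value   # IpAddress; '-' for a local attempt
            }
        })
    }

    Write-Host ("Security log since {0}: {1} successful logons, {2} failed logons" -f $since, $successCount, $rows.Count)

    # Repeated failures against one account are what a defender wants to see first.
    $rows | Group-Object Account |
        Where-Object { $_.Count -ge $FailureThreshold } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $sources = ($_.Group | Select-Object -ExpandProperty SourceIP -Unique) -join ', '
            Write-Host ("  {0,-24} {1,4} failures  from: {2}" -f $_.Name, $_.Count, $sources)
        }

    return $rows
}

# First confirm auditing is actually switched on: a subcategory showing
# "No Auditing" here means the Security log records nothing for it.
auditpol /get /category:"Logon/Logoff"

$failedLogons = Get-LogonAudit -Hours 24 -FailureThreshold 5
$failedLogons | Sort-Object Time |
    Format-Table Time, Account, Domain, LogonType, Workstation, SourceIP -AutoSize
```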

Disable User Tracking

Go to User Configuration\Administrative Templates\Start Menu and Taskbar, double-click the "Turn off user tracking" entry to the right, and click Enabled. This will stop Windows from recording every program you run, every document you open, and every folder path you view, thus hobbling such features as "personalized" menus and the Recent Documents menu.


  • The Group Policy Object Editor is not actually a standalone tool. Instead, it's a snap-in to the more comprehensive Microsoft Management Console. To run it from there instead of as a standalone tool, first run the Microsoft Management Console (see "Microsoft Management Console," later in this chapter, for details), then choose File → Add/Remove Snap-In, and select Group Policy Object Editor.

Group Policy Refresh Utility: \windows\system32\gpupdate.exe

Refresh group policies and settings.

To open

Command Prompt → gpupdate (not available in the Home editions)


gpupdate [/target] [/force] [/wait] [/logoff] [/boot] [/sync]


Type gpupdate at the command prompt to refresh Group Policy settings. The Group Policy Refresh Utility accepts the following options:

/target:computer or /target:user

Refresh only user or only computer policy settings; by default, both are refreshed.

/force
Reapply all policy settings; by default, only policy settings that have changed since the last refresh are applied.

/wait:value

Wait a specified number of seconds for policy processing to finish before being returned to the command prompt. The default is 600 seconds; specify 0 (zero) to not wait at all or 1 (one) to wait indefinitely.

/logoff
Log off the current user after the Group Policy settings have been refreshed.

/boot
Restart Windows after the Group Policy settings have been refreshed.

/sync
Cause the next foreground policy application (occurring at computer startup and user logon) to be done synchronously. If /sync is specified, /force and /wait parameters will be ignored.

Local Security Policy: \windows\system32\secpol.msc

See "Microsoft Management Console," later in this chapter.

Logoff: \windows\system32\logoff.exe

Log off the current user (or another user).

To open

Command Prompt → logoff


logoff [session | id] [/server:name] [/v]


Among other things, Logoff is the quickest way to log off the current user, rather than clicking the Start Menu, then clicking the right arrow on its right edge, then selecting Log Off. In fact, you can create a shortcut to Logoff on your Desktop and simply double-click it to end the current session.

You also can use Logoff to end the session of a remotely connected user, either through Terminal Services or through the Telnet daemon. For example, if someone has connected to a Windows Vista computer using Telnet, you can disconnect her, either from another Telnet session or from the command prompt, by using Logoff and the following options:

session
The name of the session to end; use either session or id to end a session, but not both.

id
The ID of the session to end; use either session or id to end a session, but not both.

/server:name

Specifies the terminal server containing the session to end; the default is the current server.

/v
Displays additional information about the actions being performed.

Microsoft Management Console: \windows\system32\mmc.exe

A single interface for dozens of administrative tools in Windows Vista.

To open

Start → All Programs → Administrative Tools → Computer Management

Command Prompt → mmc


mmc filename [/a] [/64] [/32]


The Microsoft Management Console (MMC) is a host for most of the administrative tools that come with Windows Vista (see Figure 10-3). Each tool that works with the MMC is called a snap-in; several snap-ins can be shown in the MMC at any given time, and they appear as entries in the Explorer-style tree in the left pane.

Figure 10-3. The Microsoft Management Console, which houses many important troubleshooting and system-maintenance tools

You can save a collection of one or more snap-ins into a Console (.msc) file, which is a small file that simply lists the snap-ins to display in the Console window. Double-click any .msc file to open it in the MMC. Windows Vista ships with more than two dozen predefined Console files, and you can modify them (or even create your own) by adding or removing snap-ins or by creating custom Taskpad Views, pages with lists of shortcuts to programs or other snap-ins.

To add a snap-in to the current Console file (select File → New to start a new Console), go to File → Add/Remove Snap-in and click Add (see Figure 10-4). Then, choose one of the available snap-ins (note that not all snap-ins described here are available in all versions of Windows Vista), and click Add to add it to the list in the previous window. A wizard or other dialog may appear when certain items are added, and is used to configure this instance of the snap-in being added; any preferences set here are saved into the Console file. You can continue to add additional items as needed; when you're done, click Close. Note that it's possible to add the same snap-in more than once, so you may want to position the windows side by side so that you can see what has been installed.

Figure 10-4. Adding tools to the current view by installing snap-ins

Following are the most important snap-ins included with Windows Vista; most of them are documented further in the MMC online help. Note that all Console (.msc) files mentioned are in the \windows\system32 folder unless otherwise noted.

ActiveX Control

Use this snap-in to add an ActiveX control to your Console file. Although Windows Vista ships with a number of ActiveX controls, most of them aren't appropriate for the MMC. More advanced users may want to use this feature to install custom snap-ins they have written themselves or obtained from a third party. Most users are likely to find the System Monitor Control to be the only useful ActiveX snap-in included with Windows Vista.

Certificates
Installed by default in certmgr.msc.

Use this snap-in to browse all the security certificates used by Internet Explorer.

Component Services

Installed by default in comexp.msc.

Use this snap-in to manage installed component object model (COM) components.

Computer Management

Installed by default in compmgmt.msc.

Computer Management doesn't have any functionality by itself; rather, it is a collection of the following 13 snap-ins: Event Viewer, Shared Folders, Local Users and Groups, Performance Logs and Alerts, Device Manager, Removable Storage, Disk Defragmenter, Disk Management, Services, WMI Control, Indexing Service, Message Queuing, and Internet Information Services.

Device Manager

Installed by default in devmgmt.msc and compmgmt.msc. See "Device Manager," in Chapter 9.

Disk Defragmenter

Installed by default in compmgmt.msc. See "Disk Defragmenter," in Chapter 11.

Disk Management

Installed by default in diskmgmt.msc and compmgmt.msc.

The Disk Management snap-in lists all the installed drives, including hard disks, CD and DVD drives, and other removable storage devices (floppies are not included). Right-click on any drive (except the one on which Windows is installed) to change its drive letter. Go to View → Top and View → Bottom to configure the view for the top and bottom panes; you can choose whether drives are viewed as disks (physical devices), volumes (local drives, including partitions), or disks using a graphical view. Disk Management also has the capability to create, resize, and delete partitions (see also "DiskPart," in Chapter 11), but it cannot make any modifications that affect the volume on which Windows is installed.

Among the features of the Disk Management console is the ability to change drive letters of your CD or DVD drive, removable cartridge drive, and even hard-disk partitions. Just right-click a volume in the upper pane (for hard-disk partitions) or one of the large buttons on the left side of the lower pane (for CD drives and the like) and select Change Drive Letter and Paths. Then, click Change to choose a new drive letter. If there's a drive letter conflict, you may have to click Remove first, resolve the conflict, and then return to the Change Drive Letter and Paths dialog and click Add to choose a drive letter.

Event Viewer

Installed by default in eventvwr.msc and compmgmt.msc.

Use this snap-in to view a wide variety of system event logs, including the application log, security log, system log, setup log, applications and services logs, and others. The application log lists every application crash, status reports and warnings generated by services (see "Services," later in this list), and other events logged by some applications. The security log records events such as valid and invalid logon attempts, as well as events related to the use of shared resources. The system log contains events logged by Windows Vista system components, such as driver failures and system startup errors. Individual programs may have their own logs as well.

The setup log records setup events in computers configured as domain controllers, and it includes two additional logs: Directory service and File Replication service. A computer running Windows configured as a Domain Name System (DNS) server records events in an additional log, DNS server.

Event Viewer logs contain five types of events: Errors (driver and service failures), Warnings (indications of possible future problems), Information Entries (the successful operation of an application, driver, or service), and Success Audits and Failure Audits (audited security access attempts that succeed and fail, respectively).

Folder
A folder is used to organize snap-ins in the tree display. To use a folder, first add it using the procedure explained earlier in this section. Then, close the Add Standalone Snap-in dialog, select the new folder from the "Snap-ins added to" list, and click Add again; this time, added items will appear in the new folder. Unfortunately, you can't drag and drop items from one folder to another, so the only way to move an item is to remove it from one folder and then add it to another. You can rename folders only from the main MMC window.

Group Policy Object Editor

Installed by default in gpedit.msc.

This snap-in is a collection of policy settings controlling startup and shutdown scripts, security settings for Internet Explorer, and user account policies. See "Group Policy Object Editor," earlier in this chapter, for more information.

Group Policy

Installed by default in gpmc.msc.

This snap-in is the equivalent of Group Policy Object Editor but for computers with domain user accounts.

IP Security Monitor

Use this snap-in to monitor the IP Security status; see "IP Security Policy Management" next, for more information.

IP Security Policy Management

Manage Internet Protocol Security (IPsec) policies for secure communication with other computers. You can think of IPsec as a kind of Virtual Private Network (VPN) infrastructure, allowing and disallowing certain communications over an Internet connection.

Internet Information Services (IIS) Manager

Installed by default in compmgmt.msc (only if you first enable IIS; see the following note).

IIS is the web/FTP/SMTP server available in Windows Vista, and the IIS Manager snap-in allows you to administer the various functions associated with the server service. For example, you can configure how CGI scripts are run on the server.

By default, IIS is not available in Windows Vista. You'll first have to turn it on by going to Control Panel → Programs → Turn Windows features on or off and selecting Internet Information Services. You'll have to enable individual features one at a time. Click the + button next to Internet Information Services and then select which to turn on and off. Make sure you enable IIS Management Console under Web Management Tools.

Link to Web Address

The Link to Web Address snap-in allows you to insert, not surprisingly, a web site as an entry in the tree. For example, you may want to include a link to a software downloads site, an HTTP-based administration page for a web site, or another troubleshooting web site.

Local Computer Policy

See "Group Policy" (also known as Local Computer Policy), earlier in this list.

Local Security Policy

Installed by default in secpol.msc.

This plug-in lets you set a variety of security policies relating to user accounts, passwords, encryption, IP security, use of the Windows Firewall, and other similar matters.

Local Users and Groups

Installed by default in lusrmgr.msc and compmgmt.msc.

This plug-in provides more advanced settings, using a simpler and more direct interface, than Control Panel User Accounts. Here, you can set preferences relating to the expiration of passwords, the assignment of certain users to groups, logon scripts, the location of a user's home folder, and other advanced options.

NAP Client Configuration

Installed by default in napclcfg.msc.

This plug-in configures and manages rules and settings for Windows Vista's Network Access Protection (NAP) client. NAP, new in Windows Vista, allows IT administrators to create security specifications that all PCs trying to connect to a network must meet before they are allowed to connect. This ensures that a PC infected by a worm, virus, or other malware can't connect to a network and then infect other PCs. For example, you can create rules that won't allow PCs to connect unless antivirus software is installed and the virus definitions are up-to-date.

Print Management

Installed by default in printmanagement.msc.

This snap-in controls installed printers in Windows Vista, including managing drivers, printer sharing, port use, and so on. It also lets you view and manage current jobs in the print queue for any printer.

Reliability and Performance Monitor

Installed by default in perfmon.msc and compmgmt.msc.

Reliability and Performance Monitor (see Chapter 11 for more information) displays information about the performance and reliability of your PC, both currently and over time. It allows you to collect performance data automatically from certain applications and then create logs that can be exported and analyzed. See the online Help for more information on setting up performance data.

Resultant Set of Policy

Installed by default in rsop.msc.

This snap-in allows you to view and change the policy settings for a particular user. See "Group Policy" (also known as Local Computer Policy), earlier in this section, for more information.

Security Configuration and Analysis

You use this snap-in to view and manage security databases for computers using Security Templates (discussed next). It is especially helpful for tracking changes to security.

Security Templates

Installed by default in secpol.msc.

You use Security Templates to create a security policy for computers. They are used mostly by administrators for Windows-based servers. See the online Help for detailed information.

Services
Installed by default in services.msc and compmgmt.msc.

A service is a program that runs invisibly in the background, usually started when Windows starts. You can set up any program to run automatically when Windows starts by placing a shortcut in your Startup folder, but such a program would be run only when you log in. A service is run when Windows starts and is already running when the login prompt is shown. Windows XP comes with nearly 80 preinstalled services, some of which are active by default (called Started in the Services window), and some of which are not.

Double-click any service in the list to view its properties, such as its status (Started or Stopped), whether it's started automatically, under which user accounts it is enabled, what actions to take if the service encounters a problem, and which other components the service depends on (if any). Common services include the plug-and-play manager, the task scheduler, the print spooler, automatic updates, the autoconfiguration services for wired and wireless networks, a web server, and many other programs responsible for keeping Windows Vista running. You can start or stop any service by right-clicking on it and selecting Start or Stop, respectively. Stopping unnecessary services will not only increase system performance, but it will also close potential security "backdoors" that could be used to break into a computer. Naturally, you should use caution when disabling any enabled service, but most home users won't need the World Wide Web Publishing service to be running all the time.

See Appendix E for a list of the default services in Windows Vista, their corresponding filenames, and their descriptions.

Shared Folders

Installed by default in fsmgmt.msc and compmgmt.msc.

As described in Chapter 4, any folder or drive can be shared, allowing access to it from another computer on the network. The Shared Folders snap-in lists all of the shared resources in one place, as well as any open connections to those resources from other computers. Rather than "sharing and forgetting," this tool allows you to keep a more active watch on how shared resources are being used.

One thing to note is the existence of administrative shares, the items listed in the Shares portion of the Shared Folders snap-in whose names end with a dollar sign ($). Administrative shares cannot be disabled, and if you've permitted others to share these folders, they can even be a security risk: someone else who has your username and password can access any file or folder on your computer without ever sitting in front of it. Suffice it to say, if you're on a network or even an Internet connection, you should investigate the security settings on your computer and try to close as many backdoors as you can without disabling functions that you still need. If you're concerned about security, you may want to use Windows Vista's built-in firewall (see Chapter 8) or invest in third-party firewall software such as Norton Personal Firewall, which actively helps prevent unauthorized access to your computer.
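The same "active watch" the snap-in offers can be scripted, which makes it easy to check a computer's shares on a schedule. The following is an added example, not from the book: it lists every share, marks the administrative ones, and shows who is connected to each. It assumes PowerShell 2.0, the standard WMI classes Win32_Share and Win32_ServerConnection, and an elevated prompt for the connection list.

```powershell
# Added example, not from the book: inventory shares, flag administrative
# shares, and show current connections. Assumptions: PowerShell 2.0, the WMI
# classes Win32_Share and Win32_ServerConnection, elevated prompt.

function Get-ShareExposure {
    param([string]$Computer = '.')   # '.' is the local machine; a name queries it remotely

    # Windows sets the high bit of Win32_Share.Type on the shares it creates for
    # its own use (C$, ADMIN$, IPC$ ...). The trailing $ in the name only hides a
    # share from browsing; it does not restrict access by itself.
    $AdminFlag = 0x80000000

    $shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer
    $conns  = Get-WmiObject -Class Win32_ServerConnection -ComputerName $Computer -ErrorAction SilentlyContinue

    foreach ($s in $shares) {
        $isAdmin = (($s.Type -band $AdminFlag) -ne 0) -or $s.Name.EndsWith('$')
        $open    = @($conns | Where-Object { $_.ShareName -eq $s.Name })
        $users   = @($open | ForEach-Object { "{0}@{1}" -f $_.UserName, $_.ComputerName } |
                    Select-Object -Unique)

        New-Object PSObject -Property @{
            Name           = $s.Name
            Path           = $s.Path
            Administrative = $isAdmin
            Connections    = $open.Count
            ConnectedFrom  = ($users -join ', ')
        }
    }
}

$exposure = @(Get-ShareExposure)
$exposure | Sort-Object Administrative, Name |
    Format-Table Name, Path, Administrative, Connections, ConnectedFrom -AutoSize

# Anything printed below is an administrative share with someone attached right
# now: the situation the text warns about, and worth matching against the
# Security log's logon events before treating it as legitimate.
$exposure | Where-Object { $_.Administrative -and $_.Connections -gt 0 } |
    ForEach-Object { Write-Host ("Administrative share {0} in use from: {1}" -f $_.Name, $_.ConnectedFrom) }
```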

Task Scheduler

Installed by default in taskschd.msc.

This plug-in offers the same functionality as the Task Scheduler built into Windows Vista, allowing you to automate the running of tasks. See "Task Scheduler," in Chapter 11, for more details.

Trusted Platform Module (TPM) Management

Installed by default in tpm.msc.

This plug-in works only on computers whose hardware meets the TPM requirements. TPM allows PCs to use Windows Vista's BitLocker Drive Encryption to encrypt entire hard drives for security purposes.

WMI Control

Installed by default in wmimgmt.msc and compmgmt.msc.

Windows Management Instrumentation (WMI) is a set of standards for accessing and sharing management information over an enterprise network. WMI will be of little use to most users; for more information, see the online Help.

One of the most interesting features of the MMC is its capability to access most of these tools remotely. For example, you can use it to run Device Manager on a machine other than the one you're using. Naturally, this would be most useful to an administrator, who can now configure and maintain a whole group of computers from a single machine. However, as home networks become more common, ordinary users are being turned into administrators. For instance, if you were responsible for setting up a network between the two or three computers used by the members of your family, you'd be able to run Disk Defragmenter on all the machines without having to jump around between them.

Connecting to another computer with MMC depends on the particular snap-in you're using. Most snap-ins that support remote administration will prompt you when you first add them, asking whether the snap-in should be used with the current computer or with another on the network. In the case of Computer Management (compmgmt.msc), just right-click on the Computer Management root entry of the tree, select "Connect to another computer," and type the name of the computer in the box that appears. When connected to another computer, the root entry will be named Computer Management (computername).

The MMC also has a few command-line options:

/a
Some Console (.msc) files have been configured so that the snap-in tree normally shown is not only hidden, but also inaccessible. Furthermore, you may not have access to the standard MMC menus, meaning that you will not be able to add or remove snap-ins as desired. The /a option opens the MMC in "author" mode, allowing you to treat any saved Console file as though you created it, giving you power to modify the Console by adding or removing snap-ins.

/s
The /s parameter is included with some shortcuts to .msc files in the Start menu, but it does not appear to have any effect.

/32 or /64

Run the MMC in 32-bit or 64-bit mode, respectively; these options are available only on 64-bit systems.


  • Eventually, you'll probably want to create your own Console file with the snap-ins you use most. Although the MMC can create a new Console file from scratch, it may be easier to modify one of the supplied .msc files and then save it with a new name. To modify a saved Console file, start the MMC with the /a switch, as described earlier.

  • Programmers who want to learn how to create custom snap-ins can find more information at

Run As: \windows\system32\runas.exe

Run a program under a different user's account.

To open

Command Prompt → runas program


runas [/noprofile] [/env] [/netonly] /user:username program
runas [/noprofile] [/env] [/netonly] /smartcard [/user:username] program


Windows Vista is a multiuser environment. When you open an application, Windows runs that program in a "user context," which means that the settings and capabilities imposed upon an application are those associated with your user account. Use Run As to instruct Windows to open an application in another user's context. This is especially useful when running services or other background applications, where you can't always assume which user will be logged on at any time but you want to make sure the settings and permissions are correct.

Run As takes the following parameters:

program
The full path, filename, and optional command-line parameters for the .exe file to run.

/user:username

The username under which to run program; username should be of the form user@domain or domain\user.

/noprofile
Specifies that the user's profile should not be loaded. This causes the application to load more quickly, but it can cause applications that rely on settings stored in the HKEY_CURRENT_USER Registry key to malfunction.

/env
Uses the current environment instead of username's.

/netonly
Specifies that the credentials specified are for remote access only.


Uses credentials previously saved by the user. This option is not available on the Home editions and will be ignored.

/smartcard
Specifies that the credentials are to be supplied from a smart card.


  • Scheduled Tasks, discussed in Chapter 11, also lets you run programs under different user accounts.

User Accounts and Family Safety Control Panel

Add or remove user accounts and change the privileges of existing users.

To open

Control Panel → [User Accounts and Family Safety]


The User Accounts and Family Safety Control Panel (Figure 10-5) gives you quick access to most common tasks related to user accounts, including changing your account picture, changing your password, and adding or removing accounts. It also includes links to Parental Controls (see "Parental Controls," in Chapter 8) and Windows CardSpace, formerly known as InfoCard, which is used to log on to web sites (see "Windows CardSpace," later in this chapter).

Figure 10-5. The User Accounts and Family Safety Control Panel, which gives you quick access to the most common tasks related to user accounts

In the User Accounts portion of the screen, most links take you directly to the User Accounts Control Panel subcategory (covered in the next entry in this chapter), with the exception of "Add or remove user accounts," which takes you directly to the applicable screen.

User Accounts

Add, remove, and customize user accounts and change the privileges of existing users.

To open

Control Panel → [User Accounts and Family Safety] → User Accounts

Command Prompt → control userpasswords


Windows Vista fully supports multiple users, each with his own Start menu, Desktop, color and display theme preferences, application settings, folder for documents, music, downloads, pictures, saved games, and a variety of other odds and ends. Each user has a password and a home directory (located in \Users\username), under which his personal files and folders are stored by default. The user, of course, can create folders outside of that home directory if he wants.

Windows Vista lets you create separate accounts not only as a way to let multiple people share the same PC, but also for security reasons. It has several different kinds of user accounts, each with its own level of privileges for performing tasks such as installing and uninstalling software, changing system settings, and so on, and Windows Vista uses these differences in privileges for security purposes with its User Account Control (UAC) feature. More on that a little later, though.

There are two basic kinds of user accounts in Windows Vista:

Administrator

An administrator has control over the entire system and can run programs, install or remove hardware and software, change system settings, and create, remove, and modify other user accounts. There doesn't have to be just one administrator; there can be multiple administrators on a single PC.

Standard user

A standard user is more limited in what he can do on the computer than an administrator and may not be able to change various system settings, install and uninstall hardware and software, access certain files and folders, and so on. There can be multiple standard users on a single PC.

In addition, there is a built-in Guest account; users with this account have even fewer privileges than standard users and cannot make any changes to the system, install or uninstall software, or read or modify password-protected files and folders. There is only one Guest account, and it is supposed to be used to give someone access to your PC on a temporary basis. By default, the Guest account is turned off, although as you'll see, it can easily be turned on.

How does the use of different types of user accounts help security? Microsoft suggests that people not use an administrator account unless they need to make system changes. In that way, access to the system is limited: an administrator has access to many features and areas of the PC that a standard user doesn't have, so while a standard account is being used, dangerous changes can't be made. Even if you are a standard user, the UAC feature can let you run commands as an administrator, but you'll need to know an administrator's password to do this.

There's a lot more to UAC than this, though. For details, see "User Account Control," in Chapter 8.

In addition to normal administrator accounts, there is a kind of super Administrator account that, by default, is hidden and turned off and has even more privileges than the administrator accounts you create. A PC can have only one of these super Administrator accounts. This super Administrator has UAC turned off and pretty much has the run of the entire PC. By contrast, administrator accounts that you create are subject to UAC. With some dedicated tweaking, you can turn on the hidden super Administrator account, but you need to be careful when doing so, because if you make a mistake, you can end up locking yourself out of your system. For details on how to turn it on, see Scot Finnie's excellent article in Computerworld, "How to access the true Administrator account in Windows Vista," located at
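As an added example (not code from the book), the following PowerShell script reports the account categories just described for a local PC: which accounts belong to the Administrators group, whether the Guest account and the hidden built-in Administrator are enabled, and whether UAC is on. It assumes PowerShell 2.0 or later, the WinNT ADSI provider, and the registry values EnableLUA and FilterAdministratorToken under the Policies\System key; the function names are the example's own.

```powershell
# Added example, not from the book: audit local accounts along the lines the
# text describes (administrators vs. standard users, the Guest account, the
# hidden built-in Administrator, and whether UAC is on). Assumes PowerShell 2.0
# or later and the WinNT ADSI provider; run from an elevated prompt so that the
# Administrators group can be enumerated.

function Get-LocalAdministratorNames {
    # Names of the members of the local Administrators group.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Get-LocalAccountAudit {
    $ADS_UF_ACCOUNTDISABLE = 0x0002   # UserFlags bit: account is disabled
    $ADS_UF_PASSWD_NOTREQD = 0x0020   # UserFlags bit: a blank password is permitted
    $admins   = Get-LocalAdministratorNames
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
        $name  = [string]$_.Name
        $flags = [int]$_.UserFlags.Value
        # Well-known RIDs (-500, -501) identify the built-in accounts even if they were renamed.
        $account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $name)
        $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $type = if ($sid.EndsWith('-500')) { 'Built-in Administrator' }
                elseif ($sid.EndsWith('-501')) { 'Guest' }
                elseif ($admins -contains $name) { 'Administrator' }
                else { 'Standard user' }
        New-Object PSObject -Property @{
            Name                = $name
            Sid                 = $sid
            Type                = $type
            Enabled             = -not ($flags -band $ADS_UF_ACCOUNTDISABLE)
            PasswordNotRequired = [bool]($flags -band $ADS_UF_PASSWD_NOTREQD)
        }
    }
}

function Get-UacStatus {
    # EnableLUA = 1 means UAC is on. FilterAdministratorToken = 1 puts the built-in
    # Administrator under UAC as well; by default it is exempt, as the text notes.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        UacEnabled           = ($p.EnableLUA -eq 1)
        BuiltInAdminUnderUac = ($p.FilterAdministratorToken -eq 1)
    }
}

function Get-AccountRiskFindings {
    # Reduce the audit to the short list of conditions the text advises against.
    $uac = Get-UacStatus
    if (-not $uac.UacEnabled) { 'UAC is turned off' }
    foreach ($a in Get-LocalAccountAudit) {
        if ($a.Type -eq 'Guest' -and $a.Enabled) { 'Guest account is enabled' }
        if ($a.Type -eq 'Built-in Administrator' -and $a.Enabled) {
            $note = if ($uac.BuiltInAdminUnderUac) { '' } else { ' and exempt from UAC' }
            "Built-in Administrator ($($a.Name)) is enabled$note"
        }
        if ($a.Enabled -and $a.PasswordNotRequired -and $a.Type -ne 'Standard user') {
            "$($a.Type) account $($a.Name) does not require a password"
        }
    }
}

Get-LocalAccountAudit | Format-Table Name, Type, Enabled, PasswordNotRequired, Sid -AutoSize
Get-UacStatus | Format-List
Get-AccountRiskFindings
```

The account type is decided from the SID's well-known RID first and from Administrators membership second, so a renamed Guest or built-in Administrator is still reported correctly; the "password not required" flag only means a blank password is permitted, not that the account currently has one.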

The User Accounts Control Panel subcategory (Figure 10-6) lets you create, edit, and manage accounts on your PC. The main pane, which takes up most of the screen, lets you make changes to your account, manage another account, and turn UAC off (or on). Listed on the lefthand side are other tasks you can accomplish.

Figure 10-6. Editing your account in the User Accounts window

Here are all of your options for the main pane:

Change your password

This brings you to a screen that asks for your old password, asks you to type in a new password, and then lets you type in a hint for the password in case you forget it. If a user account has no password defined, you'll see "Create a password" here instead of the standard "Change your password." Administrators can change any account, but standard users can make changes only to their own accounts.

Remove password

Click here, and your password won't be immediately removed. Instead, you'll be prompted again, just to make sure you really want to remove it. As a general rule for security purposes, it's not a good idea to remove a password from an account.

Change your picture

A picture is associated with every user account. It's the picture you see on top of the Start menu, and it appears in other places as well. You'll be able to choose from 13 different built-in pictures (Figure 10-7) for your account, including the inevitable kitten, puppy, and flower, when you choose this option. But you're not limited to just those pictures. Click Browse for more pictures at the bottom of the screen that appears, and use any picture on your hard disk in a variety of graphics formats, including .bmp, .gif, .jpg, .png, .dib, and .rle.

Figure 10-7. Choosing a new picture for your user account

Change your account name

As the name says, this changes your account name.

Change your account type

This changes the account from an administrator to a standard user, and vice versa. If you have only one administrator account on the PC, you won't be able to change it to a standard user, because Windows Vista requires that there be at least one active administrator account on the computer. If you're a standard user, you won't be able to change your account to an administrator; to do so requires an administrator or the use of an administrator's password.

Manage another account

This lets administrators manage other accounts on the PC, including changing the account name, password, picture, and type; setting up Parental Controls; and deleting the account. It also lets you create new accounts. You'll be shown a screen of all users on the PC (see Figure 10-8); click an account to be brought to a screen to let you manage it.

Figure 10-8. Managing another account

Turn User Account Control on or off

This lets you turn UAC off or turn it back on. Although UAC can be annoying, it's not a good idea to turn it off because it offers your PC an extra layer of security.

Here are all of your options for the Tasks pane:

Create a password reset disk

What if you've created an account with a password, and then forgotten your password? How to get back into that account? Create a password reset disk. The disk will let you create a new password for the account so you can log back in. A wizard helps you create the disk, which can be a floppy disk (remember those?), CD, DVD, Universal Serial Bus (USB) flash drive, or other type of removable media.

Manage your network passwords

Many web sites and services require that you log on with a username and password. This option lets you create logon credentials for each account so you can log on automatically.

Manage your file encryption certificates

This lets you create and back up file encryption certificates and keys, and update previously encrypted files to use a different certificate and key. It also lets you set up the Encrypting File System to use a smart card for authentication. For details about the Encrypting File System and encryption in general, see Chapter 8.

Configure advanced user profile properties

A user profile stores settings related to user accounts, such as desktop setup and items. If you're connected to a domain via Active Directory, you have a roaming profile that will let you use that same user account, with all its settings, on other computers on the network. "Configure advanced user profile properties" lets you control whether your account should use your local profile or a roaming profile.

Change my environment variables

Environment variables control a variety of settings in Windows, such as the Windows drive and directory, where temporary files should be stored, the path along which the operating system should look for executable files, and so on. This option lets you edit and create environment variables.
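The dialog behind "Change my environment variables" keeps two lists, user variables and system variables. As an added example (not code from the book), this PowerShell script shows the same two scopes from the command line, reports where each PATH entry comes from and whether it points at an existing absolute directory, and sets a variable in the user scope. It assumes PowerShell 2.0 or later; the function names and the EXAMPLE_VAR name are the example's own.

```powershell
# Added example, not from the book: environment variables by scope (the dialog's
# "User variables" and "System variables" lists) plus a check of the PATH
# entries. Assumes PowerShell 2.0 or later; changing Machine-scope variables
# needs an elevated prompt, User-scope ones do not.

function Get-ScopedEnvironmentVariable {
    param([Parameter(Mandatory = $true)][string]$Name)
    # User scope is stored under HKCU, Machine (system) scope under HKLM; Process
    # is what this session actually sees after Windows merged the two at logon.
    New-Object PSObject -Property @{
        Name    = $Name
        User    = [Environment]::GetEnvironmentVariable($Name, 'User')
        Machine = [Environment]::GetEnvironmentVariable($Name, 'Machine')
        Process = [Environment]::GetEnvironmentVariable($Name, 'Process')
    }
}

function Get-PathEntryReport {
    # Windows builds the process PATH from the Machine value followed by the User
    # value. Report each entry with its scope and whether it is an existing,
    # absolute directory.
    $report = @()
    foreach ($scope in 'Machine', 'User') {
        $raw = [Environment]::GetEnvironmentVariable('Path', $scope)
        foreach ($entry in ($raw -split ';' | Where-Object { $_.Trim() -ne '' })) {
            # REG_EXPAND_SZ values such as %SystemRoot%\system32 come back unexpanded.
            $expanded = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            $report += New-Object PSObject -Property @{
                Scope      = $scope
                Entry      = $entry.Trim()
                Expanded   = $expanded
                Exists     = [IO.Directory]::Exists($expanded)
                # A relative entry resolves against whatever the current directory is,
                # so it is worth reviewing.
                IsRelative = -not [IO.Path]::IsPathRooted($expanded)
            }
        }
    }
    $report
}

function Set-UserEnvironmentVariable {
    # Persist a variable in the current user's scope (the dialog's upper list).
    # Newly started programs see it; programs already running do not.
    param([Parameter(Mandatory = $true)][string]$Name,
          [Parameter(Mandatory = $true)][string]$Value)
    [Environment]::SetEnvironmentVariable($Name, $Value, 'User')
}

Get-ScopedEnvironmentVariable -Name 'TEMP' | Format-List Name, User, Machine, Process
Get-PathEntryReport | Format-Table Scope, Exists, IsRelative, Expanded -AutoSize
# Usage with a constructed variable name:
#   Set-UserEnvironmentVariable -Name 'EXAMPLE_VAR' -Value 'C:\Example'
```

TEMP is a good variable to look at because it typically has a different value in each scope (the system's under Machine, the per-user one under User), which makes the merge order visible.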


  • There are several ways to create a new account. The fastest is to click "Add or remove user accounts" just underneath User Accounts and Family Safety in the Control Panel. Usernames can be anything, as long as they're not the same as pre-existing usernames.

  • You can find more user account options in the Local Users and Groups console (lusrmgr.msc; see "Microsoft Management Console," earlier in this chapter).

  • To quickly switch among different user accounts, click the right arrow at the bottom right of the Start menu and select Switch User.

See also

"Control Panel," in Chapter 3, and "User Account Control" and "Encrypting File System (EFS)," in Chapter 8

Part II: Nutshell Reference