Configure and Managing Local User and Group

Accounts

System and Network

Administration
(IT – 413)
Objectives

• Understand user accounts on Windows XP

• Understand the default user accounts
• Create and manage local user accounts
• Work with the Local Users and Groups tool
• Use groups
• Understand user rights
Local User Accounts
• User account: Represents all information
defining user’s access to local computer or network
▫ Stored on local computer or in Active Directory
• Local user accounts: Stored in Security
Accounts Manager (SAM) database
▫ Managed using Local Users and Groups snap-in
• Domain user account: Exists in a domain by
virtue of being created on a domain controller
▫ Used to gain access to domain resources
• Provide users with personalized desktop
environments via profiles and policies
Default Local User and Group Accounts
• When Windows XP Professional installed, two
default user accounts created
▫ Administrator and Guest
▫ Also several local group accounts
• Local User Accounts:
▫ Administrator account: Unlimited access and
unrestricted privileges to every aspect of Windows
 Must be protected from misuse
Default Local User and Group Accounts

▫ Administrator account (continued):

 Cannot be deleted
 Cannot be locked out
 Can be disabled
 Can have blank password
 Can be renamed
 Cannot be removed from Administrators local group
▫ Guest account: Limited access to resources and
computer activities
Default Local User and Group Accounts

▫ Guest account (continued):

 Member of Everyone group
 Cannot be deleted
 Can be locked out
 Can be disabled (disabled by default)
 Can have a blank password (blank by default)
 Can be renamed (recommended)
 Can be removed from Guests local group
Default Local User and Group Accounts
• Local Group Accounts: Used to grant rights to local OS
▫ Everyone
▫ Administrators
▫ Backup Operators
▫ Guests
▫ Network Configuration Operators
▫ Power Users
▫ Remote Desktop Users
▫ Replicator
▫ Users
▫ HelpServicesGroup
Creating and Managing Local User Accounts

• Local user accounts can be created and

managed:
▫ With User Accounts applet
▫ Through Local Users and Groups MMC snap-in
• User Accounts Applet: Function differs
depending on whether system part of workgroup
or domain
 9

Creating and Managing Local User Accounts

(continued)

Figure The User Accounts applet

Creating and Managing Local User Accounts
(continued)

• Local Users and Groups Snap-in: Used to

create and manage local users and groups
▫ Console tree has two nodes:
 Users node: Contains all local user accounts
 Groups node: Contains all local group accounts
▫ Use Profile tab to define user profile path, logon
script, and home folder
Creating and Managing Local User Accounts
(continued)

Figure Displaying local user accounts

Creating and Managing Local User Accounts
(continued)

Figure : A user account’s Properties dialog box

Activity
• Activity : Creating a Local Account
▫ Objective: Create a new local user account with
Local Users and Groups
• Activity : Creating a Local Group
▫ Objective: Create a local group by using Local
Users and Groups
• Activity : Changing Built-in Group
Membership for a Local Account
▫ Objective: Change the group membership of a
local account using Local Users and Groups
Creating and Managing Local User Accounts
(continued)

Figure : The Profile tab

Managing Local User Profiles
• User profile: Collection of desktop and
environmental configurations for specific user or
group of users
▫ By default, each Windows computer maintains profile
for each user who has logged on
 Except for Guest accounts
▫ User Profile Info:
 Application Data
 Cookies
 Desktop
 Favorites
 Local Settings
 My Documents
 My Recent Documents
Managing Local User Profiles
• Local Profile: Set of specifications and
preferences for individual user
▫ Stored on local machine
▫ Two ways to create:
 User logs on, arranges information as needed, logs
off
 Assign mandatory profile from existing profile folder
• Roaming Profile: Used in domains to allow
users to have a common desktop on any
Windows XP member of domain
Managing Local Security Policies
• Security policies allow administrators to change
system security configuration settings in local
Windows Registry
▫ Registry provides hierarchical database of info about
system’s software, hardware, and user configuration
• Local Security Policy tool: Used to edit local
policy settings on systems that are not domain
controllers
▫ Applied to Registry during computer startup or
when user logs on
Account Policies
• Improve local user account security
• Password Policy: Defines password restrictions
▫ Enforce strong passwords
▫ Default settings in Password Policy node:
 Enforce password history: 0 passwords
 Maximum password age: 42 days
 Minimum password age: 0 days
 Minimum password length: 0 characters
 Password must meet complexity requirements:
Disabled
 Store password using reversible encryption for all
users in the domain: Disabled
Account Policies (continued)
• Account Lockout Policy: Defines conditions
that result when user account locked out
▫ Default settings for Account Lockout Policy items:
 Account lockout threshold: 0 Invalid logon attempts
 Account lockout duration: (defaults to 30 minutes
after Account lockout threshold defined)
 Reset account lockout counter after: (defaults to 30
minutes after Account lockout threshold defined)
• Activity : Setting Account Policies
▫ Objective: Set account policies by using the Local
Security Policy tool
Local Policies
• Audit Policy: Defines events recorded in
Security log of EventViewer
▫ Default settings for Audit Policy items:
 Audit account logon events: No auditing
 Audit account management: No auditing
 Audit directory service access: No auditing
 Audit object access: No auditing
 Audit policy change: No auditing