Special Edition Using Microsoft Windows XP Professional (3rd Edition)

The basic User Accounts control panel is adequate for most situations, but if you want to alter the Administrator account, or if you want to assign accounts to custom security groups, you must use the Local Users and Groups management tool.

To run Local Users and Groups on a domain member computer, open the User Accounts control panel. Select the Advanced tab and click the Advanced button. On a workgroup or standalone computer, click Start and right-click My Computer. Select Manage, and open the Local Users and Groups entry.

The utility appears in Figure 28.8.

Figure 28.8. The Local Users and Groups management tool lets you manage group membership and change settings for all user accounts.

TIP

If you can't get to the Local Users and Groups tool any other way, try this trick: click Start, Run, and enter mmc. Click File, Add/Remove Snap-In. Click Add. Select Local Users and Groups. Click Add, Finish, Close, and OK.

If you view Local Users and Groups on your own computer you will see your user accounts plus a few others, as listed in Table 28.1.

Table 28.1. Predefined User Accounts

| Account Name | Description |
|---|---|
| Administrator | The "real" administrator account; can read or change any file on the computer and can alter any user account. |
| Guest | Used by people without local accounts, also used for network file access by unknown remote users. |
| HelpAssistant | Used by remote users when you invite them to take control of your computer for Remote Assistance. |
| IUSR_xxxx | Used to access files if Internet Information Services is installed. Anonymous Web surfers can only see files that IUSR_xxxx is permitted to access. |
| IWAM_xxxx | Used by Internet Information Services as the user context for CGI programs it runs. |
| SUPPORT_xxxx | Used by Microsoft to provide online support using the Remote Assistance feature (and probably for a hefty fee). |

You should not modify the settings or passwords for HelpAssistant, IUSR_xxxx, IWAM_xxxx, or SUPPORT_xxxx. Windows manages access to these accounts.

Creating Accounts

To create a new local user account, follow these steps:

1. Navigate to the Users folder in the left pane, click the Action button, and select New User. The New User dialog box then appears, as shown in Figure 28.9.

    Figure 28.9. You can use the New User dialog box in Computer Management to create new user accounts.

2. Enter the desired logon name and other information requested in the form. You may uncheck User Must Change Password if the new user doesn't mind that you know his or her password. You can check Password Never Expires if you don't want to enforce the good practice of frequent password changes.

3. Click Create to finish. The dialog will stay up and you can continue adding more new accounts, or click Close to remove the dialog.

Changing Passwords

You can change account passwords with this tool. Right-click an account name in the Users list and select Set Password. If you're changing another user's password, you'll be warned that doing this will erase any stored passwords they have, including the key needed to read encrypted files and email. Be sure the other user doesn't have a password reset diskette and can't change his or her own password before using this technique to change it.

(By the way, this is the only way another Computer Administrator can change the Administrator account's password, as Administrator doesn't appear in the User Accounts control panel applet.)

User Account Properties

To edit the properties of a user account, do the following:

1. Select the Users folder in the left pane.

2. Double-click the user account that you want to edit in the right pane to bring up the properties of the selected user.

In the Properties dialog box, you have the option of adding users to groups, editing logon scripts and profiles, and specifying password options.

There are three tabs on the User Properties dialog box:

  • General, shown in Figure 28.10, lets you configure the account's password properties. You can make it impossible for the user to change the password, or require frequent password changes. You can also disable the account, and remove the Account Is Locked Out check mark that appears for a period of time after a user has failed to supply the correct password three times.

    Figure 28.10. The properties interface of a Windows XP Professional user account contains three main tabs that you can configure.

  • Member Of lets you add and remove the user from User Groups, which I'll discuss in the next section.

  • Profile lets you assign a User Profile folder, home folder, and logon script. These are described later in the chapter as well.

Assigning Group Memberships

On the Member Of tab of the Properties dialog, you can add the user to any security groups necessary. By default, all user accounts are made members of the Users or Administrators group. I'll discuss groups and group privileges in more detail later in this chapter.

To add a user to a group, follow these steps:

1. Select the Member Of tab and click Add.

2. Select the local computer or the user's domain in the Look In drop-down box.

3. Select a group, click Add, then OK.

CAUTION

Do not add any user accounts to the Administrators group unless the account will be used only to perform administrative tasks. Adding a user account to this group and using it for day-to-day activities would expose you to the same risks as using the Administrator account.
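The caution above, and the earlier remark about Password Never Expires, can both be checked from a command prompt. The batch file below is an added example, not from the book; the ALLOWED_ADMINS list is an assumption to edit for your own computer, and the parsing assumes English-language output from the net command.

```batch
@echo off
rem Added example: review local accounts against two points made on this page.
rem Run it from a Computer Administrator account.
setlocal

rem Assumption: names you expect to find in Administrators, separated by
rem spaces. Names that contain spaces cannot be listed here and will be flagged.
set ALLOWED_ADMINS=Administrator
set FOUND=0

rem "net localgroup" prints six header lines (counting blank lines and the
rem dashed rule) before the member names, so skip them.
for /f "skip=6 delims=" %%M in ('net localgroup Administrators') do call :check "%%M"

if %FOUND%==0 echo OK: no unexpected members in Administrators.

echo.
echo Local accounts with Password Never Expires set:
rem Win32_UserAccount.PasswordExpires is FALSE when that box is checked.
wmic useraccount where "LocalAccount=TRUE and PasswordExpires=FALSE" get Name,Disabled

endlocal
goto :eof

:check
rem The closing status line is not a member name.
if "%~1"=="The command completed successfully." goto :eof
rem Leave quietly if the member is on the approved list (case-insensitive).
for %%A in (%ALLOWED_ADMINS%) do if /i "%%A"=="%~1" goto :eof
echo REVIEW: "%~1" is in Administrators but is not on the approved list.
set FOUND=1
goto :eof
```

The predefined accounts in Table 28.1 may appear in the second list; the page says Windows manages those accounts, so review the remaining names.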

Assigning User Profiles

On the Profile tab of the Properties dialog (see Figure 28.11), you can specify the location in which to store the account's user profile. A user profile is a folder in which a user's My Documents folder, Registry data (hive), temporary Internet files, and other personal folders and settings are kept. I'll discuss user profiles in more detail later in this chapter.

Figure 28.11. Profile properties let you specify an alternate path for the user profile, as well as a logon script and a home (default) folder or drive.

User profiles are normally kept in C:\Documents and Settings, in subfolders with the same name as the user's account. On a domain-member computer, users can have roaming user profiles that are normally kept on a central server, and copied to and from local computers when the user logs in and out.

The following is the procedure to change an account's default profile path, although this is rarely necessary:

1. View the account's properties in the User Accounts control panel. Select the Profile tab.

2. Enter an alternative path in the Profile Path text box. You may enter "%USERNAME%" in place of the account name if you are changing multiple accounts at once.

Setting Logon Scripts

You can specify a logon script that runs automatically each time the user logs on. The logon script file is a batch file containing commands to set up the user's environment. One of the primary uses of logon scripts is to map network drives and printers. You can use other startup commands as necessary, though.

If you want to create logon scripts for your local users, you must save them in the local %SYSTEMROOT%\System32\Repl\Import\Scripts directory, where %SYSTEMROOT% is normally \windows or \winnt. Be sure that all users have at least Read and Execute permissions to this directory, or their logon scripts will not run. The script files should be either batch files with a .BAT or .CMD extension, or a Windows Script Host script with a .VBS or other supported extension.

If you want to learn more details about setting file permissions, see p. 1090.

TIP

I have found that the directory %SYSTEMROOT%\System32\Repl\Import\Scripts does not exist by default on Windows XP Professional computers. You might have to create the subdirectory Repl\Import\Scripts manually. After you do so, you can create and specify logon scripts to run.

Then follow these steps:

1. Move your cursor to the Logon Script field (see Figure 28.11).

2. Type just the name of the logon script file that you want to execute. Do not type the path; it is assumed to be %SYSTEMROOT%\System32\Repl\Import\Scripts.

3. Click OK or Apply.

If a logon script is specified but does not run, see "Logon Scripts Won't Run" in the "Troubleshooting" section at the end of the chapter.

TIP

For more information about logon scripts, scripting, and batch files, check out my book Windows XP Under the Hood: Hardcore Scripting and Command Line Power, published by Que.
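A logon script of the kind described in this section might look like the following. It is an added example, not taken from the book: the file name logon.cmd, the share names \\AMBON\PUBLIC and \\AMBON\LASER, and the choice of S: and LPT2: are all hypothetical.

```batch
@echo off
rem logon.cmd: added example, not from the book.
rem Save it in %SYSTEMROOT%\System32\Repl\Import\Scripts and type only
rem "logon.cmd" in the Logon Script field on the Profile tab.
rem Assumptions: \\AMBON\PUBLIC and \\AMBON\LASER are hypothetical shares,
rem and S: and LPT2: are not used for anything else on this computer.

rem Every user needs Read and Execute access to the scripts directory, so
rem every user can read this file. It therefore holds no passwords: the
rem mappings below connect with the credentials of the user logging on.

set LOG=%TEMP%\logon.log

rem Remove any leftover mapping so a repeat run does not fail because the
rem device name is already in use. Errors are ignored if nothing is mapped.
net use S: /delete /yes >nul 2>&1
net use LPT2: /delete /yes >nul 2>&1

rem /persistent:no keeps the mapping from being remembered between logons;
rem the script recreates it each time instead.
net use S: \\AMBON\PUBLIC /persistent:no >nul 2>&1
if errorlevel 1 echo %DATE% %TIME% %USERNAME%: S: was not mapped >> "%LOG%"

net use LPT2: \\AMBON\LASER /persistent:no >nul 2>&1
if errorlevel 1 echo %DATE% %TIME% %USERNAME%: LPT2: was not mapped >> "%LOG%"
```

Ordinary users need only Read and Execute access to this file; anyone who can write to it controls commands that run in other users' logon sessions.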

Setting Up Home Directories

On the Profile tab of the user accounts Properties dialog, you also can specify the user's home directory. A home directory is a default directory that applications can use as a starting point for Save As dialog boxes.

In a LAN environment, it's very useful to locate the home directory on a network server, rather than on the local computer. This way, the same folder is always available every time the user logs in, and it can be placed on a computer that is frequently backed up. Roaming User Profiles accomplish this by copying the My Documents folder to and from the server, but the Home Directory mechanism is available on workgroup networks, not just domain networks.

Home directories are very useful in a LAN environment because they allow you to access your files from any computer that you log in to during the course of your day. The Home Directory entry on the Profile tab gives you the option either to

  • Specify a directory path on the local computer.

  • Connect a given drive letter to a specified network share name, in UNC format. You can use the string "%USERNAME%" in this field to stand for the user's logon name.

As an example, on a workgroup network you might create a shared folder named \\AMBON\HOME, with a subfolder for each user on your network. You can then set each user's profile to use drive H and path \\AMBON\HOME\%USERNAME% as the home directory. When any user logs in, drive H is automatically set up to use the correct shared folder. You'll have to do this for each user on each of your computers. On a workgroup network, however, all users have access to the other users' home directories, if you use Windows' default Simple File Sharing scheme.
