Windows Vista: The Complete Reference (Complete Reference Series)
What Is a User Account?
When two or more users share a computer, they don't have to argue about what color the background should be, what programs should be on the Start menu, or whether to use single-click or double-click style. Instead, each user can have a user account (called a user profile in versions of Windows prior to Windows XP). User accounts can be stored in one of two places:
- Local user accounts: Information about a local user account is stored in the C:\Users folder, which contains files that describe each user's preferences. Each time a user logs on, Windows finds the appropriate user account and makes the appropriate changes. If you change any of your preferences (for example, choose a new wallpaper), that information is stored in your user account, so that the change will still be there the next time you log on, but not the next time someone else logs on. Whenever your computer acquires a new user, you should establish a new user account (see "Setting Up a Computer for Multiple Users" later in the chapter). User accounts enable several people to share one computer, or to share folders and other resources on a LAN.
- Domain accounts: Information about domain accounts is stored by the Active Directory (AD) program running on Windows NT, 2000, .NET Server, or Windows 2003 Server. When you log in using a domain, your computer gets information from Active Directory about what your settings are and what you have permission to do. Domain accounts are used on larger networks where maintaining accounts stored in each individual computer would be impractical. Domain accounts can use roaming user profiles, which allow people to use their own user account from any computer on a LAN, or mandatory user profiles, in which only administrators can make changes.
Windows Vista enables you to password-protect the files in your Documents folder, so that other people using the same computer later won't be able to read them (see "Keeping Your Files Private"). Each user's Documents folder can be protected from view from the other users.
Another feature protects your computer if you don't assign passwords to your user accounts. If your user account doesn't have a password, you can log on to your account only at your own computer; you can't use Run As (described in "Running a Program as Another User" later in this chapter) or Remote Desktop Connection to use the computer with your user account (see "Accessing Other Computers with Remote Desktop Connection" in Chapter 16).
If your computer is on a small LAN, you can set up local user accounts on all the computers on the LAN so that people can use any computer and see their own files and desktop. See Chapter 31 for details.
Tip | If you are wondering which user account you are logged on as, click the Start button. The user account name appears at the top right of the menu. |
User Account Control when Starting Programs
User Account Control (UAC) is a new technology provided in Windows Vista. It enables users and organizations to better secure desktop environments against potential security breaches and malicious threats. UAC also provides a better way to manage desktops in an enterprise environment. UAC enables you to allow a nonadministrator to log in as an administrator with limited rights and access. When a user logs into Vista using an administrator account, the account is "split" into two accounts: administrator and standard user. As the user is performing nonadministrator tasks, such as running applications, using items on the desktop, and so forth, a user token is created. When an administrator task is performed, such as installing a program, Vista creates a second token, an administrator token, so the user can perform those tasks. The user is required to click a Continue button to allow the action to happen. This reduces the number of security problems that previous versions of Windows had when a user could log in as an administrator and perform any task without restrictions.
When a standard user logs into Vista, only one type of token is created: a standard user token. This restricts the user from performing system-wide changes to the computer. A standard user trying to perform an administrator-level task is required to sign on with a username and password for a valid administrator account.
Vista segregates tasks into administrator and standard user tasks. For example, the following are tasks that are administrator level:
- Installing programs
- Changing system times
- Changing firewall settings
- Configuring security policies
- Accessing some Control Panel applets
On the other hand, the following tasks are standard user-level tasks:
- Changing desktop wallpaper
- Adding a printer
- Changing time zones
Vista displays the Windows Shield icon on user interface items, such as a button on a dialog box, to indicate UAC items.
Vista automatically turns on User Account Control when you install Vista. You can, however, turn it off if you determine you do not need the level of security it provides. For example, a home user that is using Vista in a nonnetworked or nonshared environment would probably not require UAC turned on. However, to turn off UAC, you do need administrator privileges, so a user in a corporate environment would probably not have the rights to shut off UAC.
To quickly turn off UAC for an account, do the following:
1. Choose Start | Control Panel.
2. Click User Accounts And Family Safety.
3. Click User Accounts.
4. Click Change Security Settings. The User Account Control message window appears, as shown in Figure 6-1.
   Figure 6-1: The User Account Control window
5. Click Continue.
6. Click to deselect the Use User Account Control (UAC) To Help Protect Your Computer option.
7. Click OK.
8. Click Restart to shut down and restart Windows. When Windows restarts, the UAC feature is turned off.
To enable UAC, use the preceding steps, except click to select the option in Step 6. You will need to shut down and restart the system to activate the UAC feature.
UAC is an advanced technology that can be configured in a number of different ways. The way just described is one way, albeit simple and per user: the changes you make are only for the currently logged-in user. For computer-wide changes to UAC, you must use the Security Policy tool, available from the Administrative Tools section of the Control Panel. However, using the Security Policy tool is something most end users will not have to bother with.
Note | The Security Policy tool is a powerful tool. Do not use it if you are not comfortable making system-wide changes to Windows Vista. Incorrect settings you make can render Vista or your computer unusable without reinstalling Windows Vista. |
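To check how a machine is actually configured, the following added example (not from the book) reads the computer-wide UAC policy values and reports whether the current process holds the standard user token or the administrator token described earlier. It assumes PowerShell 2.0 or later is installed; the registry value names are the ones Windows uses for these policies and do not appear in the book, and the function names are made up for the example.

```powershell
# Added example, not from the book. Assumes PowerShell 2.0 or later and whoami.exe.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Computer-wide UAC policy values; a value that is absent comes back as $null.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = elevate without prompting
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
    }
}

function Get-TokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $groups    = whoami /groups /fo csv /nh
    New-Object PSObject -Property @{
        User             = $id.Name
        # Administrators SID is listed in the token at all, including as a deny-only group.
        InAdministrators = [bool]($groups | Select-String '"S-1-5-32-544"' -SimpleMatch)
        # True only when the Administrators group is enabled, i.e. the administrator token.
        Elevated         = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # S-1-16-12288 is the High Mandatory Level label carried by elevated processes.
        HighIntegrity    = [bool]($groups | Select-String '"S-1-16-12288"' -SimpleMatch)
    }
}

function Test-UacPosture {
    $policy   = Get-UacPolicy
    $token    = Get-TokenState
    $findings = @()
    if ($policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC (Admin Approval Mode) is not turned on.'
    }
    if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators are elevated without a prompt.'
    }
    if ($policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'Elevation prompts are not shown on the secure desktop.'
    }
    if ($token.InAdministrators -and -not $token.Elevated) {
        $findings += "$($token.User) is an administrator running with the standard user token."
    }
    New-Object PSObject -Property @{ Policy = $policy; Token = $token; Findings = $findings }
}

(Test-UacPosture).Findings
```

Running it once from a normal prompt and once from an elevated prompt shows the same administrator account under each of its two tokens.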
What Types of Users Can You Create?
Windows Vista enables you to set up local user accounts. If you are logged into a Windows 2003 Server, Windows .NET, 2000, or NT server with administrative privileges, you can create and maintain domain accounts on a domain-based LAN, but you should talk to your LAN administrator before doing so.
Table 6-1 lists and briefly explains the types of users Vista can have.
Account Type | Description |
---|---|
Administrator | Enables access to all accounts. Each computer needs at least one administrator account at all times. You can have more than one, if you like. When using an administrator account, you can give commands to create, edit, and delete all user accounts, and you can install software. Windows Vista comes with one administrator account named Administrator. Microsoft recommends that you use it only for installing programs and managing the system. |
Standard | Enables access to your own account. When using a standard account, you cannot perform tasks that affect other users' accounts on the computer, such as install software, open files in other people's Documents folders, change system settings, or change other people's user accounts. You can run programs that are already installed, and you can modify your own user account (except that you can't change it into an administrator account). You should log on with a standard account for day-to-day work, to avoid viruses and other programs that might try to install themselves when you aren't looking. |
Guest | Enables access only to programs that are installed on the computer. Each computer running Windows Vista has one guest account (named Guest). When using the guest account, you cannot change any user accounts, open files in other people's Documents folders, or install software. |
You can create as many administrator or standard accounts as you want. You can't create guest accounts.
Table 6-2 lists some of the files and folders that are stored separately for each local user account. These items are stored in the user account's user profile, the folder that contains all the settings for the user. A user profile is usually in the C:\Users\username folder, where username is replaced by the name of the user account. (If Windows is installed on a partition other than C:, so is this folder.) You need to configure Windows Explorer to display hidden files and folders to see them (see "What Are Hidden Files and Folders?" in Chapter 9).
Item | Contents |
---|---|
Ntuser.dat, Ntuser.dat.log, and Ntuser.ini files | This user's configuration settings and other information. |
Application Data folder | This user's application program configuration settings. |
Cookies folder | The cookies stored by Internet Explorer while run by this user (see "What Are Cookies?" in Chapter 26). |
Desktop folder | The items that appear on this user's desktop. |
Favorites folder | Items this user has added to the Favorites folder. |
Local Settings\History folder | Shortcuts to web sites this user has viewed recently. |
Local Settings\Temporary Internet Files folder | Recently viewed web pages. |
Documents folder | The files and folders that appear in this user's Documents folder when the user is logged on. You can tell Windows to look in a different location for your Documents folder; see "Modifying User Accounts" later in this chapter. |
NetHood folder | This user's network shortcuts, which appear in the Network folder when the user is logged on. |
PrintHood folder | This user's shared printers. |
Recent Items folder | Shortcuts to files this user has opened recently. |
Send To folder | Shortcuts to folders and devices that appear on the Send To menu when the user right-clicks a file or folder. |
Start Menu folder | The shortcuts and folders that Windows uses to display the Start and More Programs menus for this user. |
Templates folder | Template files for word processors and other programs, used when this user creates a new document. |
Fast User Switching allows you to switch from one user account to another without the first user logging off. For example, suppose that a user named Jordan is running Windows Mail and Microsoft Office Access 2007. Another user, named Meg, needs to check her mail and asks Jordan if she can use his computer to do so. Fast User Switching lets Jordan step aside and Meg switch the computer to her user account. Jordan's programs are on hold until Meg is done using the computer. When Jordan switches back to his account, his programs are just where he left them.
Fast User Switching is enabled by default if your Windows system has at least 64MB of RAM. With less RAM, the system doesn't have enough space to store one user's environment, including its running programs and open files, while another user is active.
Note | You can't use Fast User Switching if your computer is part of a domain (that is, connected to a domain-based LAN). You also can't use it if you use the Classic logon screen instead of the Welcome screen for logging on. |