Home > Articles > Certification > Microsoft Certification

MCSE Prep: Setting Up, Managing, and Troubleshooting Security Accounts and Policies

This chapter covers everything you need to know about security accounts in Windows XP Professional with sample questions to help you prepare for the MCSE 70-270 exam.
This chapter is from the book

Terms you'll need to understand:

  • Local user account

  • Local group

  • Complex password

  • Domain user account

  • Global, Universal, and Domain Local groups

  • Security Identifier (SID)

  • Authentication

  • Security Center

  • Local Group Policy

  • Group Policy Object (GPO)

  • Resulting Set of Policies (RSoP)

  • Software Restriction Policy

  • Microsoft Passport

Techniques you'll need to master:

  • Adding and configuring new local user accounts

  • Adding users and groups from a Domain to a Local group

  • Properly renaming user accounts to maintain resource access

  • Configuring the Local Security Policy and the Local Group Policy

  • Understanding the order in which Group Policies apply to a user and computer when the computer is a member of the domain

  • Analyzing and configuring computers with the security templates

  • Using and configuring a Microsoft Passport

The Local Users and Groups snap-in enables you to manage local users and groups. You can get to the snap-in by choosing Start, Control Panel, Performance and Maintenance Category, Administrative Tools, Computer Management, and then by expanding the tree pane of the Computer Management Console until you see the snap-in. In this snap-in, you can create, modify, duplicate, and delete users (in the Users folder) and groups (in the Groups folder).

Built-in User and Group Accounts

The three primary built-in user accounts are Administrator, Guest, and HelpAssistant. The Administrator account is a critical account for your computer and has some essential characteristics, including the following:

  • Cannot be deleted.

  • Can be disabled. Be sure to create another user account with administrator privileges before disabling the default Administrator account.

  • Through its membership in the Administrators group, has all privileges required to perform system administration duties.

  • Can be renamed.

The Guest account is on your system for rare and infrequent use and should be kept securely disabled. This account also has some distinct characteristics, including the following:

  • Is disabled by default. Only an administrator can enable the account. If it is enabled, it should be given a password, and User Cannot Change Password should be set if multiple users will log on with the account.

  • Cannot be deleted.

  • Can be locked out.

  • Does not save user preferences or settings.

The HelpAssistant account is on your system for use when the Remote Desktop Assistance functions are used. This account’s characteristics include the following:

  • Disabled by default.

  • Is automatically enabled when an invitation is created for Remote Assistance.

  • Can be deleted.

  • Can be renamed.

Built-in Local groups have assigned to them specific privileges (also called user rights) that enable them to perform specific sets of tasks on a system. The default local group accounts on a Windows XP Professional system are the following:

  • Administrators—Users in this group have all built-in system privileges assigned. They can create and modify user and group accounts, manage security policies, create printers, and manage permissions to resources on the system. The local Administrator account is the default member and cannot be removed. Other accounts can be added and removed. When a system joins a domain, the Domain Admins group is added to this group, but it can be removed.

  • Backup Operators—Users in this group can back up and restore files and folders regardless of security permissions assigned to those resources. They can log on and shut down a system, but cannot change security settings.

  • Power Users—Users in this group can share resources and create user and group accounts. They cannot modify user accounts they did not create, nor can they modify the Administrators or Backup Operators groups. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs. They can run all Windows XP-compatible applications, as well as legacy applications, some of which members of the Users group cannot execute.

  • Users—Users in this group can log on, shut down a system, use local and network printers, create local groups, and manage the groups they create. They cannot create a local printer or share a folder. Some down-level applications do not run for members of the Users group because security settings are tighter for the Users group in Windows XP than in Windows NT 4. By default, all local user accounts you create are added to the Users group. In addition, when a system joins a domain, the Domain Users group is made a member of that system’s local Users group.

  • Guests—Users in this group have limited privileges but can log on to a system and shut it down. Members cannot make permanent changes to their desktop or profile. By default, the Built-in Local Guest account is a member. When a system joins a domain, the Domain Guests group is added to the Local Guests group.

  • Network Configuration Operators—Users in this group have administrative privileges to manage the configuration of networking features.

  • Remote Desktop Users—Users in this group have the added privilege of logging on through Terminal Services, which in Windows XP is established through a Remote Desktop connection.

Built-in System groups also exist, which you do not see in the user interface while managing other group accounts. Membership of system groups changes based on how the computer is accessed, not on who accesses the computer. Built-in System groups include the following:

  • Everyone—Includes all users who access the computer, including the Guest account.

  • Authenticated Users—Includes all users with a valid user account in the local security database or (in the case of domain members) in Active Directory’s directory services. You use the Authenticated Users group rather than the Everyone group to assign privileges and group permissions, because doing so prevents anonymous access to resources.

  • Creator Owner—Contains the user account that created or took ownership of a resource. If the user is a member of the Administrators group, the group is the owner of the resource.

  • Network—Contains any user with a connection from a remote system.

  • Interactive—Contains the user account for the user logged on locally at the system.

  • Anonymous Logon—Includes any user account that Windows XP did not authenticate.

  • Dial-up—Contains all users who currently use a dial-up connection.

Creating Local User and Group Accounts

To create a local user or group account, right-click the appropriate folder (Users or Groups) and choose New User (or New Group), enter the appropriate attributes, and then click Create.

User account names:

  • Must be unique.

  • Are recognized only up to 20 characters, although the name itself can be longer.

  • Cannot contain the following characters: " / \ [ ] ; : | = + * ? < >

  • Are not case sensitive, although the user account’s name property displays the case as entered.

User account passwords:

  • Are recommended.

  • Are case sensitive.

  • Can be up to 127 characters, although down-level operating systems such as Windows NT 4 and Windows 9x support only 14-character passwords.

  • Should be a minimum of seven to eight characters.

  • Should be difficult to guess and, preferably, should mix uppercase and lowercase letters, numerals, and nonalphanumeric characters.

  • Can be set by the administrator (who can then determine whether users must, can, or cannot change their password) or the user (if the administrator has not specified otherwise).

Select the option User Must Change Password at Next Logon to ensure that the user is the only one who knows the account’s password. Select User Cannot Change Password when more than one person (such as Guest) uses the account.

The Password Never Expires option is helpful when a program or a service uses an account. To avoid having to reconfigure the service with a new password, you can set the service account to retain its password indefinitely.

Configuring Account Properties

The information you can specify when creating an account is limited in Windows XP. Therefore, after creating an account, you often need to go to the account’s Properties dialog box, which you can access by right-clicking the account and choosing Properties. After the creation of a user, you can specify the groups the user belongs to and the profile settings for the user, as shown in Figure 3.1.

Figure 3.1

Figure 3.1 The Properties dialog box of a typical user.

Managing Local Group Membership

To manage the membership of a Local group, right-click the group and choose Properties. To remove a member, select the account and click Remove. To add a member, click Add and select or enter the name of the account, as shown in Figure 3.2.

In a workgroup, Local groups can contain only accounts defined in the same machine’s local security database. When a system belongs to a domain, its Local groups can also include domain accounts, including user accounts, Universal groups, and Global groups from the enterprise’s Active Directory, as well as Domain Local groups from within the system’s domain.

Figure 3.2

Figure 3.2 Interface for adding a user or group to a Local group.

Renaming Accounts

To rename an account, right-click the account and choose Rename. Type the new name and press Enter. Each user and group account is represented in the local security database by a long, unique string called a Security Identifier (SID), which is generated when the account is created. The SID is assigned permissions and privileges. The user or group name is just a user-friendly interface name for humans to interact with the computer. Therefore, when you rename an account, the account’s SID remains the same and the account retains all its group memberships, permissions, and privileges.

Two situations mandate renaming an account. The first occurs when one user stops using a system and a new user requires the same access as the first. Rather than creating a new local user account for the new user, rename the old user account. The account’s SID remains the same, so its group memberships, privileges, and permissions are retained. You should also specify a new password in the account’s Properties dialog box and select the User Must Change Password at Next Logon option.

The second situation that warrants renaming a user account is the security practice of renaming the built-in Administrator and Guest accounts. You cannot delete these accounts, nor can you remove the Administrator account from the Local Administrators group, so renaming the accounts is a recommended practice for hindering malicious access to a system.

Disabling or Enabling User Accounts

To disable or enable a user account, open its Properties dialog box and select or clear the Account Is Disabled check box. If an account is disabled, a user cannot log on to the system using that account. Only Administrators can enable the Guest account.

Deleting Accounts

You can delete a local user or group account (but not built-in accounts such as Administrator, Guest, or Backup Operators) by right-clicking the account and choosing Delete. When you delete a group, you delete the group account only, not the members of the group. A group is a membership list, not a container.

Using the User Accounts Tool

Another tool for administering local user accounts is the User Accounts tool in Control Panel, shown in Figure 3.3. This tool enables you to create and remove user accounts, as well as specify specific configurations for those users. It is wizard driven and is useful for novice administrators and home users.

The User Account tool changes functions as the computer joins a domain from a workgroup. These changes are to control the access to the computer from other domain users. The following is a list of configurations that can be completed after the computer has become a member of a domain:

  • Manage the users that can access the local computer.

  • Modify the type of access a user has on the computer. This would include Standard user, Limited user, or a custom type of user, such as an Administrator.

  • Manage passwords that are stored on the local computer.

  • Manage .NET Passport.

  • Access advanced user and computer settings.

  • Change the local administrator password.

  • Modify the secure logon preferences—basically, whether a user is required to press Ctrl+Alt+Delete to log on.

For machines that do not participate in a domain in Windows XP, two categories of user accounts exist: Limited and Administrator. By default, the person installing the operating system is an administrator. An account that is an administrator can perform any and all functions on the computer. By contrast, an account designated as Limited cannot create shares or install software. Table 3.1 lists several of the differences between the accounts.

Figure 3.3

Figure 3.3 User Accounts tool for administering local users.

Table 3.1 Different Functionality Among Windows XP Accounts

Function

Limited

Administrator

Create shares

 

X

Create printers

 

X

Install software

 

X

Create other accounts

 

X

Change network settings

 

X

Change passwords

X

X

Change account picture

X

X

Set up .NET Passport

X

X

Access programs

X

X

Change background

X

X

Request Remote Assistance

X

X


Passwords

Passwords are not required, but are highly recommended. If your system has accounts that don’t require any form of password, virtually anyone will be able to access your files and folders, even if you don’t want them to. It is always recommended to have a password; even a simple password is better than no password at all.

Forgotten Passwords

If you forget your password, you can recover your settings and user account with the Forgotten Password Wizard. The wizard enables you to create a Password Reset Disk to help you open your account and create a new password. The Password Reset Wizard also enables you to change your password.

To protect user accounts in the event that the user forgets the password, every local user can make a Password Reset Disk and keep it in a safe place. Then, if the user forgets his or her password, the password can be reset using the Password Reset Disk, enabling the user to access the local user account again.

If you already made a Password Reset Disk for your local user account through the Forgotten Password Wizard, you can use it to access the computer, even if you have forgotten your password.

Fast User Switching

Fast User Switching is a special feature of Windows XP Professional. Don’t be fooled with this option, though, because it is available only when the computer is in a workgroup. The option is removed as soon as the computer is joined to a domain. Fast User Switching makes it possible for users to switch quickly between other users without actually logging off from the computer. Multiple users can share a computer and use it simultaneously, switching back and forth without closing the programs they are running. To switch to another user, click Start, click Log Off, click Switch User, and then click the user account you would like to switch to. The following caveats apply when using Fast User Switching:

  • It will not appear if it has not been turned on in User Accounts in Control Panel.

  • It is not available on computers that are members of a network domain.

  • It can be turned on or off only by users who have administrative privileges on the computer.

  • It cannot be turned off while multiple users are logged on to the computer.

  • When it is not turned on, programs shut down when a user logs off, and the computer runs faster for the next user who logs on.

Authentication

When a user wants to access resources on a machine, that user’s identity must first be verified through a process called authentication. For example, when a user logs on, the security subsystem evaluates the user’s username and password. If they match, the user is authenticated. The process of logging on to a machine where you are physically sitting is called an interactive logon. Authentication also happens when you access resources on a remote system. For example, when you open a shared folder on a server, you are being authenticated as well, only this time, the process is called a remote or network logon, because you are not physically at the server.

The Security Dialog Box

The Security dialog box allows for interactive logon to a Windows XP system. You can access the Security dialog box shortly after a system has started, and at any time after logon, by pressing Ctrl+Alt+Delete. If you are not currently logged on, you can enter a username and password. If the system belongs to a domain, you need to be certain that the domain in which your account exists is selected in the Log On To text box. You can either select the domain from the drop-down list or enter your User Principal Name (UPN) in the Username text box. The UPN is an attribute of an Active Directory user object and, by default, is of the form username@domain.name, where domain.name is the Windows 2000 domain for which your user account resides (for example, braincore.net). The suffix following the @ symbol indicates the domain against which to authenticate the user.

If you are currently logged on to a system, pressing Ctrl+Alt+Delete takes you to the Windows XP Security dialog box, at which point you can do the following:

  • Log off the system, which closes all programs and ends the instance of the session.

  • Lock the system, which allows programs to continue running but prevents access to the system. When a system is locked, you can unlock it by pressing Ctrl+Alt+Delete and entering the username and password of the user who locked the system, or an administrator’s username and password.

  • Shut down the system.

  • Change your password.

  • Access Task Manager.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020