Managing User Accounts, Passwords, and Logons. CHAPTER 16.


Inside Windows 7 User Account Control

Standard user accounts provide for better security and lower total cost of ownership in both home and corporate environments. When users run with standard user rights instead of administrative rights, the security configuration of the system, including antivirus and firewall, is protected. This provides users a secure area that can protect their account and the rest of the system.

Windows Vista introduced User Account Control (UAC). UAC is a collection of technologies that include file system and registry virtualization, the Protected Administrator (PA) account, UAC elevation prompts, and Windows Integrity levels that support these goals.

The most basic element and direct benefit of UAC's technology is simply making Windows more standard-user friendly.

The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC's technologies looks and smells like a security feature: the consent prompt.

The user account, which uniquely identifies each person who uses the computer, is an essential component in security and in providing a personalized user experience in Windows. Windows 7 allows you to restrict access to your computer so that only people you authorize can use the computer or view its files.

User accounts in Windows 7 provide the means by which you can:

  • Require each user to identify himself or herself when logging on

  • Control access to files and other resources that you own

  • Audit system events, such as logons and the use of files and other resources

Introducing Access Control in Windows

The Windows approach to security is discretionary: each securable system resource—each file or printer, for example—has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a file, for example, you are the file’s owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn’t create.)

  • To exercise full discretionary control over individual files, you must store those files on an NTFS volume. For the sake of compatibility, Windows 7 supports the FAT and FAT32 file systems used by early Windows versions and many USB flash drives, and the exFAT file system used on some removable drives. However, none of the FAT-based file systems support file permissions. To enjoy the full benefits of Windows security, you must use


With Vista SP1, Microsoft has introduced a new file system. Extended File Allocation Table (exFAT) is the successor to the old FAT32 file system. What are the advantages and disadvantages of this new file system? What are the differences between exFAT and FAT32? When is exFAT preferred over NTFS?

FAT32 is the file system with which most Windows users are most familiar. Windows first supported FAT32 with Windows 95 OSR2 and has increased support for it through XP.

FAT32 has multiple issues that modern systems can experience:

  • By default, Windows systems can only format a drive up to 32 GB. Additional software works around this issue. When formatted at these bigger sizes, FAT32 becomes increasingly inefficient.

  • The maximum file size on a FAT32-formatted drive is around 4 GB. With DVD and high-resolution DVD formats now available, this limit is commonly noticed.

  • Dealing with fragmentation and free disk space calculations can become painfully resource intensive in large FAT32 systems.

  • A FAT32 directory can have 65,536 directory entries. Each file or subdirectory can take up multiple entries; therefore, FAT32 directories are limited in how many files they can hold.

exFAT has several advantages over FAT32:

  • File size limit is now 16 exabytes.

  • Format size limits and files-per-directory limits are practically eliminated.

  • Like HPFS, exFAT uses free space bitmaps to reduce fragmentation and free space allocation/detection issues.

  • Like NTFS, permission systems should be able to be attached through an access control list (ACL). It is unclear if or when Vista will include this feature, however.

Windows security identifier

  • To determine which users have access to a resource, Windows assigns a security identifier (SID) to each user account. Your SID (a gigantic number guaranteed to be unique) follows you around wherever you go in Windows. When you log on, the operating system first validates your user name and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus information about any security groups to which your account belongs. Any program you start gets a copy of your security access token.

User Account Control

With User Account Control (UAC) turned on, administrators who log on get two security access tokens—one that has the privileges of a standard user, and one that has the full privileges of an administrator.

What Are ACLs?

Each folder and each file on an NTFS-formatted volume has an ACL (access control list). An ACL comprises an access control entry (ACE) for each user who is allowed access to the folder or file. With NTFS permissions, you can control access to any file or folder, allowing different types of access for different users or groups of users.

To view and edit NTFS permissions for a file or folder, right-click its icon and choose Properties. The Security tab lists all the groups and users with permissions set for the selected object, as shown below. Different permissions can be set for each user, as you can see by selecting each one.

The access granted by each permission type is as follows:

  • Full Control: Users with Full Control can list contents of a folder, read and open files, create new files, delete files and subfolders, change permissions on files and subfolders, and take ownership of files.

  • Modify: Allows the user to read, change, create, and delete files, but not to change permissions or take ownership of files.

  • Read & Execute: Allows the user to view files and execute programs.

  • List Folder Contents (folders only): Provides the same permissions as Read & Execute, but can be applied only to folders.

  • Read: Allows the user to list the contents of a folder, read file attributes, read permissions, and synchronize files.

  • Write: Allows the user to create files, write data, read attributes and permissions, and synchronize files.

  • Special Permissions: The assigned permissions don’t match any of the preceding permission descriptions. To see precisely which permissions are granted, click Advanced.

With UAC turned on, applications are normally launched using an administrator’s standard user token. (Standard users, of course, have only a standard user token.) If an application requires administrator privileges, UAC asks for your consent (if you’re logged on as an administrator) or the credentials of an administrator (if you’re logged on as a standard user) before letting the application run. With UAC turned off, Windows works in the same (rather dangerous) manner as previous versions: administrator accounts can do just about anything (sometimes getting those users in trouble), and standard accounts don’t have the privileges needed to run many older programs.

Permissions and Rights

Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner—for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular systemwide action, such as logging on or resetting the clock.

User Accounts and Security Groups

  • The backbone of Windows security is the ability to uniquely identify each user. While setting up a computer—or at any later time—an administrator creates a user account for each user. The user account is identified by a user name and is (optionally) secured by a password, which the user provides when logging on to the system.

Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator.

Account type is a simplified way of describing membership in a security group, a collection of user accounts. Windows classifies each user account as one of three account types:

Administrator, Standard user, Guest

  • Security groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder.

If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.

Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all of the privileges accorded to all groups of which the user account is a member.

Local Accounts and Groups vs. Domain Accounts and Groups

Windows stores information about user accounts and security groups in a security database. Where the security database resides depends on whether your computer is part of a workgroup or a domain.

A workgroup setup (or a standalone computer) uses only local user accounts and local groups—the type described in this chapter. The security database on each computer stores the local user accounts and local groups that are specific to that computer.

Local user accounts allow users to log on only to the computer where you create the local account. Likewise, a local account allows users to access resources only on that same computer.

The alternative is to set up the network as a domain. A Windows domain is a network that has at least one machine running Windows Server as a domain controller. A domain controller is a computer that maintains the security database, including user accounts and groups, for the domain.

With a domain user account, you can log on to any computer in the domain (subject to your privileges set at the domain level and on individual computers), and you can gain access to permitted resources anywhere on the network.

In general, if your computer is part of a Windows domain, you shouldn’t need to concern yourself with local user accounts. Instead, all user accounts should be managed at the domain controller. But you might want to add certain domain user accounts or groups to your local groups.

By default, the Domain Admins group is a member of the local Administrators group, and Domain Users is a member of the local Users group; members of those domain groups thereby assume the rights and permissions afforded to the local groups to which they belong.

Learning About Your Own Account with Whoami

You can use Whoami to find out the name of the account that’s currently logged on, its SID, the names of the security groups of which it’s a member, and its privileges. To use Whoami, open a Command Prompt window. (You don’t need elevated privileges.)

If you’re curious about your SID, type whoami /user. To see the other options, type whoami /?.
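The details Whoami reports can also be read from the process token in PowerShell, which makes the effect of the two UAC tokens visible. This is an added example, not part of the original chapter; the function name Get-TokenSummary is hypothetical, and Windows PowerShell is assumed.

```powershell
# Added example: summarize the security access token of the current process.
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $ntAccount = [System.Security.Principal.NTAccount]

    # Group SIDs carried in the token, translated to names where possible.
    $groups = foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate($ntAccount).Value }
        catch { $name = '(no name available)' }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }

    # True only when this process was started with the full administrator token.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        User     = $identity.Name        # same account name that whoami prints
        UserSid  = $identity.User.Value  # same SID that whoami /user prints
        Elevated = $elevated
        Groups   = $groups
    }
}

$token = Get-TokenSummary
$token | Select-Object User, UserSid, Elevated | Format-List
$token.Groups | Sort-Object Name | Format-Table Name, Sid -AutoSize
```

When an administrator runs this from an ordinary prompt with UAC turned on, Elevated is False because the process holds the standard user token; the same script in an elevated prompt reports True.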

Working with User Accounts

When you install Windows 7 on a new computer, you create one user account, which is an administrator account. If you upgrade to Windows 7 from Windows Vista and you had local accounts set up in your previous operating system, Windows migrates those accounts to your Windows 7 installation.

Accounts that you migrate from Windows Vista maintain their group memberships and passwords.

Through User Accounts in Control Panel, Windows provides a simple method for creating new accounts, making routine changes to existing accounts, and deleting accounts.

Access User Accounts quickly

You can jump straight into User Accounts without going through Control Panel. Simply open the Start menu and click the account picture in the upper right corner of the Start menu.

Creating a New User Account

Figure 16-2 Manage Accounts shows all local user accounts that are a member of the Administrators, Users, or Guests groups.

Figure 16-3 Creating an account couldn’t be much easier; just specify a name and account type.

Changing Account Settings

To change your own account, start at the main User Accounts page, shown in Figure 16-1. To change another user’s account (you must have administrative privileges to do so), click Manage Another Account to display the page shown in Figure 16-2, and then click the name of the account you want to change. You’ll see links to options similar to those you can make to your own account.

Account name, Password, Picture

Using the Guest Account for Visitors

The Guest account is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. By default, the Guest account is disabled; no one can use an account that’s disabled.

To enable the Guest account, open User Accounts, click Manage Another Account, and click the Guest account icon. In the window that appears, click Turn On. The Guest account thereafter shows up on the Welcome screen, and anyone can use it. Users of the Guest account have access to items in the Public folder as well as those in the Guest profile.

Deleting an Account

You can delete any account except one that is currently logged on. To delete an account, open User Accounts, click Manage Another Account, and click the name of the account you want to delete. Then click Delete The Account.

User Accounts won’t let you delete the last local account on the computer, even if you’re logged on using the account named Administrator. This limitation helps to enforce the sound security practice of using an account other than Administrator for your everyday computing.


After you delete an account, of course, that user can no longer log on. Deleting an account also has other effects you should be aware of. You cannot restore access to resources that currently list the user in their access control lists simply by re-creating the account. This includes files to which the user has permission and the user’s encrypted files, personal certificates, and stored passwords for websites and network resources.

That’s because those permissions are linked to the user’s original SID—not the user name. Even if you create a new account with the same name, password, and so on, it will have a new SID, which will not gain access to anything that was restricted to the original user account.
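Because permissions are tied to SIDs, the entries for a deleted account stay on files as SIDs that no longer resolve to a name. The following added example (not from the original chapter) lists such entries under a folder; the function name Find-OrphanedAce and the path C:\Shared are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: list access control entries whose SID no longer maps to an account.
function Find-OrphanedAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path    # folder to audit
    )

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $nameType = [System.Security.Principal.NTAccount]

    # The folder itself plus everything beneath it, including hidden items.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Request the entries keyed by SID instead of by account name.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference

            # Local and domain user accounts have SIDs that start with S-1-5-21-.
            if ($sid.Value -notlike 'S-1-5-21-*') { continue }

            try {
                [void]$sid.Translate($nameType)    # succeeds while the account exists
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $sid.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Hypothetical folder. Inherited entries disappear once the parent's entry is removed,
# so only the entries set directly on an item are shown here.
Find-OrphanedAce -Path 'C:\Shared' |
    Where-Object { -not $_.Inherited } |
    Format-Table Path, Sid, Type, Rights -AutoSize
```

On a domain-joined computer, run it while a domain controller is reachable, because domain SIDs that cannot be looked up also fail to translate.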

Effectively Implementing User Accounts on a Shared Computer

Whether you’re setting up a computer for your family to use at home or to be used in a business, it’s prudent to set it up securely.

  • Control who can log on.

  • Change all user accounts except one to standard accounts.

  • Be sure that all accounts are password protected.

  • Restrict logon times.

  • Restrict access to certain files.

  • Turn on the Guest account only when necessary.
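Three items on this checklist (a single administrator account, password protection, and the Guest account) can be checked from a script. This is an added example, not part of the original chapter; the function name Get-LocalAccountAudit is hypothetical, and Windows PowerShell is assumed because it uses Get-WmiObject.

```powershell
# Added example: check local accounts against the shared-computer checklist.
function Get-LocalAccountAudit {
    $computer = $env:COMPUTERNAME

    # Find the local Administrators group by its well-known SID (S-1-5-32-544),
    # so the lookup does not depend on the display language.
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$computer/$groupName,group"

    # Names of local accounts that are direct members of that group. A local
    # member's ADsPath contains the computer name; a domain member's does not.
    $localAdmins = @(
        $group.psbase.Invoke('Members') |
            ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) } |
            Where-Object   { $_ -like "*/$computer/*" } |
            ForEach-Object { $_.Split('/')[-1] }
    )

    $accounts      = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")
    $enabledAdmins = @($accounts | Where-Object {
        -not $_.Disabled -and $localAdmins -contains $_.Name
    })

    foreach ($account in $accounts) {
        $isAdmin  = $localAdmins -contains $account.Name
        $isGuest  = $account.SID -like '*-501'    # RID 501 is the built-in Guest account
        $findings = @()

        if (-not $account.Disabled) {
            if ($isGuest) { $findings += 'Guest account is turned on' }
            # PasswordRequired = False means Windows permits a blank password for
            # the account; it does not prove that the password is blank.
            if (-not $account.PasswordRequired) { $findings += 'blank password permitted' }
            if ($isAdmin -and $enabledAdmins.Count -gt 1) {
                $findings += 'one of several enabled administrator accounts'
            }
        }

        New-Object PSObject -Property @{
            Name          = $account.Name
            Enabled       = -not $account.Disabled
            Administrator = $isAdmin
            Findings      = ($findings -join '; ')
        } | Select-Object Name, Enabled, Administrator, Findings
    }
}

Get-LocalAccountAudit | Format-Table -AutoSize -Wrap
```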

Using Other Account Management Tools

Windows 7 includes no fewer than four different interfaces for managing users and groups:

  • User Accounts

  • Advanced User Accounts

  • Local Users And Groups

  • Command-line utilities

Setting a Logon Password

Associating a password with your user account is your first line of defense against those who would like to snoop around in your files. Because the Welcome screen shows every user account, if you don’t set passwords, anyone who has physical access to your computer can log on by simply clicking a name on the Welcome screen.

If the chosen name belongs to an administrator account, the person who clicks it has full, unfettered access to every file and setting on the computer. Requiring a password for each account (particularly administrator accounts) goes a long way toward securing your computer.

Creating a Secure Password

A password is of little value if it’s easily guessed by an intruder. Obviously, you shouldn’t use your name or something equally transparent. However, even a random word provides little security against a determined intruder—some hackers use tools that try every word in the dictionary.

● Use at least eight characters. Longer is better, which is why some security experts suggest using a pass phrase. A password or phrase can (and should) include spaces and punctuation; the maximum length is 127 characters.

● Use a mixture of uppercase letters, lowercase letters, numbers, and punctuation.

● Avoid including your name or user name in the password.

● Use random sequences instead of words, or intersperse numbers and punctuation within words—W!nd()wS 7 1ns!dE ()uT for example.

Setting a Password

The simplest way to set a password for yourself or for another user (if you have administrator privileges) is with User Accounts in Control Panel. Click the name of the user for whom you want to set a password and then click Create A Password.

Figure 16-6 User Accounts allows you to provide a password reminder hint that becomes available on the Welcome screen.

INSIDE OUT Use Ctrl+Alt+Delete to access password options

The fastest path to a password-setting screen for your own account is to press Ctrl+Alt+Delete and then click Change Password. There you can set a password along with an updated hint.


Recovering from a Lost Password

Windows offers two tools that help you to deal with this dilemma:

Password hint: Your hint (if you’ve created one) appears below the password entry box after you make an incorrect entry and then click OK. You can create a hint when you set a password with User Accounts.

Password reset disk

A password reset disk allows you (or anyone with your password reset disk) to change your password—without needing to know your old password. As standard practice, each user should create a password reset disk and keep it in a secure location. Then, if a user forgets the password, he or she can reset it using the password reset disk.

You can make a password reset disk only for your local user account. If your computer is joined to a domain, you can’t create a password reset disk as a back door to your domain logon password. However, in a domain environment, a domain administrator can safely reset your password and you’ll still have access to your encrypted files. Also, on a computer joined to a domain, password hints are never shown, even for local user accounts.


To create a password reset disk, you’ll need to know your current password and you’ll need to have removable media available. (You can use a floppy disk, USB flash drive, external hard drive, or memory card.) Follow these steps:

1. Log on using the account for which you want to create a password reset disk.

2. If you want to use a USB flash drive as a password reset disk, insert it in your computer’s USB slot.

3. In Control Panel, open User Accounts.

4. In the left pane, click Create A Password Reset Disk to launch the Forgotten Password wizard.

5. Follow the wizard’s instructions.

Managing the Logon Process

By default, on a computer joined to a domain, users must press Ctrl+Alt+Delete before the logon screen appears. This requirement can be removed from domain computers or added to others, as described in the following tip.

The Welcome screen for a workgroup or standalone computer shows an icon for each account on the computer, as shown in Figure 16-7. By contrast, after pressing Ctrl+Alt+Delete, a domain user sees only one user account, along with a Switch User button that enables you to log on using an account other than the one shown.

INSIDE OUT Skip the Ctrl+Alt+Delete requirement

On a domain-based computer, if you don’t want to be bothered by pressing Ctrl+Alt+Delete to reach the logon screen, make the following change:

1. Open User Accounts in Control Panel, and then click Manage User Accounts to open Advanced User Accounts.

2. In the User Accounts dialog box that appears, click the Advanced tab.

3. Under Secure Logon, clear Require Users To Press Ctrl+Alt+Delete.

Be aware that doing so removes a security feature. Because the design of the Windows security system prevents any other application from capturing this particular key combination, pressing Ctrl+Alt+Delete ensures that the next screen that appears, the logon screen, is displayed by the operating system and not by an application that’s trying to capture your password, for example.

INSIDE OUT Hide the name of the last user to log on

On a computer joined to a domain, by default the name and picture of the last user who logged on appears on the logon screen. On a system that’s used primarily by a single user, this is a convenient feature that allows the user to log on again without typing his or her name each time. For a computer that’s shared by many users, you might prefer not to show the last user. You can prevent the last-used name from appearing by typing secpol.msc at an elevated command prompt to open Local Security Policy. In Local Security Policy, open Local Policies\Security Options. Then enable the policy setting named Interactive Logon: Do Not Display Last User Name.

Customizing the Logon Screen: Setting a Custom Desktop Background

1. In the Start menu search box, type regedit and press Enter to open Registry Editor.

2. In Registry Editor, navigate to the HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background key.

3. If a DWORD value named OEMBackground does not exist, create one. Set this value’s data to 1.

5. Copy the image you want to this folder, using these guidelines:

● The image must be in .jpg format, and the file size cannot exceed 256 KB.

● Scale the image to the pixel dimensions of your primary monitor’s native (or default) resolution, and name the file Backgroundwwwxhhh.jpg, where www and hhh represent the width and height, in pixels (for example, Background1600x1200.jpg).

● Because this feature doesn’t support all screen resolutions, create a copy of the image file and name it BackgroundDefault.jpg. If Windows is unable to use the resolution-specific image, it uses this one and stretches it to fit.

If that procedure sounds too daunting, download the Logon Changer, a utility that compresses your image file (to stay under the file-size limit) as well as safely diving into the registry and deeply nested folders for you. Get it from

Making the Logon Text Bigger

1. In the Start menu search box, type regedit and press Enter to open Registry Editor.

2. In Registry Editor, navigate to the HKU\.Default\Control Panel\Desktop key.

3. If a DWORD value named LogPixels does not exist, create one.

4. Double-click the LogPixels value. Be sure that Base is set to Decimal, and then set the value to the desired resolution in dots per inch. The default setting is 96 DPI; larger values increase the text size. For example, setting the value to 120 increases the size by 25 percent. (96 times 1.25 is 120.)

Log off to see the changes. The first time each user logs on after making this change, Windows applies the new DPI (dots per inch) setting to the user’s desktop as well as the logon screen. Users who want to change to a different text size can do so by visiting Display in Control Panel.

Bypassing the Logon Screen

If your computer is not joined to a domain, you can set it up to log on automatically by following these steps:

1. At a command prompt, type netplwiz to open Advanced User Accounts.

2. On the Users tab, clear the Users Must Enter A User Name And Password To Use This Computer check box and then click OK. Note that the Users Must Enter A User Name And Password To Use This Computer check box doesn’t appear if your computer is a member of a domain. Only computers that aren’t part of a network or are part of a workgroup can bypass the logon screen. Domain users must enter a user name and password, even to log on locally.

The Automatically Log On dialog box appears.

3. Type the user name and password for the account that you want to be logged on each time you start your computer.

Logging Off, Switching Users, or Locking Your Computer

When you’re finished using your computer, you want to be sure that you don’t leave it in a condition in which others can use your credentials to access your files. To do that, you need to log off, switch users, or lock your computer:

● Log Off: With this option, all your programs close and dial-up connections are ended. To log off, click the arrow in the lower right corner of the Start menu and click Log Off.

● Switch User: With this option (sometimes called Fast User Switching), your programs continue to run.

● Lock: With this option, your programs continue to run, but the logon screen appears so that no one can see your desktop or use the computer. Only you can unlock the computer to return to your session; however, other users can log on in their own sessions without disturbing yours. To lock a computer, click the arrow in the lower right corner of the Start menu and click Lock.


Controlling Your Children’s Computer Access

Parental Controls is a feature that enables parents to help manage how their children use the computer. As a parent, you can set restrictions (different for each child, if you like) on which programs your children can run and which games they can play, and you can set hours of use for the computer.

With the addition of controls from Microsoft and other providers, you can specify which websites your children can visit and you can view activity logs that detail each child’s computer activity.

The requirements for using Parental Controls are simple:

  • You must have at least two user accounts set up on your computer—an administrator account for the parent and a standard account for the child.

  • All administrator accounts on the computer should be protected by a password.

  • Your computer cannot be joined to a domain. On domain-joined computers, the Parental Controls feature is disabled, even when you’re connected to your home network (or no network).

Configuring Parental Controls

To begin using Parental Controls, open it in Control Panel. (It’s in the User Accounts And Family Safety category.) After consenting to the User Account Control prompt (or entering an administrator password if you’re logged on as a standard user), you’ll see a window like the one shown in Figure 16-9.

Restricting Logon Hours

Controlling Access to Games

Blocking Programs

When your child attempts to run a blocked program, a dialog box appears.
