About User Management and Security in Windows XP

by Johannes Helmig [Published on 21 April 2002 / Last Updated on 21 April 2002]

Windows XP Professional Edition is the replacement for Windows NT4 and Windows 2000,
and offers therefore the same level of User Management and security as Windows NT4 and
Windows2000.

You have a choice : You can keep it simple with just 2 levels of Security and use in the
Control-Panel : "User Accounts":


This is the simplified user management as in the Windows XP Home Edition, allowing
the definition of Users and Password (for usage, see the XP Home Edition ).


To be able to use all feature of the Windows XP Professional Usermanagement,
select in the Control-panel :
"Administrative Tools" :

User Management is part of "Computer Management" :

Select in the tree-view on the left : System Tools / Local Users and Groups / Users :

Double click on a Username to display Details:

Tab: General

The security system of Windows XP Professional
defines in the policies the enforcement of password
changes after 42 days
.
to avoid to be forced by your computer to
have to change the password, you can select
here that the "Password never expires"
tab: Profile

you can create a Logon script
( list of commands to be executed )
to be run when you logon to your system
tab : Member of

When Windows XP Professional is installed,
a predefined set of user groups , each with different
level of permissions, is installed on your system.
By being a member of a user-group, a user has
the permissions as defined for the group.

A user can be member of MULTIPLE groups,
getting the permission of each user group.

All Users are automatically member of the
usergroup "Everyone", which is NOT listed here.
Therefore, if there is for a user NO Usergroup
listed, then this user is still allowed all items, which
are defined for the usergroup "Everyone"

For more details on permissions and assigning
permissions, see User Policies.

To become member of an additional
usergroup (to get additional permissions),
click on the button "Add.."
If you know the name of the
usergroup, you can enter it,
otherwise use the button
"Advanced..." to get a Lookup.
When working on a large
network, you would have a
very long list of items, so you
can define here first a search
criteria.
for home use and small networks,
just click on "Find Now" to
get the display of Usergroups.

Select the one to be added.
To know, what permissions
are assigned to a Usergroup,
see the Local Policies.
The full name of a usergroup
includes the name of the computer,
where the usergroup is defined.
This user is now member of
2 Usergroups , having now the
combined permissions of both
usergroups.

The installation of Windows XP Professional has created a predefined set of User groups,
with different levels of permissions :

You can create additional usergroups and then assign permissions to them using policies.


A special word of warning : it is possible to set the password for a user from Computer Management : select a Username and right-click to get the Context/Popup menu and
select : "Set Password" :

But this feature seems to be reserved for cases, where a user has forgotten the password and
the administrator needs to defined a new password.

This warning is displayed :

"Resetting this password might cause
irreversible loss of information.
For security reasons, Windows
protects certain information by
making it impossible to access if
the password is reset
"

Let's check for more information
by selecting/clicking on the
Button "Help":
If a user-account has NO password,
or you like to change it, please use
in the Control Panel the
"User Accounts"
to change passwords
(same as on using XP Home)
.

What is the impact of not being a member of the group Administrators ?

In the Control-Panel, select the
Network Connection icon:

(or right-click "My Network Places" on
the desktop and select Properties)
A Warning is displayed
and the buttons for modifying
the network components are
grayed out.

A "Limited" user (not being member of the group Administrators ) is NOT able to create
a new Connection (like a modem or ADSL connection to the Internet), this has to be done as
"Computer Administrator" : as a user being member of the usergroup Administrators
(or another usergroup, if it has the permission for such activities defined in User Policies)

You can select at that time, whether
the Username and password for
the connection will be used by
all users accounts on the system.

If you have only one user defined with a password, then no Logon screen will be shown.
Once multiple users are defined (or only one user with a password), Windows XP will display
on startup the Logon screen :

You MUST identify yourself, first by selecting the Username by clicking on it and (if required)
having to enter the password for the user account.

Advertisement

Featured Links