User Account Creation
Every user has an [url=http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/gloss_rk_pro.asp?frame=true#gls_user_account]account[/url] containing unique credentials that allow the user to access resources on a local computer or domain. Accounts can be local to a computer or domain-based. If the account is specific to a local computer, the user will not be able to access network-based resources unless the resources have been configured to allow Anonymous access. If the account is domain-based, the user will be able to access network resources from the local computer. However, his or her permissions as a user of network resources might be quite different from his or her rights on the local computer. For more information about how accounts are authenticated, see "Logon and Authentication" in this book.
Two user accounts — Administrator and Guest — are created automatically when Windows XP Professional is installed. The Administrator account can be used to initially log on and configure the computer. For example, the Administrator can install software, configure printers, join the computer to a domain, and so on. After the computer has been configured, it is necessary to log on as Administrator only to perform administrative tasks.
Tip
It is best if the Administrator account has a password that meets complexity requirements. You can also rename the Administrator account to make it more difficult for potential hackers to gain access to your system.
The Guest account can be used to allow different users to log on and access local resources without having to create an account for each user. The Guest account can also be enabled to simplify file and printer sharing with other Windows-based computers that are configured in a workgroup environment. Otherwise, it is recommended that you turn off the Guest account.
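One way to check the two recommendations above (a renamed Administrator account and a turned-off Guest account), shown as an added example that is not part of the Resource Kit text. It identifies the built-in accounts by their well-known RIDs (500 and 501), which do not change when an account is renamed. The function name `Test-BuiltinAccount`, the English default name `Administrator`, the use of Windows PowerShell with `Get-WmiObject`, and the sample SIDs are assumptions of this example.

```powershell
# Added example: audit built-in local accounts (hypothetical helper, not Microsoft code).
function Test-BuiltinAccount {
    param(
        # Objects shaped like Win32_UserAccount: Name, SID, Disabled, PasswordRequired.
        [Parameter(Mandatory = $true)] [object[]] $Account
    )
    foreach ($a in $Account) {
        # The RID is the last component of the SID; it survives a rename.
        $rid = ($a.SID -split '-')[-1]
        $issues = @()

        # Assumes an English installation, where the default name is "Administrator".
        if ($rid -eq '500' -and $a.Name -eq 'Administrator') {
            $issues += 'built-in Administrator still has its default name'
        }
        if ($rid -eq '501' -and -not $a.Disabled) {
            $issues += 'Guest account is turned on'
        }
        if (-not $a.PasswordRequired -and -not $a.Disabled) {
            $issues += 'enabled account does not require a password'
        }
        foreach ($i in $issues) {
            New-Object PSObject -Property @{ Account = $a.Name; SID = $a.SID; Issue = $i }
        }
    }
}

# Constructed sample data (SIDs are made up) so the logic can be tried offline.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Administrator'
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-500'
        Disabled = $false; PasswordRequired = $true }),
    (New-Object PSObject -Property @{ Name = 'Guest'
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-501'
        Disabled = $false; PasswordRequired = $false }),
    (New-Object PSObject -Property @{ Name = 'alice'
        SID = 'S-1-5-21-1111111111-2222222222-3333333333-1003'
        Disabled = $false; PasswordRequired = $true })
)
Test-BuiltinAccount -Account $sample | Format-Table Account, Issue -AutoSize

# Live check: restrict to local accounts so a domain member does not enumerate the domain.
# $local = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True'
# Test-BuiltinAccount -Account $local | Format-Table Account, Issue, SID -AutoSize
```

With the sample data, the function reports the default Administrator name and two findings for Guest (turned on, and no password required); `alice` produces none.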
Except for the Administrator and Guest accounts, local user accounts are not created automatically when Windows XP Professional is installed. Instead, local user accounts must be created by a member of the Administrators group after the installation is complete. In turn, only domain-level Administrators and Account Operators can create domain accounts.
User accounts, which include information such as the user's name, alias, password, and unique security identifier (SID), enable users to log on to the network or local computer and to access local and network resources. Any domain or local user can then manage permissions on resources on the local computer — as long as the user has change permission rights on the resource.
To create, delete, and manage user accounts, administrators can use User Accounts in Control Panel, the Local Users and Groups snap-in to the Microsoft Management Console (if the user account is local to a particular computer), or the Active Directory Users and Computers snap-in (if the account is to participate in a domain). For more information about creating, deleting, and managing user accounts, see "Local Users and Groups" in Windows XP Professional Help and Support Center.