Local User and Group Accounts
Windows XP allows you to create local user
and group accounts to which you can assign permissions to
resources and rights to perform certain tasks. When you create
a local user or group account on Windows XP, it is stored in the
local security database (the SAM) and can be used only on the
local computer. If the computer is a member of a domain, you need
a domain user account instead of a local user account to be able
to access resources in the domain. If the computer is a member of
a workgroup and you want to be able to log on to other computers
using a single user name, you need to create an identical user
account (same user name and same password) on each of the
computers you want to access.
Windows XP provides two built-in users, Administrator
and Guest. The Administrator account is a member
of the local Administrators group and has full permissions
to all local resources by default. This is the account you
use to configure your computer, i.e. create other user accounts
and assign permissions and rights. You cannot delete the
Administrator account; you can disable it, but a disabled
Administrator account can still log on when the computer is
started in Safe Mode. The Guest account is disabled by
default. An Administrator can enable it to allow guests,
people who do not have a user account, to log on to the computer.
You should rename the built-in accounts to make it more difficult
for a malicious individual to gain access by guessing account
names and passwords. Renaming does not change the account's
security identifier (SID): the built-in Administrator always has
relative identifier 500, so anyone who can enumerate accounts by
SID will still find it. Renaming raises the bar for casual
guessing; it does not hide the account.
The main purpose of a local group account
is to simplify administration by allowing permissions and
rights to be assigned to a collection of users instead of
to individual users. When you assign or change permissions
or rights for a group, all members of that group receive
those permissions or rights. Local groups cannot have other
local groups as members, only user accounts (on a computer that
is a member of a domain, domain users and domain groups can be
members as well). Windows XP includes the following groups by
default:
• Administrators – Have
full permissions by default and can change their own permissions
and rights as well as those of other users and groups. Can
also take ownership of files.
• Backup Operators – Can back up or restore
files without being limited by file permissions. Backup Operators
can also log on locally and shutdown the system.
• Guests – Have the same permissions
and rights as the Users group by default. The Guest user account
is the only member and is disabled by default.
• Network Configuration Operators – Have
limited administrative access to configure network settings.
• Power Users – Have limited administrative
access. They can create local user accounts and local groups,
and modify or delete only the accounts and groups they created
themselves. They can remove users from the Power Users, Users,
and Guests groups but cannot modify the Administrators or
Backup Operators groups. Power Users can also install most
applications and change a number of system-wide settings, which
in practice is enough to take over the computer: when assessing
risk, treat membership of Power Users as equivalent to
membership of Administrators.
• Remote Desktop Users – Have the right
to log on remotely, i.e. to use the Remote Desktop
feature to connect and log on to this computer.
• Replicator – Group account used for
file replication in a domain. Do not add regular user accounts
to this group.
• Users – Have sufficient permissions
and rights to run certified Windows applications, but cannot
run most legacy applications. This prevents regular users
from making system-wide changes. Members of the Users group
can create local groups and modify only the groups they created
themselves; they cannot modify or delete other groups.
• HelpServicesGroup – Group for the Help
and Support Center.
Following are some of the special identities
in Windows XP that are similar to groups, but to which users
are automatically added depending on how they access the computer.
You cannot add users to these groups manually, but you can
assign permissions to them.
• Anonymous Logon –
Users that connected without authenticating, for example
through a null session.
• Authenticated Users – Users that connected
and are authenticated by the local computer. Does not include
the Guest account.
• Everyone – Includes Authenticated
Users and Guest. Unlike Windows 2000, Windows XP does not
include Anonymous Logon in Everyone unless the security option
Network access: Let Everyone permissions apply to anonymous
users is enabled.
• Interactive – Users that logged on locally
or through a Remote Desktop connection.
• Network – Users that connected over
the network and are logged on to the local computer.
Account settings
You can manage users and groups on your local
computer by using the Local Users and Groups snap-in
of Computer Management, shown below. To create a
new account, right-click the Users or Groups
container and select New User or New Group.
To rename, delete, or set a password for a user account,
right-click it in Local Users and Groups and select
the corresponding task. Be aware that resetting another user's
password this way (as opposed to the user changing it) makes that
user's EFS-encrypted files, stored network passwords and personal
certificates inaccessible, because the keys protecting them are
derived from the old password; Windows XP warns about this before
it applies the reset.
To change the settings of a user or group
account, double-click it to open its properties. On the General
tab of a user account’s properties, shown below, you
can enter a full name and a description for the user account.
Additionally, the General tab provides
the following account settings:
• User must change password at
next logon – When this setting is enabled, the
user will be required to change the password the next time
he or she logs on.
• User cannot change password – When
this setting is enabled, the user cannot change the password.
• Password never expires – When this
setting is enabled, the password will not expire even if it
is older than specified in the Maximum password age
policy.
• Account is disabled – When this setting
is enabled, the user account is disabled and cannot be
used to log on.
• Account is locked out – This setting
is enabled automatically when a user enters an incorrect
password as many times as specified in the Account
lockout threshold policy. The account stays locked
out for the duration specified in the Account lockout
duration policy, or until an Administrator clears this
check box manually. Both Account Lockout Policy
settings are discussed in the next section.
The Member Of tab of a user account’s
Properties sheet lists the local groups of which
the user is a member. If you want to add a user to a group,
you can click the Add button on the Member Of
tab of a user account, or the Members tab of the
group account’s Properties.
The Profile tab allows you to provide
a path to the profile (discussed in the Desktop
Environment TechNotes) and a logon script. You can
also provide a path for a user's home folder, and optionally
map it to a drive letter. These options are typically only
used when the computer is a member of a domain.
Another, limited way to manage local users
is by using User Accounts from the control panel.
One option of User Accounts that is worth mentioning
is the Manage my network passwords, available under
Related Tasks, which provides access to the Stored
User Names and Passwords dialog. The latter will be discussed
in more detail in the Local Security Configuration TechNotes.
Account Policy
Account policies are group policy settings
that can be used to enforce a password and account lockout
policy for the local computer. You can access the account
policy settings in the Account Policies section of
the Local Security Policy, which is available in
Administrative Tools, and in the Security Settings folder
under Computer Configuration, Windows Settings in the
Group Policy editor (gpedit.msc). You must
be a member of the Administrators group to be able to configure
account policy settings. On a computer that is a member of a
domain, the account policy defined in the domain overrides the
local settings, also for local accounts. Windows includes the
following account policy settings:
Password Policy
• Enforce password history – Specifies
how many new passwords have to be used before an old
password can be reused (0 to 24). The default value on a
stand-alone Windows XP computer is 0, which means Windows XP
does not maintain a password history at all.
• Maximum password age – Specifies the
maximum number of days the same password can be used before
requiring the user to change it. The default value is 42.
The password will not expire if you set the value to 0.
• Minimum password age – Specifies how
many days a password must be used before the user can change
it. The default value is 0. Set it to at least 1 day when you
enforce a password history; otherwise a user can cycle through
the whole history in a few minutes and return to the old
password.
• Minimum password length – Specifies
the minimum password length. MS recommends a minimum of 8.
A password won’t be required if you set the value to
0.
• Passwords must meet complexity requirements
– Enable this policy to enforce the following minimum
requirements for passwords:
o Cannot contain the user's account name, nor any part
of the user's full name that is three or more characters long
(both checks are case-insensitive)
o Must be 6 characters in length or longer
o Must contain characters from three
of the following four categories:
- Uppercase characters
(A through Z)
- Lowercase characters
(a through z)
- 0 through 9
- Nonalphanumeric
characters (e.g., !, $, #, %)
• Store password using reversible encryption for
all users in the domain – Enabling this policy
allows applications using authentication protocols that require
plaintext passwords, such as CHAP, access to the password. It
makes every stored password equivalent to plaintext for anyone
who can read the security database. Never enable this option.
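The complexity rule can be exercised in code. The following Python script is an added example, not part of the original TechNotes and not Microsoft's filter itself: it reimplements the three checks listed above, plus the full-name token check that Microsoft documents for the stock filter (passfilt.dll). The account name and full name used in the sample run (jdoe, John Doe) are constructed.

```python
"""Windows XP "Passwords must meet complexity requirements" rule, reimplemented.

Added example, not part of the original TechNotes. The three checks (no account
name, at least 6 characters, three of four character classes) are the ones the
policy documents. The full-name token check mirrors the stock filter
(passfilt.dll) as Microsoft documents it; treat it as an assumption if a
third-party password filter is installed.
"""
import re
import string

# Delimiters the stock filter uses to split the full name into tokens; tokens of
# fewer than 3 characters are ignored. (Assumed from Microsoft's passfilt docs.)
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_LENGTH = 6
REQUIRED_CLASSES = 3


def character_classes(password):
    """Return the set of character classes present: upper, lower, digit, symbol.

    Only ASCII letters, digits and punctuation count; other characters (space,
    accented letters) add no class, which is the conservative reading of the rule.
    """
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_complexity(password, account_name, full_name=""):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    lowered = password.lower()          # all name checks are case-insensitive

    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")

    for token in _NAME_DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains part of the full name ({token})")

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    found = character_classes(password)
    if len(found) < REQUIRED_CLASSES:
        problems.append(f"uses only {len(found)} of the 4 character classes")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: account jdoe, full name "John Doe".
    for candidate in ("Summer2003!", "jdoe#2003", "password", "Ab1!", "Doe-sanna1"):
        result = check_complexity(candidate, "jdoe", "John Doe") or ["ok"]
        print(f"{candidate:12} -> {'; '.join(result)}")
```

Minimum password length is a separate policy and is not modelled here; a password that passes check_complexity() can still be refused because it is shorter than that setting. The snap-in only reports a complexity failure after you click OK, so running the candidate through a check like this first saves a round trip when scripting account creation.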
Account Lockout Policy
• Account lockout duration – Specifies
the number of minutes a locked-out account remains locked
out before automatically being unlocked. If you set the value
to 0, the account will remain locked out until an administrator
manually unlocks it (by disabling the Account is locked
out user account setting in Local Users and Groups).
• Account lockout threshold – Specifies
the number of failed logon attempts that result in a user
account becoming locked out. Accounts will never be locked
out if you set this value to 0. This setting does not apply
to failed password attempts on a computer locked using Ctrl+Alt+Delete
or a screen saver. The built-in Administrator account is never
locked out by this policy, which is one more reason to rename it
and give it a long password. Keep in mind that lockout is also
a denial-of-service lever: anyone who can reach the logon
prompt or a share can lock out every account whose name they
know.
• Reset account lockout counter after –
Specifies the number of minutes that must elapse after the last
failed logon attempt before the counter of failed attempts is
reset to 0. Windows requires this value to be less than or
equal to a non-zero Account lockout duration.
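The three lockout settings interact in ways that are easy to misjudge, so here is the policy as a small state machine. This is an added Python example, not part of the original TechNotes: the LockoutPolicy and Account classes and their method names are this example's own, time is expressed in minutes as plain numbers, and the exemption of the built-in Administrator account (RID 500) reproduces Windows XP behaviour rather than anything in the policy editor.

```python
"""Account Lockout Policy as a state machine.

Added example, not part of the original TechNotes: it models how the three
settings (threshold, duration, reset counter) act on a single account so the
0-value special cases and the counter reset can be exercised without a lab
machine. Time is expressed in minutes as plain numbers.
"""
import math


class LockoutPolicy:
    def __init__(self, threshold, duration_min, reset_after_min):
        # Windows enforces the same constraint in the Local Security Policy UI:
        # the reset interval may not exceed a non-zero lockout duration.
        if threshold and duration_min and reset_after_min > duration_min:
            raise ValueError("Reset account lockout counter after must be <= Account lockout duration")
        self.threshold = threshold          # 0 = accounts are never locked out
        self.duration_min = duration_min    # 0 = locked until an administrator unlocks
        self.reset_after_min = reset_after_min


class Account:
    def __init__(self, policy, builtin_administrator=False):
        self.policy = policy
        # The built-in Administrator (RID 500) is exempt from lockout on XP.
        self.builtin_administrator = builtin_administrator
        self.bad_count = 0
        self.last_bad_at = None
        self.locked_until = None   # None: not locked; math.inf: needs manual unlock

    def is_locked(self, now):
        if self.locked_until is None:
            return False
        if now >= self.locked_until:     # duration elapsed: automatic unlock
            self.unlock()
            return False
        return True

    def unlock(self):
        """What an administrator does by clearing 'Account is locked out'."""
        self.locked_until = None
        self.bad_count = 0

    def logon(self, now, password_correct):
        """Return 'ok', 'bad_password' or 'locked_out' for one logon attempt."""
        if self.is_locked(now):
            return "locked_out"           # even a correct password is refused
        if password_correct:
            self.bad_count = 0            # a successful logon clears the counter
            return "ok"
        p = self.policy
        # Counter reset: failures older than the reset window no longer count.
        if self.last_bad_at is not None and now - self.last_bad_at >= p.reset_after_min:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad_at = now
        if p.threshold and not self.builtin_administrator and self.bad_count >= p.threshold:
            self.locked_until = math.inf if p.duration_min == 0 else now + p.duration_min
        return "bad_password"


if __name__ == "__main__":
    acct = Account(LockoutPolicy(threshold=3, duration_min=30, reset_after_min=30))
    for minute, ok in ((0, False), (1, False), (2, False), (3, True), (33, True)):
        print(f"t={minute:3} min correct={ok!s:5} -> {acct.logon(minute, ok)}")
```

The demo run shows the typical sequence: three wrong passwords at minutes 0 to 2 lock the account, the correct password at minute 3 is refused, and the correct password at minute 33 succeeds because the 30-minute duration has elapsed. Changing reset_after_min to 10 and spacing the failures more than ten minutes apart never reaches the threshold, and a duration of 0 keeps the account locked until unlock() is called.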
User Rights Assignments
Windows XP allows you to assign rights to
users and groups, which authorize users to perform specific
tasks on the local computer. Rights are not the same
as permissions; the latter are used to authorize access
for groups and users to objects such as files and printers.
You can assign these rights to user or group accounts in the
User Rights Assignments section of the Local
Security Policy, which is available in Administrative
Tools. You can also find them under Local
Policies in the Security Settings folder under
Computer Configuration, Windows Settings in the Group Policy
editor (gpedit.msc). There are two different types of user
rights: logon rights and privileges. The
following list shows some of the common user rights of both
types.
Logon Rights
• Log on locally – Allows a user to log
on at the computer's keyboard (an interactive logon).
• Log on as a service – Allows an account to be used
as the logon identity of a service, so the service runs with
that account's permissions and rights instead of as LocalSystem.
• Access this computer from a network – Allows
a user access to this computer through a network connection,
e.g. to a shared folder.
• Allow logon through terminal services – Allows
a user to log on to this computer through a Remote Desktop
connection.
• Deny logon locally – Explicitly denies local logon
to users who would otherwise hold the Log on locally right
through group membership. A deny right always takes precedence
over the matching allow right.
• Deny logon through terminal services – Explicitly
denies Remote Desktop access to users who would otherwise
hold the Allow logon through terminal services right through
group membership.
Privileges
• Load and unload device drivers – Specifies
which users can load and unload device drivers for Plug and
Play devices.
• Change the system time – Specifies
which users can change the system time.
• Manage auditing and security log –
Specifies which users are allowed to specify object access
auditing options for individual resources. A user who has
this privilege also can view and clear the security log from
Event Viewer.
• Remove computer from docking station –
Specifies which users are allowed to remove their portable
computer from a docking station by selecting Eject PC
from the Start menu.
• Restore files and directories – Specifies
which users are allowed to bypass file and directory permissions
when restoring backed-up data. Together with Back up files
and directories this is a powerful privilege: whoever holds it
can read or overwrite any file on the computer, so grant it
only to Administrators and Backup Operators.
• Shut down the system – Specifies which
users are allowed to shut down the computer.
See the User Rights Assignment reference for a more complete
and detailed overview of the available user rights in Windows
XP.
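Both the Account Policies of the previous section and the User Rights Assignments described here can be audited offline from a template exported with secedit /export /cfg secpol.inf, a command that ships with Windows XP. The Python script below is an added example, not part of the original TechNotes: parse_inf(), principals(), has_logon_right() and audit() are its own helpers, SAMPLE_INF is a constructed stand-in for a real export, and the thresholds as well as the BROAD and SENSITIVE lists are this example's audit choices rather than Windows XP defaults. The well-known SIDs and the Se... constants are the real ones secedit uses.

```python
"""Offline audit of a Windows XP local security policy exported with
    secedit /export /cfg secpol.inf
(the export is UTF-16; open it with encoding="utf-16" before calling audit()).
Added example, not part of the original TechNotes; SAMPLE_INF is constructed
and BROAD/SENSITIVE are this example's own audit choices, not XP defaults.
"""

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-7": "ANONYMOUS LOGON", "S-1-5-11": "Authenticated Users",
    "S-1-5-4": "INTERACTIVE", "S-1-5-2": "NETWORK", "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users", "S-1-5-32-546": "Guests", "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators", "S-1-5-32-555": "Remote Desktop Users",
}
RIGHT_NAMES = {  # secedit constant -> name shown in User Rights Assignment
    "SeInteractiveLogonRight": "Log on locally",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeRemoteInteractiveLogonRight": "Allow logon through Terminal Services",
    "SeDebugPrivilege": "Debug programs",
    "SeRestorePrivilege": "Restore files and directories",
}
BROAD = {"Everyone", "Authenticated Users", "Users", "Guests", "Power Users",
         "ANONYMOUS LOGON", "INTERACTIVE", "NETWORK"}
SENSITIVE = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege",
             "SeRemoteInteractiveLogonRight", "SeServiceLogonRight"}

SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
NewAdministratorName = "Administrator"
EnableGuestAccount = 1
[Privilege Rights]
SeInteractiveLogonRight = Guest,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeDenyNetworkLogonRight = Guest
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
"""


def parse_inf(text):
    """Minimal parser for the INI-style template secedit writes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def principals(value):
    """'Guest,*S-1-5-32-544' -> ['Guest', 'Administrators'] (SIDs carry a leading *)."""
    names = []
    for item in value.split(","):
        item = item.strip().lstrip("*")
        if item:
            names.append(WELL_KNOWN_SIDS.get(item, item))
    return names


def has_logon_right(cfg, right, memberships):
    """Effective logon right for a principal: the matching Deny right always wins."""
    rights = cfg.get("Privilege Rights", {})
    held = set(memberships)
    allowed = held & set(principals(rights.get(right, "")))
    denied = held & set(principals(rights.get("SeDeny" + right[2:], "")))
    return bool(allowed) and not denied


def audit(text):
    """Return a list of findings; an empty list means the template passes."""
    cfg = parse_inf(text)
    acc = cfg.get("System Access", {})
    checks = [  # (key, acceptable?, finding text)
        ("MinimumPasswordLength", lambda v: v >= 8, "Minimum password length is below 8"),
        ("PasswordComplexity", lambda v: v == 1, "Password complexity requirements are disabled"),
        ("PasswordHistorySize", lambda v: v > 0, "Password history is 0: old passwords reusable at once"),
        ("LockoutBadCount", lambda v: v > 0, "Lockout threshold is 0: online guessing is unlimited"),
        ("ClearTextPassword", lambda v: v == 0, "Reversible (plaintext-equivalent) storage is enabled"),
        ("EnableGuestAccount", lambda v: v == 0, "Guest account is enabled"),
    ]
    findings = [msg for key, ok, msg in checks if not ok(int(acc.get(key, "0")))]
    if acc.get("NewAdministratorName") == "Administrator":
        findings.append("Built-in Administrator account has not been renamed")
    for right, value in cfg.get("Privilege Rights", {}).items():
        broad = sorted(BROAD & set(principals(value)))
        if right in SENSITIVE and broad:
            findings.append(f"{RIGHT_NAMES.get(right, right)} is granted to {', '.join(broad)}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF)))
```

has_logon_right() shows the deny-overrides-allow rule in practice: in SAMPLE_INF the Guest account is listed by name under SeInteractiveLogonRight, yet it cannot log on locally because the Guests group it belongs to is listed under SeDenyInteractiveLogonRight. Extend RIGHT_NAMES and SENSITIVE to match your own baseline; the audit only reports what those two tables tell it to look for.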