Local Users and Groups

Windows allows for multiple users to log on to a single machine, each user will posses differing access rights to the resources located on the machine. Users and the groups to which they belong form the cornerstone of Windows file and folder security.  For each physical user on a machine, a user account must be created.  Permission to access a resource, such as a file may be granted to an individual user and denied to another. Users can also be given permission to perform differing administrative tasks such as installing drivers.  If multiple users require access to a file, rather than assign permissions to each user, all users who access the file may be placed into a group and permissions to access the file given to that group. Any user who is a member of that group may then access the file.  Users may be members of more then one group thereby building a catalogue of permissions to multiple resources. Groups may also be members of other groups this is known as group-nesting.

Use the buttons below to navigate through the lesson

User accounts are stored in an encrypted database called the SAM (Security accounts Manager). When a user logs on, credentials are verified with the SAM database.

Windows XP has 4 built in user accounts these are as follows:

  • Administrator: The Administrator user account has full access to the system and this account should be secure. An administrator can read and access any other user’s files and change any of the settings on the computer. A good security practice is to rename the Administrator account to something less obvious.
  • Guest: The Guest user account has very limited access to the computer and is disabled by default.
  • HelpAssistant: The HelpAssistant account can be used to allow a user to remotely access the computer via remote assistance for the sole purpose of troubleshooting user problems. This account is disabled by default.
  • Support: The support user account is used by the Microsoft help and support service and is disabled by default.

Windows XP has 9 built in group-accounts these are as follows:

  • Administrators: Members of the administrator group have full access to the system. By default the administrator user account is a member.
  • Backup Operators: Members of the Backup Operators group are allowed to backup and restore the system even if they do not have permission to access the files and folders.
  • Guests: Members of the guests group have very limited access to the operating system. The guest user account is a member by default
  • Network Configuration Operators: Members of the network configuration operators group are allowed to configure network related settings on the local machine.
  • Power Users: Members of the Power Users group have slightly less privileges that members of the administrators group. Power Users cannot install device drivers. Members of the power users group can run legacy software not compatible with Windows XP/2003 security.
  • Remote Desktop Users: Members of the Remote Desktop Users group are allowed to access the local machine remotely by using a Remote Desktop Connection.
  • Replicator: A group account used by the computer to control replication on a domain.
  • Users: Members of the Users group have just enough access to the computer to work, users are not allowed to install and remove software or configure disks and hardware or create new user accounts..
  • HelpServicesGroup: The HelpServicesGroup is used by the Windows Help and Support Centre.

Roaming Profiles

Roaming profiles are a way of allowing a user to log onto any computer in a workgroup or domain and have the same user profile as if he was logging onto his own local machine.

The user’s documents, settings and home folders will be available to him no matter which machine he/she is using.

A user profile is stored on a network share. This profile is then downloaded to the relevant machine when the user logs onto that machine.

User profiles are covered in greater detail later on in this course.