Local Users and Groups

The control panels you’ve read about so far in this chapter are designed for simplicity and convenience, but not for power. Windows offers a second way to create, edit, and delete accounts: an alternative window that, depending on your taste for technical sophistication, is either intimidating and technical or liberating and flexible.

It’s called the Local Users and Groups console.

Opening the Console

The quickest way to open up the Local Users and Groups window is to press +R to open the Run dialog box, type out Lusrmgr.msc, and authenticate yourself if necessary. (Microsoft swears that “Lusrmgr.msc” is not short for “loser manager,” even though network administrators might hear that in their heads.)

The Local Users and Groups console appears, as shown in Figure 24-8.

Local Users and Groups is a Microsoft Management Console (MMC) snap-in. MMC is a shell program that lets you run most of Windows’ system administration applications. An MMC snap-in typically has two panes. You select an item in the left (scope) pane to see information about it displayed in the right (detail) pane.

Figure 24-8. Local Users and Groups is a Microsoft Management Console (MMC) snap-in. MMC is a shell program that lets you run most of Windows’ system administration applications. An MMC snap-in typically has two panes. You select an item in the left (scope) pane to see information about it displayed in the right (detail) pane.

In this console, you have complete control over the local accounts (and groups, as described in a moment) on your computer. This is the real, raw, unshielded command center, intended for power users who aren’t easily frightened.

If you’re on a small network, remember that you’ll have to create a new account for each person who might want to use this computer—or even to access its files from across the network. If you use the Local Users and Groups console to create and edit these accounts, you have much more control over the new account holder’s freedom than you do with the User Accounts control panel.

Creating a New Account

To create a new account in the Local Users and Groups console, start by double-clicking the Users folder in the middle of the window. It opens to show you a list of the accounts already on the machine. It includes not only the accounts you created during the Windows installation (and thereafter), but also the Guest and secret Administrator accounts described earlier in this chapter.

To create a new account, choose Action→New User. In the New User dialog box (Figure 24-9), type a name for the account, the person’s full name, and, if you like, a description. (The description can be anything you like, although Microsoft no doubt has in mind “Shipping manager” rather than “Short and balding.”)

When you first create a new user, the “User must change password at next logon” checkbox is turned on. It’s telling you that no matter what password you make up when creating the account, your colleague will be asked to make up a new one the first time he logs in. This way, you can assign a simple password (or no password at all) to all new accounts, but your underlings will still be free to devise passwords of their own choosing, and the accounts won’t go unprotected.

Figure 24-9. When you first create a new user, the “User must change password at next logon” checkbox is turned on. It’s telling you that no matter what password you make up when creating the account, your colleague will be asked to make up a new one the first time he logs in. This way, you can assign a simple password (or no password at all) to all new accounts, but your underlings will still be free to devise passwords of their own choosing, and the accounts won’t go unprotected.

In the Password and Confirm Password text boxes, specify the password your new colleague will need to access the account. Its complexity and length are up to your innate sense of paranoia.

Tip

If you can’t create a new account, it’s probably because you don’t have the proper privileges yourself. You must have an Administrator account or belong to the Administrators group (Built-in groups).

If you turn off the “User must change password at next logon” checkbox, then you can turn on options like these:

User cannot change password. This person won’t be allowed to change the password you’ve just made up. (Some system administrators like to maintain sole control over the account passwords on their computers.)
Password never expires. Using software rules called local security policies, an administrator can make account passwords expire after a specific time, periodically forcing employees to make up new ones. It’s a security measure designed to foil intruders who somehow get hold of the existing passwords. But if you turn on this option, then the person whose account you’re creating will be able to use the same password indefinitely, no matter what the local security policy says.
Account is disabled. When you turn on this box, the account holder won’t be able to log on. You might use this option when, for example, somebody goes on sabbatical—it’s not as drastic a step as deleting the account, because you can always reactivate the account by turning the checkbox off. You can also use this option to set up certain accounts in advance, which you then activate when the time comes by turning this checkbox off again.

Note

When an account is disabled, a circled badge appears on its icon in the Local Users and Groups console. (You may have noticed that the Guest account appears this way when you first install Windows.)

When you click the Create button, you add the new account to the console, and you make the dialog box blank again, ready for you to create another new account, if necessary. When you’re finished creating accounts, click Close to return to the main console window.

Groups

As you may have guessed from its name, you can also use the Local Users and Groups window to create groups—named collections of account holders.

Suppose you work for a small company that uses a workgroup network. You want to be able to share various files on your computer with certain other people on the network. You’d like to be able to permit them to access some folders but not others. Smooth network operator that you are, you solve this problem by assigning permissions to the appropriate files and folders.

In fact, you can specify different access permissions to each file for each person. But if you had to set up these access privileges manually for every file on your hard drive, for every account holder on the network, you’d go out of your mind.

That’s where groups come in. You can create one group—called Trusted Comrades, for example—and fill it with the names of every account holder who should be allowed to access your files. Thereafter, it’s a piece of cake to give everybody in that group access to a certain folder in one swift step. You end up having to create only one permission assignment for each file, instead of one for each person for each file.

Furthermore, if a new employee joins the company, you can simply add her to the group. Instantly, she has exactly the right access to the right files and folders, without your having to do any additional work.

Creating a group

To create a new group, click the Groups folder in the left side of the Local Users and Groups console (Figure 24-8). Choose Action→New Group. Into the appropriate boxes (Figure 24-10), type a name for the group, and a description, if you like. Then click OK.

The New Group dialog box lets you specify the members of the group you’re creating. A group can have any number of members, and a person can be a member of any number of groups.

Figure 24-10. The New Group dialog box lets you specify the members of the group you’re creating. A group can have any number of members, and a person can be a member of any number of groups.

A Select Users dialog box appears. Here you can specify the members of your new group. Type the account holders’ names into the text box, separated by semicolons, and then click Check Names to make sure you spelled them right. (You can always add more members to the group, or remove them, later.)

Finally, click OK to close the dialog box, and then click Create to add the group to the list in the console. The box appears empty again, ready for you to create another group.

Built-in groups

You may have noticed that even the first time you opened the Users and Groups window, a few group names appeared there already. That’s because Windows comes with a canned list of ready-made groups that Microsoft hopes will save you some time.

For example, when you use the User Accounts control panel program to set up a new account, Windows automatically places that person into the Standard or Administrators group, depending on whether or not you made him an administrator. In fact, that’s how Windows knows what powers and freedoms this person is supposed to have.

Here are some of the built-in groups on a Windows 8 computer:

Administrators. Members of the Administrators group have complete control over every aspect of the computer. They can modify any setting, create or delete accounts and groups, install or remove any software, and modify or delete any file.
But as Spider-Man’s uncle might say, with great power comes great responsibility. Administrator powers make it possible to screw up your operating system in thousands of major and minor ways, either on purpose or by accident. That’s why it’s a good idea to keep the number of Administrator accounts to a minimum—and even to avoid using one for everyday purposes yourself.
Note
The Power Users group was a big deal in Windows XP. Power Users had fewer powers than Administrators but still more than mere mortals in the Users group. But Microsoft felt that they added complexity and represented yet another potential security hole. As of Windows 8, this group is abandoned.
Users. Standard account holders are members of this group. They can access their own Start screen and desktop settings, their own Documents folder, the Shared Documents folder, and whatever folders they create themselves—but they can’t change any computer-wide settings, Windows system files, or program files.
If you’re a member of this group, you can install new programs—but you’ll be the only one who can use them. That’s by design; any problems introduced by that program (viruses, for example) are limited to your files and not spread to the whole system.
Figure 24-11. In the Properties dialog box for a User account, you can change the full name or description, modify the password options, and add this person to or remove this person from a group. The Properties dialog box for a group is simpler still, containing only a list of the group’s members.
If you’re the administrator, it’s a good idea to put most new account holders into this group.
Guests. If you’re in this group, you have pretty much the same privileges as members of the Users group. You lose only a few nonessential perks, like the ability to read the computer’s system event log (a record of behind-the-scenes technical happenings).
In addition to these basic groups, there are some special-purpose groups like Backup Operators, Replicators, Cryptographic Operators, Event Log Readers, and so on. These are all groups with specialized privileges, designed for high-end network administration. You can double-click one (or widen its Description column) to read all about it.

Note

You can add an individual account to as many groups as you like. That person will have the accumulated rights and privileges of all those groups.

Modifying users and groups

To edit an account or group, just double-click its name in the Local Users and Groups window. A Properties dialog box appears, as shown in Figure 24-11.

You can also change an account password by right-clicking the name and choosing Set Password from the shortcut menu.