Before you can begin working with a device running Microsoft Windows 11, you must sign in with the credentials for a user account that is authorized to use that device. User accounts are an essential cornerstone of Windows security and are important in helping to provide a personalized user experience. As an administrator, you determine which user accounts are allowed to sign in to a specific device. In addition, you can configure user accounts on a Windows 11 device to accomplish the following goals:
Control access to files and other resources
Audit system events, such as sign-ins and the use of files and other resources
Sync files and settings between different computers when signing in with the same account on those computers
Authenticate automatically to email and other online services
Require each user to provide additional proof of their identity (also known as multifactor authentication) when signing in for the first time on a new device
The credentials associated with a user account consist of a username and password that serve as identification and, in theory, ensure that no one can use the computer or view files, email messages, and other personal data associated with a user account unless they’re authorized to do so.
If you believe your computer is in a secure location where only people you trust have physical access to it, you might be tempted to allow family members or coworkers to share your user account. We strongly caution against using that configuration and instead recommend that you create a user account for each person that uses the computer. Doing so allows each account to access its own user profile, store personal files and user preferences within that profile, and access cloud-based resources. With fast user switching, a feature described in this chapter, you can switch between user accounts with only a few clicks.
With the right hardware and some initial setup, you can sign in and sign out without having to enter your full credentials. The Windows Hello feature allows you to sign in using biometric information, such as facial recognition or a fingerprint. In this chapter, we also explain how you can install the Microsoft Authenticator app on a trusted mobile device and use it to sign in to a Microsoft account or Azure AD account without having to enter a password.
When you configure Windows 11 for the first time on a new computer (or on a PC with a clean installation of Windows), the setup program creates a profile for one user account, which is an administrator account. (An administrator account is one that has full control over the computer. For details, see “Administrator or standard user account?” later in this chapter.) Depending on what type of account you select during setup, that initial account can be a Microsoft account, an Azure Active Directory (Azure AD) account, or a local user account. A fourth user account type—an account on a local Active Directory domain—is available only on a managed network after this initial local account is created and you join the machine to the Windows domain. (For information about the differences between these account types, see the next section, “Choosing how you sign in.”)
If you upgrade to Windows 11 from Windows 10 and you had local accounts set up in your previous operating system, Windows migrates those accounts to your Windows 11 installation. These migrated accounts maintain their group memberships and passwords.
After signing in for the first time, you can go to Settings > Accounts to create new user accounts and make routine changes to existing accounts. The Your Info page enables you to configure your account picture and access Account Settings, as shown in Figure 10-1.
Figure 10-1 The Your Info page displays your account details.
You find different options and settings in Accounts depending on the type of account that you use (Microsoft account, Azure AD account, or local account), whether your account is a member of the Administrators group, and—if your computer is joined to a domain—whether group policies are in effect. On a computer joined to an Active Directory domain, all management of user accounts beyond basic tasks such as selecting a picture is normally handled by a domain administrator.
Some account-related settings are under the User Accounts heading in Control Panel, which is shown in Figure 10-2. Several of these settings duplicate functions that are available in Settings > Accounts.
Figure 10-2 Visiting this Control Panel page is rarely necessary, as most options for creating and managing accounts are available in the Settings app.
You can add a new account only from the Accounts page in Settings. You can remove an account or change its type from that location or its Control Panel counterpart. All the esoteric options along the left side of the User Accounts page, as well as the Change User Account Control Settings option, are available only in Control Panel.
As we mentioned earlier, Windows 11 supports four different varieties of user accounts, each defined by how they handle authentication.
When you set up a new account on a device running Windows 11, the default options strongly encourage you to sign in using a Microsoft account. You’ve probably used Microsoft accounts for years, perhaps without even knowing it. If you’ve signed up for a Microsoft service, including Outlook.com (or its predecessor, Hotmail), Microsoft 365 Family or Personal, Skype, or Xbox Live, you already have a Microsoft account. Every email address that ends with hotmail.com, msn.com, live.com, or outlook.com is, by definition, a Microsoft account.
During setup, you can enter the email address associated with an existing Microsoft account, or you can create a new email address in the outlook.com domain. However, you do not need to sign up for a Microsoft email address to create a Microsoft account; you can set up a Microsoft account using an existing personal email address from any email provider, including Gmail and other non-Microsoft services.
Signing in with a Microsoft account enables you to synchronize PC settings between multiple computers. If you use more than one PC—say, a desktop PC at work, a different desktop at home, a laptop for travel, and a tablet around the house—signing in with a Microsoft account lets you effortlessly use the same desktop background, stored passwords, account picture, accessibility configuration, and so on. The synchronization happens automatically and nearly instantly.
Some features in Windows 11, including OneDrive and family settings, require the use of a Microsoft account or an Azure AD account. It’s possible to use OneDrive and other services that depend on a Microsoft account even if you sign in to Windows with a different account type. However, in this configuration, you must sign in to each service individually, and some features might be unavailable or less convenient to use.
Under normal circumstances, you associate a single personal email address with your Microsoft account and use that address to sign in to Windows. But because every Microsoft account supports up to 10 email aliases, you can use any alias associated with your primary address to sign in using your Microsoft account.
To manage Microsoft account aliases, go to https://account.live.com/names/Manage and sign in with your Microsoft account. Under the Account Alias heading, click Add Email Address to create a new alias or use an existing personal email address as an alias. (Click Add Phone Number to use a mobile phone number as a username.) After verifying the added email address, you can make it the primary address and, if you wish, remove the old address. (Every alias uses the same password as the original account.)
Under the Sign-In Preferences heading, you can also change the settings for email aliases so that a specific alias can’t be used to sign in to your Microsoft account. That precaution allows you to use aliases to send and receive email but prevents them from being used to access your Microsoft account.
A local account is one that stores its sign-in credentials and other account data on your PC. A local account works only on a single computer. It doesn’t require an email address as the username, nor does it communicate with an external server to verify credentials.
This type of account was the standard in Windows for decades. In Windows 11, Microsoft recommends the use of a Microsoft account rather than a local user account for PCs that aren’t part of a managed business network. But using a Microsoft account is not a requirement; local accounts are still fully supported.
You might prefer a local account if your home or small business network includes computers running Windows 7 or earlier (that is, versions that do not explicitly support the use of Microsoft accounts).
For details, see “Sharing files, printers, and other resources over a local network” in Chapter 11, “Configuring Windows networks.”
In addition, some folks have privacy and data security concerns about storing personal information on the servers of a large corporation, whether that infrastructure is managed by Microsoft, Google, Apple, Amazon, or another cloud provider. Signing in with a local account minimizes the amount of information your PC exchanges with Microsoft’s servers.
You can switch between using a Microsoft account and a local account by going to Settings > Accounts > Your Info. On this page (shown earlier in Figure 10-1), click Sign In With A Local Account Instead. Windows leads you through a few simple steps to create a local account, which you then use for signing in.
If you’re currently signed in using a local account, the link on that page reads Sign In With A Microsoft Account Instead. Click that link to replace your local account with a Microsoft account. As part of making the switch, you need to enter your local password one more time. A few screens later, you’re connected to an existing Microsoft account or a new one you create. From that time forward, you sign in using your Microsoft account.
The third type of account, available during the initial setup of Windows 11 Pro, Enterprise, or Education, is a work or school account using Azure Active Directory. Azure AD offers some of the advantages of a Microsoft account, including support for two-factor authentication and single sign-on to online services, balanced by the capability of network administrators to impose restrictions using management software. These accounts are most common in medium-size and large businesses and schools.
Organizations that subscribe to Microsoft’s business-focused online services—including Business or Enterprise editions of Microsoft 365 (formerly known as Office 365), Microsoft Intune, and Microsoft Dynamics CRM Online—automatically have Azure AD services as part of their subscription. Every user account in that service automatically has a corresponding Azure AD directory entry.
You can connect an Azure AD account to a new Windows 11 installation during the initial setup of Windows 11, as we explain in “Performing a clean install,” in Chapter 2, “Setting up a new Windows 11 PC.” You can also associate a Windows 11 device with Azure AD after it has been set up to use a local account or a Microsoft account. To accomplish this task, go to Settings > Accounts > Access Work Or School, and then click Connect. The resulting dialog, shown in Figure 10-3, gives you two options.
Figure 10-3 Adding a work or school account using the Settings app offers multiple options. The “Join this device” links give your organization control over the device.
The default option allows you to continue using your Microsoft account or your local account to sign in to Windows and simply adds your Azure AD account for easier access to Microsoft 365 services, including Exchange Online email and OneDrive for Business. If that’s your goal, click Next and follow the prompts.
If you want to reconfigure the PC so that you sign in to Windows using your Azure AD account, don’t enter an email address in the Set Up A Work Or School Account dialog; instead, click the Join This Device To Azure Active Directory link at the bottom of that dialog. That option opens the dialog shown in Figure 10-4. After you sign in using your Azure AD credentials, you have one final chance to confirm that you want to sign in with your organization’s credentials and allow administrators to apply policies to your device.
Figure 10-4 Enter credentials from an Azure Active Directory account, such as a Microsoft 365 Enterprise subscription, to join the device to that organization.
After connecting a Windows 11 PC to Azure AD, you can view and edit your user profile by going to Settings > Accounts > Your Info and clicking Manage My Accounts. You can use the tabs to manage security information, including sign-in methods and multifactor authentication. Depending on organizational settings, you might be able to reset your own password.
In organizations with a Windows domain server running Active Directory services, administrators can join a PC to the domain, creating a domain machine account. (This option is available only with Windows 11 Pro, Enterprise, or Education editions.) After this step is complete, any user with a domain user account can sign in to the PC and access local and domain-based resources. We cover this account type more fully in Chapter 19, “Managing Windows PCs in the enterprise.”
The backbone of Windows security is the ability to uniquely identify each user. While setting up a computer—or at any later time—an administrator creates one or more user accounts, each of which is identified by a username and is normally secured by a password. When the user signs in to the PC using these credentials, Windows controls access to system resources on the basis of the permissions and rights associated with each user account by the resource owners and the system administrator.
Windows classifies each user account as one of two account types:
Administrator Members of the Administrators group are classified as administrator accounts. By default, the Administrators group includes the first account you create when you set up the computer and an account named Administrator that is disabled and hidden by default. Unlike other account types, administrators have full control over the system.
Standard user Members of the Users group are classified as standard user accounts. Standard users have limited administrative access but can perform basic administrative functions, such as modifying the properties of their own account or managing Windows updates.
Assigning an appropriate account type to the people who use a computer is straightforward. At least one user must be an administrator; naturally, that should be the person who manages the computer’s use and maintenance. As a best practice, all other regular users should have standard user accounts.
Note
For computers running Windows 11 that you join to Azure AD, you can specify a user within your Azure AD tenant as a device administrator; this task can be accomplished automatically during the Azure AD join process.
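The group memberships described above are what actually define an account’s type. The following PowerShell script is an added example (not from the book or from Microsoft) that lists every local account with the type derived from its Administrators or Users membership and flags any enabled administrator other than the one you designate; it assumes the Microsoft.PowerShell.LocalAccounts module, an elevated console, and the placeholder name Alice for the designated administrator.

```powershell
# Added example: audit which local accounts hold administrator rights so that
# only the designated administrator keeps them (everyone else: standard user).
# Assumes Microsoft.PowerShell.LocalAccounts (Windows PowerShell 5.1 or
# PowerShell 7 on Windows) and a console run as administrator.
# $DesignatedAdmin is an assumed placeholder; use the account that manages the PC.

$DesignatedAdmin = 'Alice'

function Get-LocalAccountType {
    # Returns each local user with its effective account type, derived from
    # membership in the Administrators or Users group. Domain and Azure AD
    # principals that were added to these groups are not local users and are
    # therefore outside this report.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $users  = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue

    foreach ($u in Get-LocalUser) {
        $sid     = $u.SID.Value
        $isAdmin = $admins | Where-Object { $_.SID.Value -eq $sid }
        $isUser  = $users  | Where-Object { $_.SID.Value -eq $sid }

        if ($isAdmin)    { $type = 'Administrator' }
        elseif ($isUser) { $type = 'Standard user' }
        else             { $type = 'No group membership' }

        [pscustomobject]@{
            Name        = $u.Name
            SID         = $sid
            Enabled     = $u.Enabled
            AccountType = $type
        }
    }
}

$report = Get-LocalAccountType
$report | Format-Table -AutoSize

# Flag extra administrators: enabled members of Administrators other than the
# designated one. The built-in Administrator account is disabled by default,
# so it is reported but not flagged unless someone has enabled it.
$extra = $report | Where-Object {
    $_.AccountType -eq 'Administrator' -and $_.Enabled -and $_.Name -ne $DesignatedAdmin
}

foreach ($acct in $extra) {
    Write-Warning "Account '$($acct.Name)' is an administrator but is not the designated admin."
    # To demote it to a standard user (the same change as choosing Standard User
    # in Settings > Accounts > Other Users), uncomment the next two lines.
    # Remove-LocalGroupMember -Group 'Administrators' -Member $acct.Name
    # Add-LocalGroupMember    -Group 'Users' -Member $acct.Name -ErrorAction SilentlyContinue
}
```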
With options in Settings and Control Panel, you can make changes to your own account or to another user’s account.
To change your own account, go to Settings > Accounts > Your Info, shown earlier in Figure 10-1. Even quicker: Open Start, click or tap your account picture, and then choose Change Account Settings.
Here, you can change your account picture, either by browsing for a picture file or by using your webcam to take a picture. If you sign in with a Microsoft account, the Manage My Accounts link opens your default web browser and loads your account page at https://account.microsoft.com. On that page, you can change your password or edit the name associated with your Microsoft account. Click other links along the top of the page to review your services and subscriptions, security settings, and order history, and to review or change your payment options. You can also get information about other devices associated with your Microsoft account.
If you have added one or more users to your computer, you (as a computer administrator) can make changes to the account of each of those users. (For information about adding users, see “Adding a user to your computer” later in this chapter.)
To change a user’s account type, go to Settings > Accounts > Other Users. Click the name of the account you want to change, and click Change Account Type. Your choices are Standard User or Administrator, as described in the previous section.
If the person signs in with a Microsoft account, there are no other changes you can make. (You can’t make changes to someone else’s Microsoft account; only the owner of that account can make changes by signing in at https://account.microsoft.com.) For users who sign in with a local user account, you can make a few additional changes, but you must start from User Accounts in Control Panel (shown earlier in Figure 10-2). Click Manage Another Account, and then click the name of the account you want to change. You can make the following changes:
Account Name The name you’re changing here is the full name, which is the one that appears on the sign-in screen, on the Start menu, and in User Accounts.
Password You can create a password and store a hint that provides a reminder for a forgotten password. If the account is already password protected, you can use User Accounts to change the password or remove the password. For more information about passwords, see “Setting or changing a password” later in this chapter.
Account Type Your choices here are the same as in Settings > Accounts: Administrator (which adds the account to the Administrators group) or Standard User (which adds the account to the Users group).
Delete You can also delete the account, optionally choosing to either delete the user’s files or retain them.
If you sign in with a local user account, you can make the following additional changes to your own account (that is, the one with which you’re currently signed in) by clicking links in the left pane:
Manage Your Credentials This link opens Credential Manager, where you can manage stored credentials that you use to access network resources and websites. Note that the new Microsoft Edge browser, based on the Chromium engine, has its own store of saved credentials and ignores this one.
Create A Password Reset Disk This link, available only when you are signed in with a local account, launches the Forgotten Password Wizard, from which you can create a password reset tool on removable media. As an alternative, Windows 11 allows you to recover from a lost password using answers to the password reset questions you chose when setting up the account.
Manage Your File Encryption Certificates This link opens a wizard you can use to create and manage certificates that enable the use of Encrypting File System (EFS). EFS, which is available in Pro and Enterprise editions of Windows 11, is a method of encrypting folders and files so that they can be accessed only by someone who has the appropriate credentials. For more information, see “Encrypting information” in Chapter 12, “Windows security and privacy.”
Configure Advanced User Profile Properties This link is used to switch your profile between a local profile (one that is stored on the local computer) and a roaming profile (one that is stored on a network server in a domain environment). With a local profile, you end up with a different profile on each computer you use, whereas a roaming profile is the same regardless of which computer you use to sign in to the network. Roaming profiles require a domain network running Windows Server Active Directory services. Microsoft accounts and Azure AD accounts use a different mechanism to sync settings.
Change My Environment Variables Of interest primarily to programmers, this link opens a dialog in which you can create and edit environment variables that are available only to your user account; in addition, you can view system environment variables, which are available to all accounts.
As a local administrator, you can delete any local account or Microsoft account set up on a Windows 11 PC, unless that account is currently signed in. To delete an account, go to Settings > Accounts > Other Users and click the name of the account you want to delete. Then click Remove. Windows then warns about the consequences of deleting an account, which include removing the user’s files.
Note
Windows won’t let you delete the last local account on the computer, even if you signed in using the built-in account named Administrator. This limitation helps to enforce the sound security practice of using an account other than Administrator for your everyday computing.
After you delete an account, that user can no longer sign in. Deleting an account also has another effect you should be aware of: You cannot restore access to resources that are currently shared with the user simply by re-creating the account. This includes files shared with the user and the user’s encrypted files, personal certificates, and stored passwords for websites and network resources. That’s because those permissions are linked to the user’s original security identifier (SID)—not the username. Even if you create a new account with the same name and password, it will have a new SID, which will not gain access to anything that was restricted to the original user account. (For more information about security identifiers, see “Introducing access control in Windows” later in this chapter.)
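To see the SID behavior described above in practice, the following PowerShell script is an added example (not from the book or from Microsoft). It records the SID of each local account, which is worth keeping before you delete one, and then scans a folder for access control entries whose SID no longer resolves to any account; those orphaned entries are exactly what a re-created account with a new SID cannot use. It assumes the Microsoft.PowerShell.LocalAccounts module, an elevated console, and the placeholder folder C:\Shared.

```powershell
# Added example: record local account SIDs, then find ACL entries left behind
# by a deleted account (orphaned SIDs that no longer map to any principal).
# Assumes Microsoft.PowerShell.LocalAccounts and a console run as administrator.
# $Path is an assumed placeholder folder to inspect.

$Path = 'C:\Shared'

function Get-LocalAccountSid {
    # Map each local user name to its SID. Keep this output before deleting an
    # account: permissions, EFS certificates and stored credentials are tied to
    # the SID, and a new account with the same name receives a different SID.
    Get-LocalUser | Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }
}

function Test-SidResolves {
    param([string]$SidString)
    # Returns $true if the SID still maps to an account, $false if it is orphaned.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        # IdentityNotMappedException (or any other failure) means no matching account.
        return $false
    }
}

function Find-OrphanedAce {
    param([string]$Root)
    # Walk the folder tree and report ACEs that reference a SID with no account.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            # When Windows cannot translate a SID to a name, Get-Acl shows the
            # raw SID string (S-1-...) as the IdentityReference.
            $id = $ace.IdentityReference.Value
            if ($id -like 'S-1-*' -and -not (Test-SidResolves $id)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $id
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}

Get-LocalAccountSid | Format-Table -AutoSize
Find-OrphanedAce -Root $Path | Format-Table -AutoSize
```

Orphaned entries found this way can be removed from the ACL, or the files can be re-shared with the new account; neither happens automatically when the account is re-created.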
As we noted in the previous section, every account on a Windows 11 PC is backed by a set of credentials, comprising a username (which might be in the form of an email address) and a password. You can use those credentials to sign in to your account on a Windows 11 PC: At the sign-in screen, select your name (if it’s not already selected) and then enter a password.
Note
When you first turn on your computer or return to it after signing out, the lock screen is displayed. The lock screen normally displays a picture, the current time and date, and alerts from selected apps. (You can select your own lock screen picture and specify what information you want displayed on the lock screen. For details, see “Customizing the lock screen and sign-in screen” in Chapter 4.) To get from the lock screen to the sign-in screen, click anywhere, press any key, or (if you have a touchscreen) swipe up.
Signing in with a strong password can be inconvenient, especially when it’s long and consists of a mix of upper- and lowercase letters, numbers, and special characters. The degree of difficulty becomes even more extreme when you need to enter that strong password on a device where the physical keyboard is unavailable.
To make the sign-in process more convenient without sacrificing security, Windows 11 supports several options you can use in place of your account password. Figure 10-5 shows the full range of alternatives, which you can find by going to Settings > Accounts > Sign-In Options.
Figure 10-5 Windows Hello biometric options are available only if you have a compatible infrared camera or fingerprint reader.
The first three options on the list apply to Windows Hello, a feature that augments the Windows 11 sign-in process with a form of hardware-based security. Additional sign-in options on this page include tools for managing physical security keys, and setting up and managing Dynamic Lock.
If you set up more than one option for signing in, you can choose a method other than the default by clicking Sign-In Options on the sign-in screen. This ability might come in handy, for example, if Windows Hello fails to recognize your face or fingerprint. Icons for each of the options you set up then appear as shown in Figure 10-6; click or tap one to switch methods.
Figure 10-6 Click Sign-In Options to choose a different method for signing in. If Windows Hello biometric authentication is set up, icons for Face or Fingerprint might appear here.
Note that these alternative sign-in options also work for some applications, including the Microsoft Store.
In the following sections, we explain how to set up and manage each of these sign-in methods. We start with the most important secure sign-in option of all, which isn’t available in Settings.
The single greatest advantage of signing in with a Microsoft account or an Azure AD account, as far as we’re concerned, is support for multifactor authentication, which provides security for your PC and its data. (This feature is often called two-factor authentication, or 2FA, but it can also be referred to as two-step verification.) It takes just a few minutes to set up, and the result is a layer of protection that helps prevent a malicious person from using stolen credentials to impersonate your identity.
The most common form of 2FA uses an authenticator app installed on a mobile phone to provide a secondary form of proof of identity when necessary. In that case, the two factors are the classic “something you know” (your password) and “something you have” (the mobile device that you’ve set up as a trusted device). The combination of those two factors creates a hurdle that will stop all but the most determined attackers.
To turn on this feature for a Microsoft account, go to https://account.live.com/proofs and sign in. On that page, you can add approved contact info for receiving security requests and turn on two-step verification.
For devices that are connected to an organization using Azure AD, an administrator must enable multifactor authentication; after that step is complete, users can manage security verification from the Azure AD My Account portal. Start at https://myaccount.microsoft.com, signing in with your work or school account, and then click Additional Security Verification, under the Security Info heading; you can go directly to the page from https://mysignins.microsoft.com/security-info.
For Windows 11, the identity verification process works best with the Microsoft Authenticator app, which is available on both Android and iOS smartphones from each platform’s store or from https://www.microsoft.com/authenticator. This app handles authentication for Azure AD and Microsoft accounts; it also supports most third-party accounts, including those from Google, Facebook, and Amazon. The Authenticator app supports fingerprint- and face-based approvals on compatible hardware and works with several types of smart watches.
When 2FA is turned on, you need to use that additional factor to prove your identity in situations that Microsoft defines as requiring extra security, such as when signing in on a new device for the first time or making changes to account settings; typically, this involves approving a prompt on a previously verified device, such as the Microsoft Authenticator app on a smartphone.
The Windows Hello feature enables you to configure your Windows 11 PC as a trusted device that you can unlock using biometric hardware or a device-specific PIN. In this configuration, your credentials are stored in encrypted form on the device; to sign in, you unlock those credentials with a PIN or biometric identification (using your fingerprint or face).
To set up Windows Hello, you first have to confirm your identity by correctly entering your credentials. After passing that test, you can add a PIN and, with the right hardware support, register your biometric information. When this enrollment process is complete, you can skip the password and sign in to Windows 11 by entering your PIN or supplying what Microsoft engineers call your “biometric gesture,” using facial recognition or a fingerprint reader.
The device you sign in on acts as an authentication component because you established your identity when you set up the device; your additional information (the PIN or your biometric data) is associated with the enrolled device and is not stored on a remote server. This arrangement prevents so-called shoulder surfing attacks, where someone tries to steal your password by watching your keystrokes as you sign in. Because Windows Hello uses a device-specific PIN, other people can’t sign in to your account unless they also steal your computer.
If you want, you can also configure a device so that the only available options use the Windows Hello PIN or biometric information; in this configuration, the Password and Picture Password sign-in options are not available. To enable this option, go to Settings > Accounts > Sign-In Options and enable the For Improved Security, Only Allow Windows Hello Sign-In For Microsoft Accounts On This Device (Recommended) setting.
Windows 11 encourages you to set up a PIN when you create a new user account for the first time. If you skipped this step during Setup, go to the Sign-In Options page and click PIN (Windows Hello). Then click Set Up and follow the on-screen instructions. You need to confirm your identity by entering your account password first. Then enter and confirm your new PIN, as shown in Figure 10-7. The minimum length is four digits (0–9 only), but your PIN can be as long as you want. If you prefer something more complex and harder to guess, select the Include Letters And Symbols option.
Figure 10-7 A PIN serves as a convenient alternative for signing in to Windows and verifying your identity in apps and services. You can choose a PIN that’s longer than the minimum of four characters.
If you want to change your PIN, from the Sign-in Options page, select PIN (Windows Hello) and then click Change Your PIN. Follow the on-screen instructions to complete the process.
To sign in using a PIN, enter the numbers on your keyboard. Note that keypresses in the numeric keypad area of the keyboard register as numbers while you type in the PIN box on the sign-in screen, regardless of whether Num Lock is set. If your computer doesn’t have a keyboard, a numeric pad appears on the screen so that you can tap your PIN. (If the numeric pad does not appear, tap in the PIN-entry box.)
With the proper hardware, you can sign in simply by swiping your fingerprint or, even easier, showing your face in front of your computer’s camera. You might also be able to verify your identity with Windows Hello when making a purchase or accessing a secure service.
To use Windows Hello for biometric sign-ins on a PC, you need one of the following:
A fingerprint reader that supports the Windows Biometric Framework; if this hardware isn’t built into your computer, you can add a USB-based fingerprint reader.
An illuminated 3-D infrared camera such as those found on Surface laptops and tablets from Microsoft, as well as other advanced devices; note that a standard webcam does not work.
Note
You must add a PIN as described earlier in this chapter before you can use Windows Hello biometric features. This PIN becomes a backup sign-in option in the event your biometric hardware malfunctions or isn’t able to recognize you.
To set up Windows Hello, go to Settings > Accounts > Sign-In Options. Under Windows Hello, expand either Facial Recognition (Windows Hello) or Fingerprint Recognition (Windows Hello) as appropriate. Then click Set Up for the biometric device you want to use.
Windows asks you to enter your PIN to verify your identity. After that, you need to enter your biometric data. With face recognition, that involves looking into the camera (as shown in Figure 10-8); to set up a fingerprint reader, follow the prompts to swipe your fingerprint several times, until Windows Hello has recorded the data it needs.
If you’re setting up fingerprint scanning, you can enroll additional fingers so that you have an alternative if the finger you normally use is, for example, covered with a bandage. Click Add Another after you complete registration for a fingerprint. To add another fingerprint later, return to Settings > Accounts > Sign-In Options and click Add Another. You can also associate an additional fingerprint with a different user account on the same device. Sign in to the alternate account, and set up the second fingerprint there. When you restart, you can select your account by using the fingerprint associated with that account.
Figure 10-8 Setup for Windows Hello guides you through the brief process of scanning and storing your biometric data.
The picture password option is a bit of a misfit on the list of sign-in options. It doesn’t offer the same level of security as Windows Hello (which is the main reason we don’t recommend using it), but the option survives for users who like the idea of personalizing the sign-in process.
Note
If you have enabled the For Improved Security, Only Allow Windows Hello Sign-In For Microsoft Accounts On This Device (Recommended) setting, Picture Password is not displayed on the Sign-in Options page.
With a picture password, you can sign in on a touchscreen using a combination of gestures (specifically, circles, straight lines, and taps) that you make on a picture displayed on the sign-in screen. The easiest way to get comfortable with a picture password is to go ahead and create one.
To get started, go to Settings > Accounts > Sign-In Options. Under Picture Password, click Add. Verify your identity by entering your password to display an introductory screen where you can choose a picture. You then get to select one of your own pictures to appear on the sign-in screen. When you’re satisfied with your selection, click Use This Picture.
On the next screen that appears, you specify the three gestures you’ll use to sign in. These gestures can consist of circles, straight lines, and taps. After repeating the series of gestures to confirm your new “password,” click Finish.
To sign in with a picture password, you must perform the same three gestures on the sign-in screen, in the same order, using the same locations, and in the same direction. You don’t need to be that precise; Windows allows minor variations in location.
When you set up a Microsoft account, you’re required to create a password. Similarly, if you add a local user account to your computer, Windows 11 prompts you to specify a password.
Note
If you sign in with a local account, you must add a password before you can use a PIN, picture password, or Windows Hello.
To set or change your Microsoft account password, go to Settings > Accounts > Sign-In Options. Click or tap Change under Password. If Windows Hello is set up, you first need to enter your PIN or supply biometric authentication. Next, you must enter your existing password to confirm your identity. Windows then asks you to enter your new password.
Note
If you have enabled the For Improved Security, Only Allow Windows Hello Sign-In For Microsoft Accounts On This Device (Recommended) setting, Password is not displayed on the Sign-in Options page.
Changing the password for a local account requires an extra step: You must specify a password hint. The password hint appears after you click your name on the sign-in screen and type your password incorrectly. Be sure your hint is only a subtle reminder because any user can click your name and then view the hint. (Windows won’t allow you to create a password hint that contains your password.)
Note
If you sign in with a local account, you can use a quicker alternative: Press Ctrl+Alt+Delete, and click Change A Password. This method does not include the option to enter a password hint.
You can also set or change the password for the local account of another user on your computer. To do so, open User Accounts in Control Panel, click Manage Another Account, and click the name of the user whose password you want to change. Then click Change The Password or (if the account doesn’t currently have a password) Create A Password.
Caution
If another user has files encrypted with EFS, do not create or change a password for that user; instead, show the user how to accomplish the task from his or her own account. Similarly, do not remove or change another user’s password unless the user has forgotten the password and has exhausted all other options to access the account. (For more information, see the sidebar “Recovering from a lost password.”) If you create, change, or remove another user’s password, that user loses all personal certificates and stored passwords for websites and network resources. Without the personal certificates, the user loses access to all encrypted files and all email messages encrypted with the user’s private key. Windows deletes the certificates and passwords to prevent the administrator who makes a password change from gaining access to them—but this security comes at a cost!
A security key is a physical device built around encryption hardware that supports the Fast Identity Online (FIDO2) standard. These keys, which typically plug into a USB port or connect via Bluetooth or NFC, can be used as a second identity factor to sign in to a Microsoft account or reset a password. Security keys also work with password manager apps and are supported by every major browser that runs on Windows 11, which in turn allows you to use one of these devices for 2FA support on popular web services. In this scenario, you’re typically prompted to tap the security key after entering your credentials. With the addition of a PIN, you can use a security key for passwordless sign-in.
Windows 11 doesn’t directly support security keys for signing in, but you can use it to manage a hardware key. Go to Settings > Accounts > Sign-In Options, click Security Key, and then click Manage. Tap the hardware key to select it and then use the options shown in Figure 10-9 to add or change the security key PIN or remove saved credentials from the key and get a fresh start.
Figure 10-9 You can use a physical security key as a second factor for signing in to web services, including Microsoft accounts. Use these controls to change the PIN or remove stored credentials.
When you step away from your computer, you want to be sure you don’t leave it in a state in which others can use your credentials to access your files, sign in to websites or services using saved passwords, read and reply to email messages, or otherwise interfere with your digital identity. For security’s sake, you need to sign out, switch accounts, or lock your computer:
Sign Out With this option, all your running apps close, and the lock screen appears.
Switch Account With this option, also known as fast user switching, your apps continue to run. The sign-in screen appears, ready for the sign-in credentials of the alternative account you select. Your account is still signed in, but only you can return to your own session, which you can do when the user who is currently signed in chooses to sign out, switch accounts, or lock the computer.
Lock With this option, your apps continue to run, but the lock screen appears so that no one can see your desktop or use the computer. Only you can unlock the computer to return to your session; however, other users can sign in to their own sessions without disturbing yours.
To sign out, switch accounts, or lock your computer, click Start and click or tap your picture (in the lower left of Start). That displays a menu with Lock and Sign Out options; on a device with more than one user account set up, it also includes a profile picture and username for other available accounts. On a computer that’s joined to a domain, Switch Account appears instead of individual account names. You can then enter an account name on the sign-in screen.
Windows 11 provides another way to lock a computer called Dynamic Lock. With Dynamic Lock, your computer automatically locks when it becomes separated from your phone, such as when you step away from your desk with your phone in your pocket or purse. To use Dynamic Lock, follow these steps:
If you haven’t already done so, pair your Bluetooth-enabled phone to your computer. For more information, see “Setting up Bluetooth devices” in Chapter 13, “Managing hardware and devices.”
Open Settings > Accounts > Sign-In Options.
Under the Additional Settings heading, select Dynamic Lock and then select the Allow Windows To Lock Your Device Automatically When You’re Away checkbox.
After following these steps, Windows polls your phone several times each minute. (This does place a small hit on your phone’s battery life.) When it discovers that the phone is no longer in range, the computer locks. Be aware, however, that locking doesn’t occur instantly; Windows polls your phone only periodically, and it takes some time for you to get far enough away so that your phone is out of range.
How far is “out of range”? That sensitivity depends on several factors, including the signal strength of your two devices and the number of walls and other obstructions between the devices. A registry value sets the threshold, but calibrating it takes some experimentation. Rafael Rivera has created a tool for working with Dynamic Lock threshold values; you can read about it at https://bit.ly/DynLock.
For security reasons, Windows 11 does not offer a corresponding dynamic unlock feature. When you return to your computer, even with phone in hand, you need to sign in using one of the usual methods: Windows Hello, password, or PIN.
Personal computers are usually just that—personal. But there are situations in which it makes sense for a single PC to be shared by multiple users. In those circumstances, it’s prudent to configure the shared device securely. Doing so helps to protect each user’s data from inadvertent deletions and changes as well as malicious damage and theft.
Note
In this section, we offer advice for configuring a PC with Microsoft accounts and local accounts. Azure AD and domain accounts are administered centrally.
When you set up your computer, consider these suggestions:
Control who can sign in. Create accounts only for users who need to use your computer’s resources, either by signing in locally or over a network. If an account you created is no longer needed, delete or disable it.
Use standard accounts for additional users. During setup, Windows sets up one local administrative account for installing apps, creating and managing accounts, and so on. All other accounts can and should run with standard privileges.
Be sure that all accounts are protected by a strong password and 2FA. This is especially important for administrator accounts and for other accounts whose profiles contain important or sensitive documents.
Restrict sign-in times. You might want to limit the computing hours for some users, especially children. The easiest way for home users to do this is by setting up family accounts; for details, see “Controlling your family’s computer access,” later in this chapter.
Restrict access to certain files. You’ll want to be sure that some files are available to all users, whereas other files are available only to the person who created them. The Public folder and a user’s personal folders provide a general framework for this protection. You can further refine your file-protection scheme by selectively applying permissions to varying combinations of files, folders, and users.
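The first three suggestions above can be checked from PowerShell. The following is an added example (not from the book) that lists every local account on the PC and flags the ones that are enabled but unused, that hold administrator rights, or that don’t require a password; it assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 11 and an elevated session, and the 90-day staleness threshold is a constructed value you can adjust.

```powershell
# Added example: audit local accounts against the shared-PC suggestions.
# Assumes the Microsoft.PowerShell.LocalAccounts module (built into Windows 11).
# Run from an elevated PowerShell session so group membership is readable.
$StaleAfterDays = 90          # constructed threshold; adjust to taste
$now = Get-Date

# Names of user members of the local Administrators group, with the
# "COMPUTERNAME\" prefix removed so they compare with Get-LocalUser names.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }

$findings = foreach ($u in Get-LocalUser) {
    $isAdmin   = $admins -contains $u.Name
    $lastLogon = $u.LastLogon                 # $null if the account never signed in
    $stale     = $u.Enabled -and (
        -not $lastLogon -or ($now - $lastLogon).Days -gt $StaleAfterDays)

    [PSCustomObject]@{
        Name             = $u.Name
        Enabled          = $u.Enabled
        Administrator    = $isAdmin
        PasswordRequired = $u.PasswordRequired
        LastLogon        = $lastLogon
        # "Control who can sign in": enabled but unused for a long time.
        Stale            = $stale
        # "Use standard accounts": every enabled admin beyond the setup account.
        EnabledAdmin     = $isAdmin -and $u.Enabled
        # "Strong password": an enabled account that does not require one.
        NoPassword       = $u.Enabled -and -not $u.PasswordRequired
    }
}

$findings | Format-Table -AutoSize

# Report what the suggestions say to fix.
$enabledAdmins = @($findings | Where-Object EnabledAdmin)
if ($enabledAdmins.Count -gt 1) {
    Write-Warning ("{0} enabled local administrator accounts: {1}" -f
        $enabledAdmins.Count, ($enabledAdmins.Name -join ', '))
}
$findings | Where-Object NoPassword | ForEach-Object {
    Write-Warning "Account '$($_.Name)' is enabled but does not require a password."
}
$findings | Where-Object Stale | ForEach-Object {
    Write-Warning "Account '$($_.Name)' unused for over $StaleAfterDays days; consider Disable-LocalUser."
}
```

Built-in accounts such as Guest and DefaultAccount are disabled by default and so are never flagged; the report is about the accounts you created.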
To allow another person to sign in on your computer and access their own files and settings, you must add a user account for that person. How you choose to set up that account depends on how you as an administrator want to manage the other person’s access. You can add a secondary account by specifying the other person’s Microsoft account email (or creating a local user account with a username and password of your choosing); your only management option in that case is choosing whether the account type is Administrator or Standard. If you’re adding accounts for other family members (especially children), you can choose from a different set of options that allow you much more granular control over when and how they access the PC.
To create a conventional secondary account without using family settings, start by signing in as an administrator and then go to Settings > Accounts. Then select Other Users. (On Windows 11 version 21H2, this option is under the Family & Other Users heading.)
Note
The option to set up accounts for other family members is not available on PCs that are joined to a Windows domain or Azure Active Directory.
Other Users, shown in Figure 10-10, enables you to add additional accounts, either local accounts or Microsoft accounts. To add a user with a Microsoft account, click Add Account and then enter the email address (or phone number) for the account they currently use and complete the wizard to create the user’s account.
Figure 10-10 From this Settings page, you can add a local account or a Microsoft account. The Work Or School option is available only if another Work Or School account is already set up.
If you want to create a local account, click Add Account and then click I Don’t Have This Person’s Sign-In Information. Then, on the Create Account page, select Add A User Without A Microsoft Account.
The Create A User For This PC page displays, shown in Figure 10-11, and you can enter the username and password for the other person.
Figure 10-11 It takes some persistence, but you can resist the entreaties to use a Microsoft account and instead set up a local user account; eventually, you get to this dialog.
You’re also required to choose and answer three security questions for the local account. (If your computer has only local accounts set up, you go directly to this final dialog, skipping the two that guide you toward a Microsoft account.) Click Next, and your work is done.
To add an account for a family member, go to Settings > Accounts, select Family, and then select Add Someone from the Your Family section. Enter the email address of the Microsoft account used by the family member and then complete the wizard to add the account.
You’re asked to define the role that the new user has: An Organizer can edit family and safety settings; a Member can edit their own settings, using options based on their age. When you’ve defined the role, click Invite to send an invitation to the user’s configured email account; they can then use that invitation to complete the process of adding their account to the computer.
Note
The invitation email has as a subject line “Microsoft Family Safety” and provides a link labeled Accept Invitation. Selecting this link opens the Family Safety online app and enables the user to join the family group using the specified email account.
The user account is displayed with a status of Pending until the user accepts the invite.
Note
After you add the account, you can change its account type, choosing between Standard User and Administrator.
If you’re adding an account for a child, select Create One For A Child on the Add Someone page. After you’ve created their account in the usual way, the account is added to the computer.
Previous versions of Windows had a feature called Parental Controls (Windows Vista and Windows 7) or Family Safety (Windows 8), which allowed parents to restrict and monitor their children’s computer use. Both Windows 10 and Windows 11 offer similar capabilities, but the implementation is completely different. Those earlier Windows versions stored their settings on your PC, but in Windows 11, family settings are now stored and managed as part of your Microsoft account.
Note
Rather than classifying each person as Child or Adult, you act as Organizer for your family; when you add an account to your family, you can assign that person as a Member, whose activities can be managed, or as an Organizer, who can view and change the settings online.
This approach has some benefits:
You don’t need to make settings for each member of your family on each computer. After you add a family member on one PC, you manage their settings in the cloud, and those settings apply to all the family PCs where they sign in.
You can manage each family member’s computer use from any computer that’s connected to the internet.
Family settings have one requirement that some might perceive as a disadvantage: Each family member must have a Microsoft account and sign in with that account.
You use the Family Safety webpage, the Windows Family app (on a Windows 10 or Windows 11 PC), or the Family Safety app on iOS or Android to manage family settings.
Note
The Windows 11 Family app is typically installed automatically with Windows 11 version 22H2; on a PC running version 21H2, you might need to visit the Microsoft Store to download this useful app.
What can you do with Family Safety?
Set screen time. Define limits for your children’s devices, apps, and games.
Find your family. Enables you to locate family members by retrieving location data from their mobile devices.
Monitor driving safety. Enables you to gain insights into your family members’ driving habits, including speed, phone use, and sudden braking. This is a premium feature.
Review reports. Track and review family members’ device and app use.
Define content filters. Control what type of content members can access online.
Manage family email, calendar, and OneNote. Enables you to schedule events, share notes, and set up group email.
Note
Family members must sign in and grant permission for organizers to view their activity and see their location on an Android device.
As the organizer, you perform all management tasks online (at https://family.microsoft.com) or in the Family app. Sign in with your Microsoft account to get started. Figure 10-12 shows a portion of the interface for setting up both daily limits and the times during which a family member can use a Windows 11 PC or an Xbox One console.
Figure 10-12 With Screen Time settings, you specify an allowable range of times for a child’s daily use of Windows 11 PCs and an Xbox One console.
Assigned access is a rather odd feature that you can use to configure your computer so that a single designated user can run a single app. When that user signs in, the specified app starts automatically and runs full-screen. The user can’t close the app or start any others. In fact, the only way out is to press Ctrl+Alt+Delete (or press the Windows button and power button simultaneously), which signs out the user and returns to the sign-in screen.
The use cases for this feature are limited, but here are a few examples:
A kiosk app for public use (see “Setting up a kiosk device” in Chapter 19 for more information)
A point-of-sale app for your business
A game for a very young child
If you can think of a use for this feature, click Get Started under the Set Up A Kiosk heading at the bottom of the Other Users page.
When you launch this wizard, you must either add a new account or select an existing account and designate a Windows app (not a legacy desktop program) for use with the kiosk account. If you select a web browser as the app, you need to enter the URL for the browser to open.
We’ve saved this fairly technical section for last. Most Windows users never need to deal with the nuts and bolts of the Windows security model. But developers, network administrators, and anyone who aspires to the label “power user” should have at least a basic understanding of what happens when you create accounts, share files, install software drivers, and perform other tasks that have security implications.
The Windows approach to security is discretionary: Each securable system resource—each file or printer, for example—has an owner. That owner, in turn, has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who creates it. If you create a file, for example, you are the file’s owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn’t create.)
Note
To exercise full discretionary control over individual files, you must store those files on an NTFS volume (this feature is also available on PCs running Windows 11 Pro for Workstations with ReFS-formatted volumes). For the sake of compatibility, Windows 11 supports the FAT file systems (FAT, FAT32) used by early Windows versions and many USB flash drives, as well as the exFAT file system used on some removable drives. However, none of the FAT-based file systems support file permissions. To enjoy the full benefits of Windows security, you must use NTFS or ReFS. For more information about file systems, see “Choosing a file system” in Chapter 8, “Managing local and cloud storage.”
To control which users have access to a resource, Windows uses the SID assigned to each user account. Your SID (a gigantic number guaranteed to be unique) follows you around wherever you go in Windows. When you sign in, the operating system first validates your username and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your username and SID, plus information about any security groups to which your account belongs. (Security groups are described later in this chapter.) Any app you start gets a copy of your security access token.
With User Account Control (UAC) turned on, administrators who sign in get two security access tokens—one that has the privileges of a standard user and one that has the full privileges of an administrator.
Whenever you attempt to walk through a controlled “door” in Windows (for example, when you connect to a shared printer), or any time an app attempts to do so on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you get to hear a beep and read a refusal message.
In determining whom to let pass and whom to block, Windows consults the resource’s access control list (ACL). This is simply a list of SIDs and the access privileges associated with each one. Every resource subject to access control has an ACL. This manner of allowing and blocking access to resources such as files and printers has remained essentially unchanged since Windows NT.
UAC adds another layer of restrictions based on user accounts. With UAC turned on, applications are normally launched using an administrator’s standard user token. (Standard users, of course, have only a standard user token.) If an application requires administrator privileges, UAC asks for your consent (if you’re signed in as an administrator) or the credentials of an administrator (if you’re signed in as a standard user) before letting the application run. With UAC turned off, Windows works in the same (rather dangerous) manner as Windows versions from more than two decades ago, before Microsoft got serious about security: Administrator accounts can do just about anything (sometimes getting those users in trouble), and standard accounts don’t have the privileges needed to run many older desktop apps.
For more information about UAC, see “Preventing unsafe actions with User Account Control” in Chapter 12.
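You can see each piece of the model just described from your own session: the SID and group SIDs carried in your security access token, which of the two administrator tokens your process holds, and the ACL (SIDs paired with rights) on a file. The following is an added example, not from the book; it uses only .NET types and built-in cmdlets, and the file it inspects is a constructed sample created in your temp folder.

```powershell
# Added example: inspect the token, SID, UAC state, and a file ACL from this session.

# 1. The security access token for this session: username, SID, and group SIDs.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
"User : {0}" -f $identity.Name
"SID  : {0}" -f $identity.User.Value
"Groups carried in the token:"
$identity.Groups | ForEach-Object {
    # Translate each SID back to a readable name where Windows can resolve it.
    $name = try { $_.Translate([System.Security.Principal.NTAccount]).Value }
            catch { '(unresolved)' }
    "  {0,-46} {1}" -f $_.Value, $name
}

# 2. Which of an administrator's two tokens is this process using?
#    With UAC on, a normal shell runs with the standard user token, so this
#    reports $false until the session is elevated.
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running with the full administrator token: $elevated"

# 3. The ACL of a file: each access control entry pairs an identity (backed
#    by a SID) with the rights it is allowed or denied. Owner defaults to the
#    creator, as the text describes.
$sample = Join-Path $env:TEMP 'acl-demo.txt'   # constructed sample file
Set-Content -Path $sample -Value 'sample'
$acl = Get-Acl -Path $sample
"Owner of ${sample}: $($acl.Owner)"
$acl.Access | ForEach-Object {
    $sid = try {
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { '(unresolved)' }
    [PSCustomObject]@{
        Identity  = $_.IdentityReference.Value
        SID       = $sid
        Type      = $_.AccessControlType      # Allow or Deny
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited             # inherited from the parent folder?
    }
} | Format-Table -AutoSize
Remove-Item -Path $sample
```

Run it once from a normal PowerShell window and once from a window started with Run As Administrator to see the same account report two different tokens.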