For years, teachers, parents, tech directors, and computer lab instructors struggled to answer two difficult questions: How do you rig one PC so several different people can use it throughout the day, without interfering with one another’s files and settings? And how do you protect a PC from getting fouled up by mischievous (or bumbling) students and employees?
Windows 7 was designed from the ground up to be a multiple-user operating system. Anyone who uses the computer must log on—click (or type) your name and type in a password—when the computer turns on. Upon doing so, you discover the Windows universe just as you left it, including these elements:
Desktop. Each person sees his own shortcut icons, folder icons, and other stuff left out on the desktop.
Start menu. If you reorganize the Start menu, as described in Chapter 1, you won’t confuse anybody else who uses the machine. No one else can even see the changes you make.
Documents folder. Each person sees only her own stuff in the Documents folder.
Email. Windows maintains a separate stash of email messages for each account holder—along with separate Web bookmarks, a Windows Messenger contact list, and other online details.
Favorites folder. Any Web sites, folders, or other icons you’ve designated as Favorites appear in your Favorites menu, and nobody else’s.
Internet cache. This folder stores a copy of the Web pages you’ve visited recently for faster retrieval the next time you visit them.
History and cookies. Windows maintains a list of recently visited Web sites independently for each person; likewise, it stores a personal collection of cookies (Web site preference files).
Control Panel settings. Windows memorizes the preferences each person establishes using the Control Panel (see Chapter 8), including keyboard, sound, screen saver, and mouse settings.
Privileges. Your user account also determines what you’re allowed to do on the network and even on your own computer: which settings you can change in the Control Panel, and even which files and folders you can open.
Behind the scenes, Windows stores all these files and settings in a single folder—your Personal folder, the one that bears your name. You can open it easily enough; it’s at the top right of the Start menu. (Technically, your Personal folder is in the Computer→Local Disk (C:)→Users folder.)
This feature makes sharing the PC much more convenient, because you don’t have to look at everybody else’s files (and endure their desktop design schemes). It also adds a layer of security, making it less likely that a marauding 6-year-old will throw away your files.
Even if you don’t share your PC with anyone and don’t create any other accounts, you might still appreciate this feature because it effectively password-protects the entire computer. Your PC is protected from unauthorized casual fiddling when you’re away from your desk (or if your laptop is stolen)—especially if you tell Windows to require your logon password any time the screen saver has kicked in (see “Choosing a Screen Saver”).
Since the day you installed Windows 7 or fired up a new Win7 machine, you may have made a number of changes to your desktop—fiddled with your Start menu, changed the desktop wallpaper, added some favorites to your Web browser, downloaded files onto your desktop, and so on—without realizing that you were actually making these changes only to your account.
Accordingly, if you create an account for a second person, then when she turns on the computer and signs in, she’ll find the desktop exactly the way it was as factory-installed by Microsoft: basic Start menu, standard desktop picture, default Web browser home page, and so on. She can make the same kinds of changes to the PC that you’ve made, but nothing she does will affect your environment the next time you log on.
In other words, the multiple-accounts feature has two benefits: first, the convenience of hiding everyone else’s junk; and second, security that protects both the PC’s system software and everyone’s work.
If you’re content simply to use Windows, that’s really all you need to know about accounts. If, on the other hand, you have shouldered some of the responsibility for administering Windows machines—if it’s your job to add and remove accounts, for example—read on.
Windows is designed to handle either of two different kinds of networks: workgroups (small, informal home or small-business networks) and domains (corporate networks, professionally and centrally administered).
This distinction becomes particularly important when it comes to user accounts.
Workgroup network. In this smaller kind of network, each computer stores its own security settings, such as user accounts, passwords, and permissions. Clearly, setting up an account on every PC for every employee in a big company would get out of hand.
If you’re part of a workgroup network (or no network), you’ll find that Windows gives you simplified access to user accounts and permissions, both of which are described in this chapter.
Domain network. In a corporation, your files may not be sitting right there on your hard drive. They may, in fact, sit on a network server—a separate computer dedicated to dishing out files to employees from across the network. As you can probably imagine, protecting all this information is somebody’s Job Number One.
That’s why, if your PC is part of a domain, you’ll find Windows 7 more reminiscent of Windows 2000, with more business-oriented features and full access to the account-maintenance and permissions-management options. (Only the Professional, Enterprise, and Ultimate editions of Windows 7 can speak to domain networks.)
This chapter tackles these two broad feature categories—the workgroup scenario and the domain scenario—one at a time.
This section is dedicated to computers in a workgroup network—or no network at all. Corporate networks (domains) are described later in this chapter.
To see what accounts are already on your PC, open the Start menu. Start typing accounts until you see User Accounts in the results list; click it. The User Accounts and Family Safety control panel opens (Figure 23-1).
The Start menu offers a big, fat shortcut to this dialog box: Just click your picture at the top of the open Start menu.
What you see here depends on which kind of account you have: Administrator or Standard. Read on.
Figure 23-1. The User Accounts and Family Safety control panel always opens up showing you only the details of your account. You can’t even see who else has accounts on your PC—unless you click “Manage another account” and authenticate yourself.
It’s important to understand the phrase that appears just under your name in the panel shown in Figure 23-2. On your own personal PC, the word “Administrator” probably appears here.
Because you’re the person who installed Windows 7, the PC assumes that you’re one of its administrators—the technical wizards who will be in charge of it. You’re the teacher, the parent, the resident guru. You’re the one who will maintain this PC and who will be permitted to make system-wide changes to it.
You’ll find settings all over Windows (and all over this book) that only people with Administrator accounts can change. For example, only an administrator is allowed to:
Create or delete accounts and passwords on the PC.
Install new programs (and certain hardware components).
Make changes to certain Control Panel programs that are off-limits to non-administrators.
See and manipulate any file on the machine.
There’s another kind of account, too, for people who don’t have to make those kinds of changes: the Standard account.
Now, for years, people doled out Administrator accounts pretty freely. You know: The parents got Administrator accounts, the kids got Standard ones.
The trouble is, an Administrator account itself is a kind of security hole. Any time you’re logged in with this kind of account, any nasty software you may have caught from the Internet is also, in effect, logged in—and can make changes to important underlying settings on your PC, just the way a human administrator can.
Figure 23-2. If you click “Manage another account” (in the box shown in Figure 23-1), you finally get to see, and make changes to, all the other accounts.
Put another way: A virus you’ve downloaded will have a much harder time infecting the rest of the machine if you’re running a Standard account rather than an Administrator account.
Today, therefore, Microsoft recommends that everyone use Standard accounts—even you, the wise master and owner of the computer!
So how are you supposed to make important Control Panel changes, install new programs, and so on?
That’s gotten a lot easier in Windows 7. Using a Standard account no longer means that you can’t make important changes. In fact, you can do just about everything on the PC that an Administrator account can—if you know the password of a true Administrator account.
Every Windows 7 PC can (and must) keep at least one Administrator account on hand, even if you rarely log in with that account.
Whenever you try to make a big change, you’re asked to authenticate yourself. As described in “Authenticate Yourself: User Account Control,” that means supplying an Administrator account’s password, even though you, the currently logged-in person, are a lowly Standard account holder.
If you have a Standard account because you’re a student, a child, or an employee, you’re supposed to call an administrator over to your PC to approve the change you’re making. (If you’re the PC’s owner, but you’re using a Standard account for security purposes, you know an administrator password, so it’s no big deal.)
Now, making broad changes to a PC when you’re an administrator still presents you with those “prove yourself worthy” authentication dialog boxes. The only difference is that you, the administrator, can click Continue to bypass them, rather than having to type in a password.
You’ll have to weigh this security/convenience tradeoff. But you’ve been warned: The least vulnerable PC is one where everyone uses Standard accounts.
All of this is a long-winded way of explaining why, when you open User Accounts, you may see one of two different things.
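A read-only way to check who actually holds administrator rights on a PC, as an added example that is not from the book. It assumes the PowerShell 2.0 included with Windows 7, uses WMI and the ADSI WinNT provider, and finds the Administrators group by its well-known SID (S-1-5-32-544) rather than by name.

```powershell
# Added example for Windows 7 / PowerShell 2.0. Reads only; changes nothing.

# Locate the built-in Administrators group by SID so that localized
# group names (non-English Windows) are handled too.
$adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

# Index the local user accounts by name so we can look up their Disabled flag.
$localUsers = @{}
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object { $localUsers[$_.Name] = $_ }

# Enumerate the group's members through the ADSI WinNT provider.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name),group"
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)

    # Local members have paths such as WinNT://WORKGROUP/PCNAME/Casey;
    # domain members look like WinNT://DOMAIN/Casey.
    $isLocal = $path -like "*/$env:COMPUTERNAME/*"
    $enabled = if ($isLocal -and $localUsers.ContainsKey($name)) {
        -not $localUsers[$name].Disabled
    } else {
        'n/a'   # domain account or group: status is not stored on this PC
    }

    New-Object PSObject -Property @{
        Name = $name; Local = $isLocal; Enabled = $enabled; Path = $path
    }
}

$admins | Select-Object Name, Local, Enabled | Format-Table -AutoSize

# At least one Administrator account must exist; every additional enabled one
# is another account under which unwanted software gets administrator rights.
$enabledLocal = @($admins | Where-Object { $_.Local -and $_.Enabled -eq $true })
"Enabled local administrator accounts: $($enabledLocal.Count)"

# Is the account you are logged on with right now one of them?
$me = @($admins | Where-Object { $_.Path -like "*/$env:USERDOMAIN/$env:USERNAME" })
if ($me.Count -gt 0) {
    "'$env:USERNAME' is a member of $($adminGroup.Name): consider a Standard account for daily use."
} else {
    "'$env:USERNAME' is not a direct member of $($adminGroup.Name)."
}
```

The last check looks only at direct membership; an account that is an administrator through a nested domain group shows up as that group's name in the table instead.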
It’s easy to create a new account in the User Accounts panel: Click “Manage another account.” Authenticate yourself.
You arrive on the master list of accounts (Figure 23-2). If you’re new at this, there’s probably just one account listed here: yours. This is the account Windows created when you installed it.
If you see more than one account here—not just yours—then one of these situations probably applies:
You created them when you installed Windows 7, as described in Appendix A.
You bought a new computer with Windows 7 preinstalled and created several accounts when asked to do so the first time you turned on the machine.
You upgraded the machine from an earlier version of Windows, and Windows 7 gracefully imported all your existing accounts.
To add another one, click “Create a new account.” The next screen asks you to name the account and choose an account type: Administrator or Standard (Figure 23-3).
When you’re finished with the settings, click Create Account (or press Enter). After a moment, you return to the User Accounts screen, where the new person’s name joins whatever names were already there. You can continue adding new accounts forever or until your hard drive is full, whichever comes first.
If you never had the opportunity to set up a user account when installing Windows—if you bought a PC with Windows already on it, for example—you may see an account named Owner already in place. Nobody can use Windows at all unless there’s at least one Administrator account on it, so Microsoft is doing you a favor here.
Just double-click it and click “Change the account name” to change the name Owner to one that suits you better. Make that account your own using the steps in the following paragraphs.
Figure 23-3. If it’s all in the family, the account’s name could be Casey or Robin. If it’s a corporation or school, you’ll probably want to use both first and last names. Capitalization doesn’t matter, but most punctuation is forbidden. This is also where you specify whether or not this unsuspecting computer user will be an administrator, as described above.
Although the process of creating a new account is swift and simple, it doesn’t offer you much in the way of flexibility. You don’t even have a chance to specify the new person’s password, let alone the tiny picture that appears next to the person’s name and at the top of the Start menu (rubber ducky, flower, or whatever).
That’s why the next step in creating an account is usually editing the one you just set up. To do so, once you’ve returned to the main User Accounts screen (Figure 23-2), click the name or icon of the freshly created account. You arrive at the screen shown at the top in Figure 23-4, where—if you are an administrator—you can choose from any of these options:
Change the account name. You’re offered the opportunity to type in a new name for this person and then click the Change Name button—just the ticket when one of your coworkers gets married or joins the Witness Protection Program.
Create a password. Click this link if you’d like to require a password for access to this person’s account (Figure 23-4, bottom). Capitalization counts.
The usual computer book takes this opportunity to stress the importance of having a long, complex password, such as a phrase that isn’t in the dictionary, something made up of mixed letters and numbers—and not, by the way, the word “password.” This is excellent advice if you create sensitive documents and work in a corporation.
Figure 23-4. Top: Here’s the master menu of account-changing options. Add/change password, change picture, change from Standard to Administrative (or vice versa), and so on. Bottom: You’re supposed to type your password twice to make sure you didn’t introduce a typo the first time. (The PC shows only dots as you type, to guard against the possibility that some villain is snooping over your shoulder.)
But if you share the PC only with a spouse or a few trusted colleagues in a small office, you may have nothing to hide. You may see the multiple-users feature more as a convenience (for keeping your settings and files separate) than a way of protecting secrecy and security.
In these situations, there’s no particular need to dream up a convoluted password. In fact, you may want to consider setting up no password—leaving both password blanks empty. Later, whenever you’re asked for your password, just leave the Password box blank. You’ll be able to log on and authenticate yourself that much faster each day.
If you do decide to provide a password, you can also provide a hint (for yourself or whichever coworker’s account you’re operating on). This is a hint that anybody can see (including bad guys trying to log on as you), so choose something meaningful only to you. If your password is the first person who ever kissed you plus your junior-year phone number, for example, your hint might be “first person who ever kissed me plus my junior-year phone number.”
Later, when you log in and can’t remember your password, leave the Password box empty and hit Enter. You wind up back at the login screen to try again—but this time, your hint will appear just below the Password box to jog your memory.
This low-security, high-convenience attitude is precisely the idea behind homegroups (Chapter 26).
But homegroups work only if everybody in the house or the office is on Windows 7. If you’re not, then you’ll have to create accounts on each PC that each person might want to access over the network. A word of advice: On each PC, set them up with the same passwords they use when logging onto their own computers. You’ll save them time and hassle. Once they’ve logged onto another machine on the network, they’ll be able to connect to their own computer without having to type in another name and password.
Change the picture. The usual sign-in screen displays each account holder’s name, accompanied by a little picture. When you first create the account, however, it assigns a picture to you at random—and not all the pictures are necessarily appropriate for your personality. Not every extreme-sport headbanger, for example, is crazy about being represented by a kitten.
If you like one of the selections Microsoft has provided, just click it to select it as the replacement graphic. If you’d rather use some other graphics file on the hard drive instead—a photo of your actual face, for example—see Figure 23-5.
Set up Parental Controls. Whenever you edit a Standard account, this link is available, on the premise that this person is either a child or someone who acts like one. See “Parental Controls” for details.
Change the account type. Change a Standard account into an Administrator account, or vice versa.
Delete the account. See “Deleting User Accounts.”
You’re free to make any of these changes to any account at any time; you don’t have to do it immediately after creating the account.
As described above, Windows contains a handy hint mechanism for helping you recall your password if you’ve forgotten it.
But what if, having walked into a low-hanging branch, you’ve forgotten both your password and the correct interpretation of your hint? In that disastrous situation, your entire world of work and email would be locked inside the computer forever. (Yes, an administrator could issue you a new password—but as noted in the box “Passwords Within Passwords,” you’d lose all your secondary passwords in the process.)
Fortunately, Windows offers a clever solution-in-advance: the Password Reset Disk. It’s a USB flash drive or a floppy disk (remember those?) that you can use like a physical key to unlock your account in the event of a forgotten password. The catch: You have to make this disk now, while you still remember your password.
Figure 23-5. Here’s where you change your account picture. If you click “Browse for more pictures,” then Windows shows you a list of the graphics files on your hard drive so you can choose one, which Windows then automatically scales down to postage-stamp size (48 pixels square).
To create this disk, insert a blank floppy or a USB flash drive. Then open the Start menu and click your picture (top right). The “Make changes to your user account” window opens (Figure 23-1).
The second link in the task pane says, “Create a password reset disk.” Click that to open the Forgotten Password Wizard shown in Figure 23-6. Click through it, supplying your current password when you’re asked for it. When you click Finish, remove the disk or flash drive. Label it, and don’t lose it!
Behind the scenes, Windows saves a file onto the floppy or flash drive called userkey.psw. You can guess what that is.
When the day comes that you can’t remember your password, leave the Password box empty and hit Enter. You wind up back at the login screen; this time, in addition to your password hint, you see a link called “Reset password.” Insert your Password Reset floppy or flash drive and then click that link.
A Password Reset Wizard now helps you create a new password (and a new hint to remind you of it). You’re in.
Figure 23-6. The screens of this wizard guide you through the process of inserting a blank floppy disk or flash drive and preparing it to be your skeleton key. If you forget your password—or if some administrator has changed your password—you can use this disk to reinstate it without the risk of losing all your secondary passwords (memorized Web passwords, encrypted files, and so on).
Even though you now have a new password, your existing Password Reset Disk is still good. Keep it in a drawer somewhere for use the next time you experience a temporarily blank brain.
It happens—somebody graduates, somebody gets fired, somebody dumps you. Sooner or later, you may need to delete an account from your PC.
To delete a user account, open User Accounts, click the appropriate account name, and then click “Delete the account.”
Windows asks if you want to preserve the contents of this person’s Documents folder. If you click the Keep Files button, you find a new folder, named for the dearly departed, on your desktop. (As noted in the dialog box, only the documents, the contents of the desktop, and the Documents folder are preserved—but not programs, email, or even Web favorites.) If that person ever returns to your life, you can create a new account for him and copy these files into the appropriate folder locations.
If you click the Delete Files button, though, the documents are gone forever.
A few more important points about deleting accounts:
You can’t delete the account you’re logged into.
You can’t delete the last Administrator account. One must remain.
You can create a new account with the same name and password as one you deleted earlier, but in Windows’s head, it’s still not the same account. As described in the box on this page, it won’t have any of the original secondary passwords (for Web sites, encrypted files, and so on).
Don’t manipulate accounts manually (by fooling around in the Users folder). Create, delete, and rename them only using User Accounts in the Control Panel. Otherwise, you’ll wind up with duplicate or triplicate folders in Users, with the PC name tacked onto the end of the original account name (Bob, Bob.DELL, and so on)—a sure recipe for confusion.
If you’re an administrator, don’t miss the Users tab of the Task Manager dialog box. (Press Ctrl+Shift+Esc to get to the Task Manager.) It offers a handy, centralized list of everybody who’s logged into your machine and contains buttons that let you log them off, disconnect them, or even make a little message pop up on their screens. All of this can be handy whenever you need some information, a troubleshooting session, or a power trip.
If you do expect that your colleague may one day return to your life, you might consider disabling the account instead of deleting it. A disabled account doesn’t show up on the login screen or in the User Accounts program, but it’s still there on the hard drive, and you can bring it back when necessary.
There’s no pretty Control Panel link for disabling an account; you’ll have to get your hands greasy in the power-user underpinnings of Windows. See “Account is disabled” in “Creating a New Account” for details.
Believe it or not, Administrator and Standard aren’t the only kinds of accounts you can set up on your PC.
A third kind, called the Guest account, is ideal for situations where somebody is just visiting you for the day. Rather than create an entire account for this person, complete with password, hint, little picture, and so on, you can just switch on the Guest account.
To find the on/off switch, open the Start menu and type guest; click “Turn guest account on or off” in the results list. Authenticate yourself if necessary.
In the Manage Accounts window, click Guest, and then click Turn On.
Now, when the visitor tries to log in, she can choose Guest as the account. She can use the computer but can’t see anyone else’s files or make any changes to your settings.
When the visitor to your office is finally out of your hair, healthy paranoia suggests that you turn off the Guest account once again. (To do so, follow precisely the same steps, except click “Turn off the guest account” in the final step.)
You can’t work in Windows 7 very long before encountering the dialog box shown in Figure 23-7. It appears any time you install a new program or try to change an important setting on your PC. (Throughout Windows, a colorful icon next to a button or link indicates a change that will produce this message box.)
Clearly, Microsoft chose the name User Account Control (UAC) to put a positive spin on a fairly intrusive security feature; calling it the IYW (Interrupt Your Work) box probably wouldn’t have sounded like so much fun.
Why do these boxes pop up? In the olden days, nasties like spyware and viruses could install themselves invisibly, behind your back. That’s because Windows ran in Administrative mode all the time, meaning it left the door open for anyone and anything to make important changes to your PC. Unfortunately, that included viruses.
Figure 23-7. Top: When you try to make a major change to Windows, like deleting an account or installing a new program, Windows wants to make absolutely sure that it’s you and not some virus doing the changing. So it stops the show to ask for confirmation that it’s you, an administrator, out there. Bottom: This dialog box offers what amounts to a Nuisance slider; you control where Windows stands on the security/interruption continuum by dragging it up (more alarmist) or down (no interruptions at all).
Windows 7, on the other hand, runs in Standard mode all the time. Whenever somebody or some program wants to make a big change to your system—something that ought to have the permission of an administrator (see “Administrator vs. Standard Accounts”)—the UAC box alerts you. If you click Continue, Windows elevates (opens) the program’s permissions settings just long enough to make the change.
Most of the time, you are the one making the changes, which can make the UAC box a bit annoying. But if that UAC dialog box ever appears by itself, you’ll know something evil is afoot on your PC, and you’ll have the chance to shut it down.
How you get past the UAC box—how you authenticate yourself—depends on the kind of account you have:
If you’re an administrator, the UAC box generally doesn’t appear at all. Even when you click a link marked with a shield icon, you generally blow right past it. (That’s a welcome change from Vista, when you’d see the UAC box for no good reason—you’d hit Enter to blow past it.)
If you’re a Standard account holder, the UAC dialog box requires the password of an administrator. You’re supposed to call an administrator over to your desk to indicate his permission to proceed by entering his own name and password.
Questions? Yes, you in the back?
Why does the screen go dark around the dialog box?
That’s another security step. It’s designed to prevent evil software from tricking you by displaying a fake Windows dialog box. Windows darkens and freezes everything on the screen except the one, true Windows dialog box: the UAC box.
Can I turn off the UAC interruptions?
Well, yes. But listen: You should be grateful that they don’t appear nearly as often as they did in Vista, where they became a profound nuisance.
All right then. If even the few remaining interruptions are too much for you, you can turn them off altogether. Open the Start menu. Type uac; click “Change User Account Control settings.”
You get the dialog box shown at bottom in Figure 23-7. If you drag the slider all the way to the bottom, you won’t be interrupted by UAC boxes at all.
This truly isn’t a good idea, though. You’re sending your PC right back to the days of Windows XP, when any sneaky old malware could install itself or change your system settings without your knowledge. Do this only on a PC that’s not connected to a network or the Internet, for example, or maybe when you, the all-knowing system administrator, are trying to troubleshoot and the UAC interruptions are slowing you down.
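To see where a PC's UAC settings currently stand without opening the dialog box, the registry values behind it can be read directly. This is an added PowerShell 2.0 example, not from the book; the value names are the standard UAC policy values, and the mapping to slider positions is the Windows 7 one (other Windows versions differ, notably for the bottom position).

```powershell
# Added example for Windows 7 / PowerShell 2.0. Reads only; changes nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Map the stored values to the four slider positions of the
# "Change User Account Control settings" dialog on Windows 7.
function Get-UacSliderPosition {
    param($EnableLUA, $AdminPrompt, $SecureDesktop)
    if ($EnableLUA -eq $null) { return 'Unknown (EnableLUA value not present)' }
    if ($EnableLUA -eq 0)     { return 'Never notify (UAC switched off)' }
    switch ("$AdminPrompt/$SecureDesktop") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default: notify only when programs try to make changes' }
        '5/0'   { 'Notify on program changes, but do not dim the desktop' }
        '0/0'   { 'Never notify' }
        default { 'Custom combination (Group Policy or manual registry edit)' }
    }
}

$position = Get-UacSliderPosition $uac.EnableLUA `
                                  $uac.ConsentPromptBehaviorAdmin `
                                  $uac.PromptOnSecureDesktop

# Collect anything that weakens the protections described in this section.
$findings = @()
if ($uac.EnableLUA -eq 0) {
    $findings += 'UAC is off: programs started by an administrator run with full rights.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'Administrators are elevated without any prompt.'
}
if ($uac.PromptOnSecureDesktop -eq 0) {
    $findings += 'Secure desktop is off: the screen does not darken, so a fake prompt is harder to tell from the real one.'
}
# What a Standard account sees when a change needs administrator approval.
switch ($uac.ConsentPromptBehaviorUser) {
    0 { $findings += 'Standard users: elevation requests are denied automatically (no password box).' }
    1 { $standard = 'asked for an administrator password on the secure desktop' }
    3 { $standard = 'asked for an administrator password' }
}

"Slider position : $position"
if ($standard) { "Standard users  : $standard" }
if ($findings.Count -eq 0) {
    'No weakened UAC settings found.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```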
When your computer is a member of a corporate domain, the controls you use to create and manage user accounts are quite a bit different.
In this case, when you choose Start→Control Panel, you see a category called “User Accounts” instead of “User Accounts and Family Safety.” And the option called “Add or remove user accounts” on a workgroup PC is now called “Give other users access to this computer.”
When you click that option, you see the dialog box shown in Figure 23-8. The layout is different, but the idea is the same: You can see all the accounts on the computer.
Figure 23-8. A computer that’s a member of a domain has a more detailed User Accounts dialog box. Instead of creating new accounts on your local machine, these controls let you give other people on your domain the ability to log onto your computer locally (that is, in person, rather than from across the network).
This dialog box lets you create local accounts—accounts stored only on your computer, and not on the corporate domain machine—for existing citizens of the domain.
Why would you need a local account, if all your files and settings are actually stored elsewhere on the network? Because certain tasks, like installing drivers for new hardware, require you to log on using a local Administrator account.
This business of creating a local account that corresponds to an existing domain account isn’t quite the same thing as creating a completely new account for a completely new person. For that purpose, see the following pages.
When you click the Add button (Figure 23-8), an Add New User Wizard appears. It lets you specify the person’s name and the name of the domain that already stores his account. (You can also click the Browse button to search your domain for a specific person.)
When you click Next, the wizard prompts you to specify what level of access you want to grant this person. You have three choices:
Standard user. This person will be allowed to change certain system settings and install programs that don’t affect Windows settings for other users.
Administrator. This person gets the same privileges as a local administrative user.
Other. If you choose this option, you’ll be allowed to specify what local group this person belongs to, as described later in this chapter.
Once the account you selected appears in the User Accounts list, that person is now ready to log into your PC using the local account.
The control panels you’ve read about so far in this chapter are designed for simplicity and convenience, but not for power. Windows offers a second way to create, edit, and delete accounts: an alternative window that, depending on your taste for technical sophistication, is either intimidating and technical or liberating and flexible.
It’s called the Local Users and Groups console.
The quickest way to open up the Local Users and Groups window is to press Windows key+R to open the Run dialog box, type out Lusrmgr.msc, and authenticate yourself if necessary. (Microsoft swears that “Lusrmgr.msc” is not short for “loser manager,” even though network administrators might hear that in their heads.)
The Local Users and Groups console appears, as shown in Figure 23-9.
In this console, you have complete control over the local accounts (and groups, as described in a moment) on your computer. This is the real, raw, unshielded command center, intended for power users who aren’t easily frightened.
The truth is, you probably won’t use these controls much on a domain computer. After all, most people’s accounts live on the domain computer, not the local machine. You might occasionally have to log in using the local Administrator account to perform system maintenance and upgrade tasks, but you’ll rarely have to create new accounts.
Workgroup computers (on a small network) are another story. Remember that you’ll have to create a new account for each person who might want to use this computer—or even to access its files from across the network. If you use the Local Users and Groups console to create and edit these accounts, you have much more control over the new account holder’s freedom than you do with the User Accounts control panel.
Figure 23-9. Local Users and Groups is a Microsoft Management Console (MMC) snap-in. MMC is a shell program that lets you run most of Windows’s system administration applications. An MMC snap-in typically has two panes. You select an item in the left (scope) pane to see information about it displayed in the right (detail) pane.
To create a new account in the Local Users and Groups console, start by double-clicking the Users folder in the middle of the window. It opens to show you a list of the accounts already on the machine. It includes not only the accounts you created during the Win7 installation (and thereafter), but also the Guest and secret Administrator accounts described earlier in this chapter.
To create a new account, choose Action→New User. In the New User dialog box (Figure 23-10), type a name for the account, the person’s full name, and, if you like, a description. (The description can be anything you like, although Microsoft no doubt has in mind “Shipping manager” rather than “Short and balding.”)
In the Password and Confirm Password text boxes, specify the password your new colleague will need to access the account. Its complexity and length are up to your innate sense of paranoia.
If you can’t create a new account, it’s probably because you don’t have the proper privileges yourself. You must have an Administrator account (Administrator vs. Standard Accounts) or belong to the Administrators group (Groups).
If you turn off the “User must change password at next logon” checkbox, then you can turn on options like these:
User cannot change password. This person won’t be allowed to change the password you’ve just made up. (Some system administrators like to maintain sole control over the account passwords on their computers.)
Password never expires. Using software rules called local security policies, an administrator can make account passwords expire after a specific time, periodically forcing employees to make up new ones. It’s a security measure designed to foil intruders who somehow get hold of the existing passwords. But if you turn on this option, the person whose account you’re now creating will be able to use the same password indefinitely, no matter what the local security policy says.
Figure 23-10. When you first create a new user, the “User must change password at next logon” checkbox is turned on. It’s telling you that no matter what password you make up when creating the account, your colleague will be asked to make up a new one the first time he logs in. This way, you can assign a simple password (or no password at all) to all new accounts, but your underlings will still be free to devise passwords of their own choosing, and the accounts won’t go unprotected.
Account is disabled. When you turn on this box, this account holder won’t be able to log on. You might use this option when, for example, somebody goes on sabbatical—it’s not as drastic a step as deleting the account, because you can always reactivate the account by turning the checkbox off. You can also use this option to set up certain accounts in advance, which you then activate when the time comes by turning this checkbox off again.
When an account is disabled, a circled ↓ badge appears on its icon in the Local Users and Groups console. (You may have noticed that the Guest account appears this way when you first install Windows.)
When you click the Create button, you add the new account to the console, and you make the dialog box blank again, ready for you to create another new account, if necessary. When you’re finished creating accounts, click Close to return to the main console window.
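Once accounts exist, the checkbox choices described above can be reviewed from the command line, because `net user <name>` prints each setting as a labelled line. The following is an added example, not part of the book: it parses that text and lists the settings an administrator may want to look at twice. The sample reports are constructed and abridged, the account names are made up, and the English field labels assume an English-language system.

```python
import re

# Constructed, abridged sample text in the layout `net user <name>` prints on
# an English-language Windows system. Account names are made up.
SAMPLE_REPORTS = {
    "robin": """\
User name                    robin
Comment                      Shipping manager
Account active               Yes
Account expires              Never
Password last set            1/5/2010 9:14:22 AM
Password expires             Never
Password required            Yes
User may change password     No
Local Group Memberships      *Administrators       *Users
The command completed successfully.
""",
    "pat": """\
User name                    pat
Account active               Yes
Account expires              Never
Password last set            1/5/2010 9:20:01 AM
Password expires             2/16/2010 9:20:01 AM
Password required            Yes
User may change password     Yes
Local Group Memberships      *Users                *Trusted Comrades
The command completed successfully.
""",
    "Guest": """\
User name                    Guest
Account active               No
Password expires             Never
Password required            No
User may change password     No
Local Group Memberships      *Guests
The command completed successfully.
""",
}


def parse_report(text):
    """Split each 'Label      value' line on the run of two or more spaces."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def groups_of(fields):
    """Group names are listed as '*Name', and a name may contain spaces."""
    raw = fields.get("Local Group Memberships", "")
    return [name.strip() for name in re.findall(r"\*([^*]+)", raw)]


def audit(text):
    """Return the review items for one account report."""
    fields = parse_report(text)
    if fields.get("Account active", "").lower() != "yes":
        return []  # "Account is disabled": nobody can log on with it
    findings = []
    if fields.get("Password expires", "").lower() == "never":
        findings.append("password never expires")       # bypasses expiry policy
    if fields.get("Password required", "").lower() == "no":
        findings.append("blank password allowed")
    if fields.get("User may change password", "").lower() == "no":
        findings.append("user cannot change password")
    if "Administrators" in groups_of(fields):
        findings.append("member of Administrators")
    return findings


def audit_all(reports):
    """Map account name -> findings, keeping only accounts with findings."""
    results = {name: audit(text) for name, text in reports.items()}
    return {name: items for name, items in results.items() if items}


if __name__ == "__main__":
    for name, items in audit_all(SAMPLE_REPORTS).items():
        print(name + ": " + "; ".join(items))
```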
As you may have guessed from its name, you can also use the Local Users and Groups window to create groups—named collections of account holders.
Suppose you work for a small company that uses a workgroup network. You want to be able to share various files on your computer with certain other people on the network. You’d like to be able to permit them to access some folders but not others. Smooth network operator that you are, you solve this problem by assigning permissions to the appropriate files and folders.
In fact, you can specify different access permissions to each file for each person. But if you had to set up these access privileges manually for every file on your hard drive, for every account holder on the network, you’d go out of your mind.
That’s where groups come in. You can create one group—called Trusted Comrades, for example—and fill it with the names of every account holder who should be allowed to access your files. Thereafter, it’s a piece of cake to give everybody in that group access to a certain folder, in one swift step. You end up having to create only one permission assignment for each file, instead of one for each person for each file.
Furthermore, if a new employee joins the company, you can simply add her to the group. Instantly, she has exactly the right access to the right files and folders, without your having to do any additional work.
To create a new group, click the Groups folder in the left side of the Local Users and Groups console (Figure 23-9). Choose Action→New Group. Into the appropriate boxes (Figure 23-11), type a name for the group, and a description, if you like. Then click Add.
Figure 23-11. The New Group dialog box lets you specify the members of the group you’re creating. A group can have any number of members, and a person can be a member of any number of groups.
A Select Users dialog box appears. Here you can specify who should be members of your new group. Type each account holder’s name into the text box, separated by semicolons, and then click Check Names to make sure you spelled them right. (You can always add more members to the group, or remove them, later.)
Finally, click OK to close the dialog box, and then click Create to add the group to the list in the console. The box appears empty again, ready for you to create another group.
You may have noticed that even the first time you opened the Users and Groups window, a few group names appeared there already. That’s because Windows comes with a canned list of ready-made groups that Microsoft hopes will save you some time.
For example, when you use the User Accounts control panel program to set up a new account, Windows automatically places that person into the Standard or Administrators group, depending on whether or not you made him an administrator (Administrator vs. Standard Accounts). In fact, that’s how Windows knows what powers and freedom this person is supposed to have.
Here are some of the built-in groups on a Windows 7 computer:
Administrators. Members of the Administrators group have complete control over every aspect of the computer. They can modify any setting, create or delete accounts and groups, install or remove any software, and modify or delete any file.
But as Spider-Man’s uncle might say, with great power comes great responsibility. Administrator powers make it possible to screw up your operating system in thousands of major and minor ways, either on purpose or by accident. That’s why it’s a good idea to keep the number of Administrator accounts to a minimum—and even to avoid using one for everyday purposes yourself.
The Power Users group was a big deal in Windows XP. Power Users had fewer powers than Administrators, but still more than mere mortals in the Users group. But Microsoft felt that they added complexity and represented yet another potential security hole. In Win7, this group is essentially abandoned.
Users. Standard account holders (Administrator vs. Standard Accounts) are members of this group. They can access their own Start menu and desktop settings, their own Documents folder, the Shared Documents folder, and whatever folders they create themselves—but they can’t change any computer-wide settings, Windows system files, or program files.
If you’re a member of this group, you can install new programs—but you’ll be the only one who can use them. That’s by design; any problems introduced by that program (viruses, for example) are limited to your files and not spread to the whole system.
If you’re the administrator, it’s a good idea to put most new account holders into this group.
Guests. If you’re in this group, you have pretty much the same privileges as members of the Users group. You lose only a few nonessential perks, like the ability to read the computer’s system event log (a record of behind-the-scenes technical happenings).
In addition to these basic groups, there are some special-purpose groups like Backup Operators, Replicator, Cryptographic Operators, Event Log Readers, and so on. These are all groups with specialized privileges, designed for high-end network administration. You can double-click one (or widen its Description column) to read all about it.
To edit an account or group, just double-click its name in the Local Users and Groups window. A Properties dialog box appears, as shown in Figure 23-12.
Figure 23-12. In the Properties dialog box for a user account, you can change the full name or description, modify the password options, and add this person to, or remove this person from, a group. The Properties dialog box for a group is simpler still, containing only a list of the group’s members.
You can also change an account password by right-clicking the name and choosing Set Password from the shortcut menu. (But see Deleting User Accounts for some cautions about this process.)
Suppose you’re signed in and you’ve got things just the way you like them. You have 11 programs open in carefully arranged windows, your Web browser is downloading some gigantic file, and you’re composing an important speech in Microsoft Word. Now Robin, a coworker/family member/fellow student, wants to duck in to do a quick email check.
In the old days, you might have rewarded Robin with eye-rolling and heavy sighs, or worse. If you chose to accommodate the request, you would have had to shut down your whole ecosystem—interrupting the download, closing your windows, saving your work, and exiting your programs. You would have had to log off completely.
Thanks to Fast User Switching, however, none of that is necessary.
All you have to do is press the magic keystroke, Windows key+L (which locks the screen), and then click Switch User. (Maybe it’s more direct to just choose Start→“Shut down”→“Switch user.”)
Now the list of accounts appears (Figure 23-13), ready for the next person to sign in.
Figure 23-13. At this moment, you have several alternatives. If you click the button (lower-right corner of the screen), you can make the computer turn off, restart, sleep, and so on—maybe because you’re in a sudden panic over the amount of work you have to do. Or you can just log in.
The words “Logged on” beneath your name indicate that you haven’t actually logged off. Instead, Windows has memorized the state of affairs in your account—complete with all open windows, documents, and programs—and shoved it into the background.
Robin can now click the Robin button to sign in normally, do a little work, or look something up. When Robin logs out, the accounts screen comes back once again, at which point you can log on again. Without having to wait more than a couple of seconds, you find yourself exactly where you began, with all your programs and documents still open and running—an enormous timesaver.
When it comes to the screens you encounter when you log onto a Windows computer, your mileage may vary. What you see depends on how your PC has been set up. For example:
This is what people on standalone or workgroup computers see most of the time (Figure 23-13).
To sign in, click your account name in the list. If no password is required for your account, you proceed to your Windows desktop with no further interruption.
If there is a password associated with your account, you see a place for it. Type your password and then press Enter (or click the blue arrow button).
There’s no limit to the number of times you can try to type in a password. With each incorrect guess, you’re told, “The user name or password is incorrect,” and an OK button appears to let you try again. The second time you try, your password hint appears, too (Editing an Account).
If you’re the only account holder, and you’ve set up no password for yourself, you can cruise all the way to the desktop without any stops. The setup steps appear in the box on The Secret, Fully Automatic Logon Trick.
This password-free scenario, of course, is not very secure; any evildoer who walks by your machine when you’re in the bathroom has complete access to all your files (and protected Web sites). But if you work in a home office, for example, where the threat of privacy invasion isn’t very great, it’s by far the most convenient arrangement.
You or your friendly network geek has added your PC to a domain while installing Windows 7 and activated the “Require Users to Press Ctrl-Alt-Delete” option. This is the most secure configuration, and also the least convenient.
Even when you’re looking at the standard, friendly Accounts screen (Figure 23-13), you can switch to the older, Classic logon screen: Just press Ctrl+Alt+Delete. (If you’re having trouble making it work, try pressing down the Alt key before the other ones.)
You may be used to using the Ctrl+Alt+Delete keystroke for summoning the box where you can open the Task Manager or lock your computer; but at the Accounts screen, it means something else entirely.
As you’ve read earlier in this chapter, every document, icon, and preference setting related to your account resides in a single folder: By default, it’s the one bearing your name in the Local Disk (C:)→Users folder. This folder’s friendly name is your Personal folder, but to network geeks, it’s known as your user profile.
Each account holder has a user profile. But your PC also has a couple of profiles that aren’t linked to human beings’ accounts.
Have you ever noticed, for example, that not everything you actually see in your Start menu and on your desktop is, in fact, in your user profile folder?
Part of the solution to this mystery is the Public profile, which also lurks in the Users folder (Figure 23-14). As you can probably tell by its name, this folder stores many of the same kinds of settings your profile folder does—except that anything in (C:)→Users→Public→Desktop appears on everybody’s desktop.
Figure 23-14. Behind the scenes, Windows maintains another profile folder, whose subfolders closely parallel those in your own. What you see—the contents of the Desktop, Documents folder, Favorites list, and so on—is a combination of what’s in your own user profile folder and what’s in the Public folder.
All of this is a long-winded way of suggesting another way to make some icon available to everybody with an account on your machine. Drag it into the Desktop folder in the Public profile folder.
But if you’re wondering where the common Start menu items are, you’ll have to look somewhere else. If you’re prowling around your hard drive, you’ll find them in (C:)→ProgramData→Microsoft→Windows→Start Menu. But the ProgramData folder is ordinarily hidden, so here’s a faster way: Open the Start menu, right-click All Programs, and then choose Open All Users.
These locations also offer a handy solution to the “Whose software is it, anyway?” conundrum, the burning question of whose Start menu and desktop reflect new software that you’ve installed using your own account.
As noted in Chapter 6, some software installers ask if you’d like the new program to show up only in your Start menu, or in everybody’s Start menu. But not every installer is this thoughtful. Some installers automatically deposit their new software into the ProgramData and Public folders, thereby making its Start menu and desktop icons available to everybody when they log on.
On the other hand, some installers may deposit a new software program only into your account (or that of whoever is logged in at the moment). In that case, other account holders won’t be able to use the program at all, even if they know it’s been installed, because their own Start Menu and Desktop folders won’t reflect the installation. Worse, some people, not seeing the program’s name on their Start menus, might not realize that you’ve already installed it—and may well install it again.
One possible solution is to open the Start Menu→Programs folder in your user profile folder (open the Start menu, right-click All Programs, and choose Open). Copy the newly installed icon, and then paste it into the “everybody” profile folder (open the Start menu, right-click All Programs, and then choose Open All Users.)
Repeat with the Desktop folder, if you’d like everyone to see a desktop icon for the new program. To open the shared desktop folder, open (C:)→Users→Public→Desktop. (You’ll have to make the Desktop folder visible first—see “Show hidden files, folders, and drives” on The “Folder Options” Options—and then make it invisible again afterward.) You’ve just made that software available and visible to everybody who logs onto the computer.
When you create a new account, who decides what the desktop picture will be—and the Start menu configuration, the assortment of desktop icons, and so on?
Well, Microsoft does, of course—but you can change all that. What a newly created account holder sees is only a reflection of the Default user profile. It’s yet another folder—this one usually hidden—in your (C:)→Users folder, and it’s the common starting point for all profiles.
If you’d like to make some changes to that starting point, turn on “Show hidden files, folders, and drives” (The “Folder Options” Options). Then open the (C:)→Users→Default folder, and make whatever changes you like.
There’s one final aspect of user accounts that’s worth mentioning: NTFS permissions, a technology that’s a core part of Windows 7’s security system. Using this feature, you can specify exactly which coworkers are allowed to open which files and folders on your machine. In fact, you can also specify how much access each person has. You can dictate, for example, that Gomez and Morticia aren’t allowed to open your Fourth-Quarter Projections spreadsheet at all, that Fred and Ginger can open it but not make changes, and George and Gracie can both open it and make changes.
Your colleagues will encounter the permissions you’ve set up like this in two different situations: when tapping into your machine from across the network, or when sitting down at it and logging in using their own names and passwords. In either case, the NTFS permissions you set up protect your files and folders equally well.
Figure 23-15. The Security tab of an NTFS folder’s Properties dialog box. If you have any aspirations to be a Windows power user, get used to this dialog box. You’re going to see it a lot, because almost every icon on a Windows system—files, folders, disks, printers—has a Security tab like this one.
In Chapter 26, you can read about a very similar form of access privileges called share permissions. There’s a big difference between share permissions and the NTFS permissions described here, though: Share permissions keep people out of your stuff only when they try to access your PC from over the network.
Actually, there are other differences, too. NTFS permissions offer more gradations of access. And using NTFS permissions, you can declare individual files—not just folders—accessible or inaccessible to specific coworkers. See NTFS Permissions: Protecting Your Stuff for details.
Using NTFS permissions is most decidedly a power-user technique because of the added complexity it introduces. Entire books have been written on the topic of NTFS permissions alone.
You’ve been warned.
To change the permissions for an NTFS file or folder, you open its Properties dialog box by right-clicking its icon and then choosing Properties from the shortcut menu. Click the Security tab (Figure 23-15).
The top of the Security tab lists the people and groups that have been granted or denied permissions to the selected file or folder. When you click a name in the list, the Permissions box at the bottom of the dialog box shows you how much access that person or group has.
The first step in assigning permissions, then, is to click Edit. You see an editable version of the dialog box shown in Figure 23-15.
If the person or group isn’t listed, click the Add button to display the Select Users or Groups dialog box, where you can type them in (Figure 23-16).
Figure 23-16. Type the names of the people or groups in the “Enter the object names to select” box at the bottom, trying not to feel depersonalized by Microsoft’s reference to you as an “object.” If you’re adding more than one name, separate them with semicolons. Because remembering exact spellings can be iffy, click Check Names to confirm that these are indeed legitimate account holders. Finally, click OK to insert them into the list on the Security tab.
Instead of typing in names one at a time, as shown in Figure 23-16, you can also choose them from a list, which lets you avoid spelling mistakes and having to guess at the variations. To do so, click the Advanced button to display an expanded version of the dialog box, and then click Find Now to search for all the accounts and groups on the computer. Finally, in the resulting list, click the names of the people and groups you want to add (Ctrl+click to select more than one at a time). Click OK to add them to the previous dialog box, and then click OK again to add the selected users and groups to the Security tab.
If you’ve used Windows 2000, you might wonder why this process is so much more convoluted in Windows 7. The answer is: Good question!
Once you’ve added the users and groups you need to the list on the Security tab, you can highlight each one and set permissions for it. You do that by turning on the Allow or Deny checkboxes at the bottom half of the dialog box.
The different degrees of freedom break down as follows (they’re listed here from least to most control, even though that’s not how they’re listed in the dialog box):
List folder contents, available only for folders, means that the selected individuals can see (but not necessarily open) the files and folders inside. That may sound obvious—but believe it or not, if you don’t turn on this option, the affected people won’t even be able to see what’s in this folder. The folder will just appear empty.
Read lets people examine the contents of the file or folder, but not make changes. (They can also examine the permissions settings of these files and folders—the ones you’re setting up right now.)
Read & Execute is a lot like Read, except that it also lets people run any programs they find inside the affected folder. When applied to a folder, furthermore, this permission adds the ability to traverse folders. (Traversing means directly opening inner folders even when you’re not allowed to open the outer folder. You might get to an inner folder by double-clicking a shortcut icon, for example, or by typing the folder’s path into the address bar of a window.)
Write is like Read, but adds the freedom to make and save changes to the file. When applied to a folder, this permission means that people can create new files and folders inside it.
Modify includes all the abilities of the Write and Read & Execute levels, plus the ability to delete the file or folder.
Full control confers complete power over the file or folder. The selected person or group can do anything they like with it, including trashing it or its contents, changing its permissions, taking ownership of it (away from you, if they like), and so on.
Of course, turning on Allow grants that level of freedom to the specified user or group, and turning it off takes away that freedom. (For details on the Deny checkbox, see the box on the facing page.)
If you’re not careful, it’s entirely possible to “orphan” a file or folder (or even your entire drive) by revoking everyone’s permission to it, even your own, making it completely inaccessible by anyone. That’s why, before you get too deeply into working with NTFS permissions, you might consider creating an extra user account on your system and granting it full control for all your drives, just in case something goes wrong.
Once you understand the concept of permissions, and you’ve enjoyed a thorough shudder contemplating the complexity of a network administrator’s job (six levels of permissions x thousands of files x thousands of employees = way too many permutations), one other mystery of Windows will fully snap into focus: the purpose of groups, introduced on Groups.
On those pages, you can read about groups as canned categories, complete with predefined powers over the PC, into which you can put different individuals to save yourself the time of adjusting their permissions and privileges individually. As it turns out, each of the ready-made groups also comes with predefined permissions over the files and folders on your hard drive.
Here, for example, is how the system grants permissions to the items in your Windows folder for the Users and Administrators groups:
If you belong to the Users group, you have the List Folder Contents permission, which means you can see what’s in the Windows folder; the Read permission, which means you can open up anything you find inside; and the Read & Execute permission, which means you can run programs in that folder (which is essential for Windows itself to run). But people in the Users group aren’t allowed to change or delete anything in the Windows folder, or to put anything else inside. Windows is protecting itself against the mischievous and the clueless.
Members of the Administrators group have all those abilities and more—they also have Modify and Write permissions, which let them add new files and folders to the Windows folder (so that, for example, they can install a new software program on the machine).
If you successfully absorbed all this information about permissions, one thing should be clear: People in the Administrators group ought to be able to change or delete any file in your Windows folder. After all, they have the Modify permission, which ought to give them that power.
In fact, they can move or delete anything in any folder in the Windows folder, because the first cardinal rule of NTFS permissions is this:
In other words, if you have the Modify and Write permissions to a folder, then you ought to have the same permissions for every file and folder inside it.
But in Windows XP, there was something called the Power Users group. It’s been turned off in Windows 7, but for the sake of illustration, let’s say you’re part of it. You’d find that you can’t, in fact, delete any files or folders in the Windows folder. That’s because each of them comes with Modify and Write permissions turned off for Power Users, even though the folder that encloses them has those permissions turned on.
Why would Microsoft go to this trouble? Because it wanted to prevent people in this group from inadvertently changing or deleting important Windows files—and yet it wanted these people to be able to put new files into the Windows folder, so they can install new programs.
This is a perfect example of the second cardinal rule of NTFS permissions:
Here’s another example: Suppose your sister, the technical whiz of the household, has given you Read, Write, Modify, Read & Execute, and List Folder Contents permissions to her own Documents folder. Now you can read, change, or delete any file there. But she can still protect an individual document or folder inside her Documents folder—the BirthdayPartyPlans.doc file, for example—by denying you all permissions to it. You’ll be able to open anything else in there, but not that file.
Believe it or not, NTFS permissions get even more complicated, thanks to the third cardinal rule:
Now suppose your sister has given you the Read and List Folder Contents permissions to her Documents folder—a “look, but don’t touch” policy. Thanks to the first cardinal rule, you automatically get the same permissions to every file and folder inside Documents.
Suppose one of these inner folders is called Grocery Lists. If she grants you the Modify and Write permissions to the Grocery Lists folder so you can add items to the shopping list, you end up having Read, Modify, and Write permissions for every file in that folder. Those files have accumulated permissions—they got the Read permission from Documents, and the Modify and Write permissions from the Grocery Lists folder.
Because these layers of inherited permissions can get dizzyingly complex, Microsoft has prepared for you a little cheat sheet, a dialog box that tells you the bottom line, the net result—the effective permissions. To see it, follow these steps:
Click the Advanced button on the Security tab.
The Advanced Security Settings dialog box appears.
Click the Effective Permissions tab; click Select.
Now you see the same Select User or Group dialog box you saw earlier when you were creating permissions.
Figure 23-17. The Effective Permissions tab for an NTFS folder. Note that you can’t turn these checkboxes on or off; this is a read-only screen that tells you what permissions the selected user or group has for the file or folder. You can’t modify the permissions here. You can’t tell from this display how these effective permissions have been calculated, either (that is, where the permissions have been inherited from).
Click the user or group whose effective permissions you want to see, and then click OK.
You now see checkmarks next to the permissions that are in effect for that user or group on that particular file or folder, taking into account folder-permission inheritance and all other factors (Figure 23-17).
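To see how a bottom line like the one on the Effective Permissions tab comes about, here is an added example (a simplified model written for this page, not Windows’s own code and not from the book) that works through the sister’s Documents folder and the group idea from earlier in the chapter. It goes slightly beyond the text by combining both Documents scenarios in one tree and granting the “look, but don’t touch” access through the Trusted Comrades group. Assumptions: the account names “you” and “sister,” the file milk.txt, treating the six checkboxes as independent flags, and the standard NTFS evaluation order (an item’s own entries before inherited ones, Deny before Allow at each level).

```python
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE, MODIFY = "Read", "Write", "Modify"
LIST, EXECUTE, FULL = "List folder contents", "Read & Execute", "Full control"
ALL = frozenset({LIST, READ, EXECUTE, WRITE, MODIFY, FULL})
FOLDER_ONLY = frozenset({LIST})  # the text: "available only for folders"


@dataclass(frozen=True)
class Ace:
    """One row of the Security tab: a trustee plus Allow or Deny checkboxes."""
    trustee: str            # account name or group name
    allow: bool             # True = Allow column, False = Deny column
    perms: frozenset


@dataclass
class Node:
    """A file or folder with its own (explicit) entries and a parent folder."""
    name: str
    is_folder: bool
    parent: Optional["Node"] = None
    explicit: list = field(default_factory=list)


def ordered_aces(node):
    """Entries in evaluation order: the item's own first, then each enclosing
    folder's from nearest to farthest; within each level Deny precedes Allow."""
    level, out = node, []
    while level is not None:
        entries = level.explicit
        if level is not node and not node.is_folder:
            # Folder-only permissions do not flow down onto files.
            entries = [Ace(a.trustee, a.allow, a.perms - FOLDER_ONLY) for a in entries]
        out += [a for a in entries if not a.allow] + [a for a in entries if a.allow]
        level = level.parent
    return out


def effective(node, user, groups):
    """Net permissions for `user`: the first matching entry that mentions a
    permission settles it, so an explicit Deny beats an inherited Allow, and
    Allows from different folders and groups accumulate."""
    identities = {user} | {g for g, members in groups.items() if user in members}
    granted, settled = set(), set()
    for ace in ordered_aces(node):
        if ace.trustee in identities:
            fresh = ace.perms - settled
            if ace.allow:
                granted |= fresh
            settled |= fresh
    return granted


def build_demo():
    """The sister's Documents folder from the text, as constructed sample data."""
    groups = {"Trusted Comrades": {"you"}}
    documents = Node("Documents", True, explicit=[
        Ace("sister", True, ALL),
        Ace("Trusted Comrades", True, frozenset({READ, LIST})),
    ])
    grocery = Node("Grocery Lists", True, documents, [
        Ace("you", True, frozenset({MODIFY, WRITE})),
    ])
    milk = Node("milk.txt", False, grocery)            # hypothetical file
    party = Node("BirthdayPartyPlans.doc", False, documents, [
        Ace("you", False, ALL),                        # Deny everything, for "you" only
    ])
    return groups, {"documents": documents, "grocery": grocery,
                    "milk": milk, "party": party}


if __name__ == "__main__":
    groups, tree = build_demo()
    for key in ("documents", "grocery", "milk", "party"):
        print(tree[key].name, "->", sorted(effective(tree[key], "you", groups)))
    groups["Trusted Comrades"].add("robin")   # one step gives Robin the group's access
    print("robin on milk.txt ->", sorted(effective(tree["milk"], "robin", groups)))
```

Because the Deny on BirthdayPartyPlans.doc names only “you,” adding Robin to Trusted Comrades also lets Robin read that file, which is the kind of side effect the Effective Permissions tab is there to reveal.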