Chapter 6: Sharing Your Computer with Multiple Users
Setting Up a Computer for Multiple Users
When several people share a computer, local user accounts allow each person to personalize the user interface without inconveniencing the other users. The user accounts can have passwords, to prevent people from logging on as each other, or you can dispense with passwords, if security isn't a concern.
We recommend creating a password for each user account, even if it's an obvious one. Passwords prevent toddlers or bored passersby from using your computer, even if the password is simply "xxx" or the same as the user name. When you start using Windows XP, you are automatically logged on with an administrator user account named Administrator (in Windows XP Professional) or Owner (in Windows XP Home Edition), unless you tell the Windows XP Setup Wizard the names of the people who will use the computer (which causes the Setup Wizard to create administrator accounts for each of them). Using this administrator account, you can create user accounts for the people who will use the computer, giving each person the appropriate type of account (administrator or limited) based on the person's level of use.
In Windows XP Professional, user account features can be set in one of two ways: through the newly designed User Accounts window, or through the Windows 2000-based Microsoft Management Console. Windows XP Home Edition provides only the User Accounts window: you can't see user account information in the Microsoft Management Console.
The User Accounts Window
To make basic changes to local user accounts or to create new accounts, choose Start | Control Panel and click User Accounts. You see the User Accounts window shown in Figure 6-1. The existing accounts appear in the lower part of the window.
Figure 6-1: Creating or changing user accounts (when logged on with an administrative account)
Displaying Local Users and Groups in the Microsoft Management Console
For more advanced settings, you need to use the Local Users And Groups utility in the Microsoft Management Console (MMC), a program that can display various Windows configuration tools. The Local Users And Groups utility is not available in Windows XP Home Edition, but in Windows XP Professional, choose Start, right-click My Computer, and choose Manage from the menu that appears. You see the Computer Management window. Open the System Tools item in the left (tree) pane if it's not already open by clicking its plus box. Click Local Users And Groups to see the Users and Groups folders, and click the Users or Groups folder to see its contents (as shown in Figure 6-2).
Figure 6-2: The Computer Management utility displays information about the user accounts and groups defined on the computer.
Controlling How Users Log On
As the administrator of your PC, you can choose how Windows asks people to log on. You have two choices:
- Welcome screen: The Windows XP Welcome screen displays a picture and name for each user account, so that users click the one they want. If the user account has a password, a white box appears in which the user types a password.
- Classic logon screen: A Windows Me/9x-style logon screen, in which you type the user account name and password. Fast User Switching isn't available if you use the Classic logon screen.
If you use the Welcome screen, you can also choose whether or not to enable Fast User Switching. To choose between the Welcome screen and the Classic logon screen, and to enable or disable Fast User Switching, you must be logged on with an administrator account. Follow these steps:
- Make sure that you are the only user who is logged on.
- Choose Start | Control Panel, and click User Accounts to display the User Accounts window (see Figure 6-1).
- Click Change The Way Users Log On Or Off. You see the User Accounts window shown in Figure 6-3.
Figure 6-3: Administrator users can control how all users log on and off.
- Make your selections using the Use The Welcome Screen check box and the Use Fast User Switching check box, and click the Apply Options button.
If security is a concern, use the Classic logon screen, which doesn't display the names of the user accounts. If a person has to type both a user name and a password, they need to know twice as much to break into your system.
Creating and Deleting Groups
Windows comes with groups for the three types of user accounts: Administrator user accounts are in the Administrators group, limited user accounts are in the Users group, and the Guest account is alone in the Guest group. Windows XP Professional has other groups (Backup Operators, Network Configuration Operators, Power Users, Remote Desktop Users, Replicator, and HelpServicesGroup) which are usually used only on domain-based LANs.
If you have Windows XP Professional, you can create new groups, assign users to groups, and delete groups by using the Local Users And Groups item in the Computer Management window. (Windows XP Home Edition doesn't include the Local Users And Groups program.) You can change a group's name and its members, and you can grant the members of the group permission to use specific files and folders.
Domain-based accounts, which are stored in the Active Directory program running on a Windows server, have domain groups. You can't define or change domain groups unless you have access to the Windows authentication services that control the domain's user accounts and groups.
To create a local group, follow these steps:
- Log on with an administrator account.
- Choose Start, right-click My Computer, and choose Manage to display the Computer Management window (see Figure 6-2).
- Open the Local Users And Groups folder and then the Groups folder.
- Choose Action | New Group to display the New Group window.
- Type a name for the group (don't use the name of an existing group) and a description (optional).
- Click Create. Then click Close. The new group appears on the list of groups.
To add members to a group, select the group from the list in the Groups folder and choose Action | Add To Group. When you see the group Properties dialog box (shown in Figure 6-4), click Add to see the Select User dialog box, type the user account name in the Name box, and click OK. (The other settings in the Select User dialog box apply to domain-based networks.) To remove a user from a group, click the user account name in the group Properties dialog box and click Remove.
Figure 6-4: Properties of a group
To rename a group, select it and choose Action | Rename. Feel free to rename groups that you have created, but don't rename any of the groups that come with Windows, because these names may be referred to in Windows utility programs.
The next section describes how to see and change the User Rights Assignment settings, which control the rights that a group gives to its members.
Other Security Options
Windows XP Professional (not Home Edition) has many other security options, but most are of interest only if your computer is on a domain-based LAN. Here's a quick once-over of policy settings--settings that control how accounts, passwords, and groups work.
If you want to look at policy settings that control users' passwords, how many times someone can type the wrong password before Windows locks the user account, and which rights are assigned to which groups, you can open the Local Security Settings window (see Figure 6-5). Choose Start | Control Panel, click Performance And Maintenance, and click Administrative Tools. From the Administrative Tools window, run the Local Security Policy program. (Or, choose Start | Run and type secpol.msc and press ENTER.)
Figure 6-5: The Local Security Settings window
The folders listed on the left side of the window contain groups of policy settings:
- Password Policy (in the Account Policies folder): Control whether user accounts need passwords, how complex they need to be, and how often people have to change them.
- Account Lockout Policy (in the Account Policies folder): Control whether user accounts are locked out if someone types the wrong password more than a specified number of times.
- Audit Policy (in the Local Policies folder): Control what security events are included in audit log files.
- User Rights Assignment (in the Local Policies folder): Control which groups of user accounts can perform which types of tasks.
- Security Options (in the Local Policies folder): Include a variety of security settings, including who may install printers, use the CD-ROM and floppy drives, and whether you can shut the system down without logging on.
Click a setting and click the Properties button on the toolbar (or right-click the setting and choose Properties) to see what the options are for that policy setting.
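The same Password Policy, Account Lockout Policy, and Audit Policy settings can be reviewed offline from a text export. The following is an added example, not part of the original chapter: it assumes the policy was exported with the secedit command-line tool (secedit /export /cfg <file>), which this chapter does not cover, and it reports the settings in those three folders that are switched off. The sample export is constructed, and the names review_policy and DISABLED_VALUES are illustrative.

```python
import configparser

# Constructed sample in the INF layout that `secedit /export /cfg <file>` writes.
# Real exports are UTF-16: read them with open(path, encoding="utf-16").read().
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (key in [System Access], value that switches the control off, finding text)
DISABLED_VALUES = [
    ("MinimumPasswordLength", 0, "Password Policy: blank passwords are allowed"),
    ("PasswordComplexity", 0, "Password Policy: complexity requirements are off"),
    ("MaximumPasswordAge", -1, "Password Policy: passwords never expire"),
    ("LockoutBadCount", 0, "Account Lockout Policy: accounts are never locked out"),
]

def review_policy(export_text):
    """Return findings for settings that are switched off in an export."""
    policy = configparser.ConfigParser(interpolation=None, strict=False)
    policy.optionxform = str  # keep the keys' original case
    policy.read_string(export_text)
    findings = []
    for key, off_value, message in DISABLED_VALUES:
        # A missing section or key yields None and is not reported.
        if policy.getint("System Access", key, fallback=None) == off_value:
            findings.append(message)
    if policy.has_section("Event Audit"):
        for key, value in policy.items("Event Audit"):
            if int(value) == 0:  # 0 = no auditing, 1 = success, 2 = failure, 3 = both
                findings.append(f"Audit Policy: {key} is not audited")
    return findings

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_EXPORT):
        print(finding)
```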