This section is dedicated to computers in a workgroup network—or no network at all. If your computer is a member of a domain, skip to “Local Accounts on a Domain Computer,” later in this chapter.
To see what accounts are already on your PC, choose Start→Control Panel, and then open the User Accounts icon. You’ll see a list of existing accounts (Figure 17-1).
Figure 17-1. This screen lists everyone for whom you’ve created an account. From here, you can create new accounts or change people’s passwords. (Hint: To change account settings, just click the person’s name on the bottom half of the screen. Clicking the “Change an account” link at top requires an extra, redundant click.)
If you see more than one account here—not just yours—then one of these situations probably applies:
You created them when you installed Windows XP Pro, as described in Appendix A.
Tip
All of the accounts you create when you first install Windows XP become Administrator accounts, as described in the following section.
You bought a new computer with Windows XP preinstalled, and created several accounts when asked to do so the first time you turned on the machine.
You upgraded the machine from an earlier version of Windows. Windows XP gracefully imports all of your existing accounts.
Note
Upgrader beware: If you’ve upgraded from Windows 98 or Me, Windows XP treats all of these imported accounts as Administrator accounts, described below. It also wipes out their passwords, which leaves open a security hole the size of Canada. Promptly after upgrading, therefore, you should take a moment to assign passwords and downgrade account types to Limited, as described below.
If you’re new at this, there’s probably just one account listed here: yours. This is the account that Windows XP created when you first installed it.
It’s important to understand the phrase that appears just under each person’s name. On your own personal PC, the words “Computer administrator” probably appear underneath yours.
Because you’re the person who installed Windows XP to begin with, the PC assumes that you’re one of its administrators—the technical wizards who will be in charge of it. You’re the teacher, the parent, the resident guru. You’re the one who will maintain this PC and who will be permitted to make system-wide changes to it.
You’ll find settings all over Windows XP Professional (and all over this book) that only people with “Computer administrator” accounts can change. For example, only an administrator is allowed to:
Create or delete accounts and passwords on the PC.
Install new programs (and certain hardware components).
Make changes to certain Control Panel programs that are off-limits to non-administrators.
See and manipulate any file on the machine.
As you go about creating accounts for other people who’ll use this PC, you’ll be offered the opportunity to make each one an administrator just like you. Needless to say, use discretion. Bestow these powers only upon people as responsible and technically masterful as you.
Anyone who isn’t an administrator is an ordinary, everyday Limited account holder. “Limited” people have everyday access to certain Control Panel settings—the ones that pertain to their own computing environments. But most other areas of the PC are off-limits, including everybody else’s My Documents folders, Windows system files, and so on.
If you’re a Limited account holder, in other words, your entire world consists of the Start menu, your My Documents folder, the Shared Documents folder, and any folders you create.
Tip
If a Limited account holder manages to download a computer virus, its infection will be confined to his account. If an administrator catches a virus, on the other hand, every file on the machine is at risk.
That’s a good argument for creating as few computer administrator accounts as possible. In fact, some Windows pros don’t even use Administrator accounts themselves. Even they use Limited accounts, keeping one Administrator account on hand only for new software or hardware installations, account or password changing, and similar special cases.
Once you’ve opened the User Accounts program in the Control Panel, it’s easy to create a new account: just click the “Create a new account” link shown in Figure 17-1. (You see this link only if you are, in fact, an administrator.)
A wizard guides you through the selection of a name and an account type (see Figure 17-2).
When you’re finished with the settings, click the Create Account button (or press Enter). After a moment, you return to the User Accounts screen (Figure 17-1), where the new person’s name joins whatever names were already there. You can continue adding new accounts forever or until your hard drive is full, whichever comes first.
Figure 17-2. Top left: If it’s all in the family, the account’s name could be Chris or Robin. If it’s a corporation or school, you’ll probably want to use both first and last names. Capitalization doesn’t matter, but most punctuation is forbidden. Bottom right: This is the master switch that lets you specify whether or not this unsuspecting computer user will be a computer administrator, as described above.
Tip
If you never had the opportunity to set up a user account when installing Windows XP—if you bought a PC with Windows XP already on it, for example—you may see an account named Owner already in place. Nobody can use Windows XP at all unless there’s at least one Administrator account on it, so Microsoft is doing you a favor here.
Just use the User Accounts program in the Control Panel to change the name Owner to one that suits you better. Make that account your own using the steps in the following paragraphs.
Although the process of creating a new account is swift and simple, it doesn’t offer you much in the way of flexibility. You don’t even have a chance to specify the new person’s password, let alone the tiny picture that appears next to the person’s name and at the top of the Start menu (rubber ducky, flower, or whatever).
That’s why the next step in creating an account is usually editing the one you just set up. To do so, once you’ve returned to the main User Accounts screen (Figure 17-1), click the name or icon of the freshly created account. You arrive at the screen shown at the top in Figure 17-3, where—if you are an administrator—you can choose from any of these options:
Change the name. You’ll be offered the opportunity to type in a new name for this person and then click the Change Name button—just the ticket when one of your co-workers gets married or joins the Witness Protection Program.
Create a password. Click this link if you’d like to require a password for access to this person’s account (Figure 17-3, bottom). Capitalization counts.
The usual computer book takes this opportunity to stress the importance of having a long, complex password, such as a phrase that isn’t in the dictionary, something made up of mixed letters and numbers, and not “password.” This is excellent advice if you create sensitive documents and work in a corporation.
But if you share the PC only with a spouse or a few trusted colleagues in a small office, for example, you may have nothing to hide. You may see the multiple-users feature more as a convenience (for keeping your settings and files separate) than a way of protecting secrecy and security.
In these situations, there’s no particular need to dream up a convoluted password. In fact, you may want to consider setting up no password—leaving both password blanks empty. Later, whenever you’re asked for your password, just leave the Password box blank. You’ll be able to log on that much faster each day.
If you do decide to provide a password, you can also provide a hint (for yourself or whichever co-worker’s account you’re operating on). This is a hint than anybody can see (including bad guys trying to log on as you), so choose something meaningful only to you. If your password is the first person who ever kissed you plus your junior-year phone number, for example, your hint might be “first person who ever kissed me plus my junior-year phone number.” Later, if you ever forget your password, you’ll be offered an opportunity to view this hint at sign-in time to jog your memory.
Tip
When you’re creating accounts that other people will use for the purpose of accessing their machines from across the network, set up the same passwords they use when logging onto their own computers. You’ll save them time and hassle. Once they’ve logged onto another machine on the network, they’ll be able to connect to their own without having to type in another name and password.
By the way, it’s fine for you, an administrator, to create the original passwords for new accounts. But don’t change their passwords later on, after they’ve been using the computer for a while. If you do, you’ll wipe out various internal security features of their accounts, including access to their stored Web site passwords and stored passwords for shared folders and disks on the network (Chapter 20). See the box on winxppro Section 17.3.5 for details.
Figure 17-3. Top: Here’s the master menu of account changing options that you, an administrator, can see. (If you’re a Limited account holder, you see far fewer options.) Bottom: You’re supposed to type your password twice, to make sure you didn’t introduce a typo the first time. (The PC shows only dots as you type, to guard against the possibility that some villain is snooping over your shoulder.)
Make your files private. The first time you make up a password for your own account, another screen asks: “Do you want to make your files and folders private?” If you’re using the accounts feature more for convenience than for security—if you and your boss are married and have no secrets from each other, for example—click No.
Note
The private-folder feature is available only on hard drives you’ve formatted using the NTFS scheme, as described on Section A.3.
But if you click the button labeled “Yes, Make Private,” Windows takes a minute to mark everything in your user profile folder off-limits to other account holders. (Your user profile folder is the one bearing your name in the Documents and Settings folder on your hard drive.) Henceforth, if anyone else tries to open any of your files or folders (when they’re logged in under their own names), they’ll get nothing but a curt “Access is denied” message.
(Technically, making a folder private even shields it from the eyes of the machine’s Administrator account holders—but it’s a pretty flimsy shield. A determined administrator can burrow past this wisp of protection to examine your files, if she’s determined to do so, or even change your password late one night to gain full access to your stuff.)
Note that even if you do make your files and folders private, you’ll still be able to share selected files and folders with other people. You just put them into the Shared Documents folder described on Section 3.1.
Tip
You can make any of your own folders private—or un-private, for that matter. Just right-click the folder; from the shortcut menu, choose Properties; click the Sharing tab; and turn “Make this folder private” on or off.
To make your entire world un-private, for example, you’d perform this surgery on your user profile folder in the Documents and Settings folder ( Section 17.7.1.4).
Change the picture. The usual sign-in screen (Figure 17-14) displays each account holder’s name, accompanied by a little picture. When you first create the account, however, it assigns a picture to you at random—and not all of them are necessarily appropriate for your personality. Not every extreme-sport headbanger, for example, is crazy about being represented by a dainty flower or butterfly.
If you like the selections that Microsoft has provided (drag the vertical scroll bar to see them all), just click one to select it as the replacement graphic. If you’d rather use some other graphics file on the hard drive instead—a digital photo of your own face, for example—you can click the “Browse for more pictures” link (Figure 17-4). You’ll be shown a list of the graphics files on your hard drive so that you can choose one, which Windows then automatically scales down to postage stamp size (48 pixels square).
Change the account type. Click this link to change a Limited account into an Administrator account, or vice versa. You might want to use this option, for Local Accounts on a Workstation 522 windows xp pro: the missing manual example, after upgrading a Windows 98 or Windows Me computer to Windows XP—a process that otherwise leaves all existing user accounts as Administrator accounts.
Delete the account. See section 17.3.5.
You’re free to make any of these changes to any account at any time; you don’t have to do it just after first creating the account.
Tip
If the User Accounts program looks nothing like the illustrations in this chapter so far, it’s probably because you have only a Limited account. In that case, opening User Accounts in the Control Panel offers only certain links: “Create a password” (or “Change my password”), “Change my picture,” and “Set up my account to use a .NET Passport.” Only a computer administrator can make the other kinds of changes described here.
Figure 17-4. Right: Here’s where you change your account picture. If a camera or scanner is attached, you get an extra link here, “Get a picture from a camera or scanner”— instant picture. And here’s a tip: If you like to change your picture with your mood, there’s a shortcut to this dialog box. Just click your picture at the top of the open Start menu (left).
As described later in this chapter, Windows XP contains a handy hint mechanism for helping you recall your password if you’ve forgotten it: the little ? icon that appears after you click your name on the Welcome screen. When you click that little icon, you’re shown the hint that you provided for yourself—if you provided one—when setting up your account.
But what if, having walked into a low-hanging branch, you’ve completely forgotten both your password and the correct interpretation of your hint? In that disastrous situation, your entire world of work and email would be locked inside the computer forever. (Yes, an administrator could issue you a new password—but as noted in the box on the facing page, you’d lose all your secondary passwords in the process.)
Fortunately, Windows XP offers a clever solution-in-advance: the Password Reset Disk. It’s a floppy disk that you can use like a physical key to unlock your account, in the event of a forgotten password. The catch: You have to make this disk now, while you still remember your password.
To create this disk, choose Start→Control Panel. Open the User Accounts program. If you’re an administrator, click your account name; if not, you can skip this step.
Either way, you should now see a link in the task pane called, “Prevent a forgotten password.” Click that to open the Forgotten Password Wizard shown in Figure 17-5.
When the day comes that you can’t remember your password, your attempts to get past the logon screen will be met by a “Use your Password Reset Disk” link. (If you’ve turned off the standard Welcome screen shown at top in Figure 17-14, you’ll see a Reset button instead.)
When you click that link or button, Windows asks you to insert your Password Reset Disk, and then gives you the opportunity to create a new password (and a new hint to remind you of it). You’re in.
Even though you now have a new password, your existing Password Reset Disk will still be good. Keep it in a drawer somewhere, for use the next time you experience a temporarily blank brain.
Figure 17-5. The screens of this wizard guide you through the process of inserting a blank floppy disk and preparing it to be your master skeleton key. If you forget your password—or if some administrator has changed your password—you can use this disk to reinstate it without the risk of losing all of your secondary passwords (memorized Web passwords, encrypted files, and so on).
It happens: Somebody graduates, somebody gets fired, somebody dumps you. Sooner or later, you may need to delete a user account from your PC.
To delete a user account, you, an administrator, must open the User Accounts program, click the appropriate account name, and then click “Delete the account.”
Windows XP now asks you if you want to preserve the contents of this person’s My Documents folder. If you click the Keep Files button, you’ll find a new folder, named for the dearly departed, on your desktop. (As noted in the dialog box, only the documents, contents of the desktop, and the My Documents folder are preserved—but not programs, email, or even Web favorites.) If that person ever returns to your life, you can create a new account for him and copy these files into the appropriate folder locations.
If you click the Delete Files button, on the other hand, the documents are gone forever.
A few more important points about deleting accounts:
You can’t delete the account you’re logged into.
You can’t delete the last Administrator account. One account must always remain.
You can create a new account with the same name and password as one that you deleted earlier, but in Windows XP’s head, it’s still not the same account. As described in the box on Section 17.3.5, it won’t have any of the original secondary passwords (for Web sites, encrypted files, and so on).
Don’t manipulate accounts manually (by fooling around in the Documents and Settings folder, for example). Create, delete, and rename them only using the User Accounts program in the Control Panel. Otherwise, you’ll wind up with duplicate or triplicate folders in Documents and Settings, with the PC name tacked onto the end of the original account name (Bob, Bob.MILLENNIA, and so on)—a sure recipe for confusion.
FREQUENTLY ASKED QUESTIONLimited Unlimited
OK, OK, I get it: for maximum security, it’s best to create Limited accounts for the people who use my PC. But I’ve got this program, Beekeeper Pro, that doesn’t work right under a Limited account. Now what?
Unfortunately, you have only two alternatives, and neither is particularly convenient.
First, whenever a Limited account holder encounters a place where administrator powers are required, he doesn’t actually have to log out so that you, the administrator, can log on and make changes. Instead, he can just call you over to the PC. He can then right-click the icon of the problem program and, from the shortcut menu, choose “Run as.”
The dialog box shown here appears. You, the administrator, should click “The following user,” and then fill in your own name and password—if, indeed, you feel comfortable permitting your peon limited user to proceed. As far as Windows (and the specific program in question) is concerned, that limited user is now officially an administrator.
That, of course, is a one-shot, temporary solution—a routine that will grow old fast if the limited user has to use that recalcitrant program every single day. In that case, you may have no alternative but to upgrade your colleague to an Administrator account, despite the security downsides.
Tip
If you’re an administrator, don’t miss the Users tab of the Task Manager dialog box (press Ctrl+Alt+Delete to open it). It offers a handy, centralized list of everybody who’s logged into your machine—even those who have dialed in from the road, as described in Chapter 21 —and buttons that let you log them off, disconnect them, or even make a little message pop up on their screens. All of this can be handy whenever you need some information, a troubleshooting session, or a power trip.
It may come as a surprise to a workgroup user that Windows XP provides one more, very special account: an emergency, backup account with full administrator powers. Even if you delete all of your other accounts, this one will still remain, if only to give you some way to get into your machine. It’s an account called Administrator, and it’s ordinarily hidden.
In fact, you’ll generally see it only in times of troubleshooting, when you start up your PC in Safe Mode ( Section 16.8). It’s the ideal account to use in those situations. Not only does it come with no password assigned, but it’s also not limited in any way. It gives you free powers over every file, which is just what you may need to troubleshoot your computer.
Actually, Administrator and Limited aren’t the only kinds of accounts you can set up on your PC.
The third kind, called the Guest account, is ideal for situations where somebody is just visiting you for the day. Rather than create an entire account for this person, complete with password, hint, little picture, and so on, you can just switch on the Guest account.
To do so, open the User Accounts program in the Control Panel. If you’re an administrator, you’ll see an icon for the Guest account at the bottom of the screen (Figure 17-6). Click it; on the next screen, click the button labeled Turn On the Guest Account. That’s all there is to it.
When the visitor to your office is finally out of your hair, healthy paranoia suggests that you turn off the Guest account once again. (To do so, follow precisely the same steps, except click Turn Off the Guest Account in the final step.)