Be sure to understand the difference between accounts, profiles and sessions.
Accounts
A user account is someone's identity. It contains user-specific information, including the username and password, and where to find the profile. It is used for authentication and authorization. Accounts are stored either in the local Security Account Manager (SAM) database if the computer is in a workgroup, or in the Active Directory database if it is joined to a domain.
There are several ways to create, change and delete local accounts - for example:
- Open the Control Panel and launch "User Accounts". This gives you some basic options to manage and create accounts.
- Execute the command lusrmgr in Command Prompt (or run lusrmgr.msc) to open the Local Users and Groups MMC console. This only works in Windows Pro, but it gives you more options.
Each account has an associated security identifier (SID). If you delete an account and recreate it with the same username, the SID will be different.
When you disable a local account, it no longer appears among the accounts you can choose on the logon screen.
If you delete an account, this does not delete the user's profile.
If an administrator resets the password of a local user and that user has encrypted data with EFS, the user will lose access to that data! (The EFS key material is protected by the user's password, so only a password change made by the user themselves preserves it.)
The Guest account gives access to resources without logging in with a personal account. For security reasons, it's best to disable the Guest account.
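An added PowerShell example (not part of the original notes) that puts the points above into practice: it lists the local accounts with their SIDs, identifies the Guest account by its RID (the last SID component, 501) rather than by its name, disables it if it is still enabled, and flags enabled accounts that have no password requirement. It assumes Windows 10 / Server 2016 or later (the LocalAccounts module) and an elevated shell.

```powershell
# Added example (not part of the original notes): inventory local accounts with
# their SID and state, and enforce the "Guest disabled" recommendation.
# Assumes Windows 10 / Server 2016 or later (LocalAccounts module) and an elevated shell.

$accounts = Get-LocalUser | Select-Object Name, SID, Enabled, PasswordRequired, LastLogon

# Show the inventory. The last component of the SID (the RID) identifies the account:
# 500 = built-in Administrator, 501 = built-in Guest, 1000 and up = accounts you created.
# A deleted and recreated account receives a new RID, which is why its SID differs.
$accounts | Format-Table -AutoSize

# Match Guest on its RID rather than on its name, since the account can be renamed.
$guest = $accounts | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

if ($guest -and $guest.Enabled) {
    Write-Warning "Guest account '$($guest.Name)' is enabled - disabling it."
    Disable-LocalUser -SID $guest.SID
} else {
    Write-Host "Guest account is disabled."
}

# Enabled accounts that do not require a password can be logged into with an empty password.
$accounts | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    Write-Warning "Account '$($_.Name)' is enabled and has no password requirement."
}
```

Matching on the RID instead of the display name is the point worth keeping: renaming Guest is a common hardening step, and a check that looks for the literal name "Guest" would then report nothing.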
Groups
Groups are used for giving permissions to users.
Each user belongs to one or more groups.
You can check which groups a user belongs to by running lusrmgr and looking at the properties of the user – go to the "Member of…" tab to list the groups.
There are three types of groups:
- Predefined: groups that are automatically installed and whose members can be modified (e.g. "backup operators", "administrators")
- Standard: groups that you create
- System: groups installed by default and whose members cannot be modified (e.g. Interactive, Console Logon, This Organization, NTLM Authentication, Owner, Everyone)
It's best practice to check that the user's day-to-day account is not a member of the local Administrators group. Allowing the user to work only in a standard user context drastically reduces the security risk.
For laptop users, you can additionally create a separate account with administrative rights, to be used only when they need elevated rights while away from the office.
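The check described above as an added PowerShell example (not part of the original notes): it lists every member of the local Administrators group, reports enabled local user accounts other than the built-in Administrator (RID 500), and previews their removal with -WhatIf. The separate admin-only account for laptop users is sketched at the end; 'LaptopAdmin' is a placeholder name chosen for this example. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later.

```powershell
# Added example (not part of the original notes): audit the local Administrators group
# and report any enabled local user in it other than the built-in Administrator (RID 500).
# Assumes an elevated PowerShell on Windows 10 / Server 2016 or later.

$members = Get-LocalGroupMember -Group 'Administrators'

# Full listing first: domain users and groups show up with PrincipalSource 'ActiveDirectory'.
$members | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

$findings = foreach ($m in $members) {
    # Only local user accounts can be resolved with Get-LocalUser; skip groups and domain principals.
    if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') { continue }

    $user = Get-LocalUser -SID $m.SID
    $isBuiltInAdmin = $m.SID.Value -like 'S-1-5-21-*-500'

    if ($user.Enabled -and -not $isBuiltInAdmin) {
        [pscustomobject]@{ Name = $user.Name; SID = $m.SID.Value; LastLogon = $user.LastLogon }
    }
}

if ($findings) {
    Write-Warning "Enabled local users with administrative rights:"
    $findings | Format-Table -AutoSize
    # Preview the remediation; drop -WhatIf once you have confirmed the list.
    $findings | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.SID -WhatIf }
} else {
    Write-Host "No day-to-day local accounts hold administrative rights."
}

# For laptop users who occasionally need elevation, a separate admin-only account keeps the
# daily account unprivileged. 'LaptopAdmin' is a placeholder name chosen for this example.
# New-LocalUser -Name 'LaptopAdmin' -Password (Read-Host -AsSecureString 'Password') |
#     Add-LocalGroupMember -Group 'Administrators'
```

The built-in Administrator is excluded by RID, not by name, for the same reason as Guest above: it is frequently renamed. Domain members of the group are printed in the full listing but not resolved, since Get-LocalUser only knows the SAM database.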
Profiles
A user profile is a collection of user-specific data and settings that personalize their Windows environment. It includes information such as desktop settings, user's preferences and data.
It can either be a local profile (stored on the local computer) or a roaming profile (stored on a network server and synchronized across multiple computers).
Profiles are stored in C:\Users.
The profile contains a hidden file called NTUSER.DAT, which stores all the registry settings of that user.
- In Users\ the "Public" folder is equivalent to "all users".
- Users\Public\Desktop is a hidden folder containing desktop items available to all users.
- To access the Start menu for all users, go to: C:\ProgramData\Microsoft\Windows\Start Menu\.
- The hidden folder Users\Default contains the template profile which is copied for each new profile. If you want a shortcut to be available in all newly created profiles, save it in Default.
- There is a hidden "folder" named "Documents and Settings", but it is just a link to C:\Users (kept only for backward compatibility).
- There is a hidden "folder" named "all users" but it is a link to the "Public" folder.
- There is a hidden "folder" named "default user" but it is a link to the "Default" folder.
If you try to delete a profile by just deleting its folder (e.g. C:\Users\username), it will leave entries behind in the registry, which may cause problems later (for example a temporary profile being created at the next logon).
The proper way to delete a profile is through Advanced system settings\User Profiles\Settings.
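An added PowerShell example (not part of the original notes) showing both halves of this: it reads the ProfileList registry key, flags entries whose profile folder no longer exists (the leftovers from a hand-deleted C:\Users folder), and then shows the scripted equivalent of the User Profiles dialog, which removes the folder and the registry entry together. It assumes an elevated shell; 'olduser' is a placeholder name chosen for this example, and the deletion is run with -WhatIf so it only previews.

```powershell
# Added example (not part of the original notes): find profile entries in the registry
# whose folder no longer exists, and show the scripted equivalent of the User Profiles
# dialog for removing a profile properly.
# Assumes an elevated PowerShell; 'olduser' is a placeholder name chosen for this example.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$entries = Get-ChildItem -Path $profileList | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    $path = [Environment]::ExpandEnvironmentVariables($path)   # system profiles use %systemroot%
    [pscustomobject]@{
        SID          = $_.PSChildName
        ProfilePath  = $path
        FolderExists = Test-Path -LiteralPath $path
    }
}

$entries | Format-Table -AutoSize

# Normal user SIDs start with S-1-5-21; an entry with no folder behind it is an orphan.
$orphans = $entries | Where-Object { $_.SID -like 'S-1-5-21-*' -and -not $_.FolderExists }
foreach ($o in $orphans) {
    Write-Warning "Orphaned profile entry $($o.SID) -> $($o.ProfilePath)"
}

# Proper removal: deleting the Win32_UserProfile instance removes the folder AND the
# registry entry, which is what Advanced system settings > User Profiles > Settings > Delete does.
# Loaded (logged-on) and Special (system) profiles are excluded; -WhatIf only previews.
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.LocalPath -eq 'C:\Users\olduser' -and -not $_.Loaded -and -not $_.Special } |
    Remove-CimInstance -WhatIf
```

The orphan check is the part that matters when you inherit a machine: a ProfileList entry pointing at a missing folder is exactly the state the text warns about, and Windows will create a temporary profile for that SID at the next logon until the entry is cleaned up.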
To find programs which are launched automatically during startup, go to this folder in the user profile:
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
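An added PowerShell example (not part of the original notes) that enumerates that Startup folder in every profile on the machine, together with the all-users Startup folder under C:\ProgramData, and resolves what each shortcut actually launches. It includes the hidden Default profile, since anything placed there is copied into every new profile, and skips the "All Users" and "Default User" junctions so nothing is counted twice. It assumes profiles live in C:\Users and an elevated shell to read other users' folders.

```powershell
# Added example (not part of the original notes): list the Startup folder contents of
# every profile plus the all-users Startup folder, resolving shortcut targets.
# Assumes profiles live in C:\Users (the default) and an elevated shell.

$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

$locations = @(
    [pscustomobject]@{ Scope = 'All users'; Folder = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" }
)

# -Force includes hidden profiles such as Default (the template copied for every new profile);
# reparse points are skipped so the 'All Users' and 'Default User' junctions are not counted twice.
$locations += Get-ChildItem -Path 'C:\Users' -Directory -Force |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0 } |
    ForEach-Object { [pscustomobject]@{ Scope = $_.Name; Folder = Join-Path $_.FullName $startupRel } }

$shell = New-Object -ComObject WScript.Shell   # used to read .lnk targets

$items = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Folder)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $loc.Folder -File -Force | Where-Object Name -ne 'desktop.ini') {
        $target = if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        } else {
            $file.FullName   # scripts, executables or documents dropped directly into the folder
        }
        [pscustomobject]@{
            Profile  = $loc.Scope
            Item     = $file.Name
            Target   = $target
            Modified = $file.LastWriteTime
        }
    }
}

if ($items) { $items | Sort-Object Profile, Item | Format-Table -AutoSize }
else        { Write-Host "No startup items found in any profile." }
```

Resolving the target is the useful step: a shortcut named after a legitimate program can point anywhere, and the Arguments field is where a launcher such as a script interpreter gets told what to run.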
You might be in a situation where you need to browse another user's profile to access their data, but you do not want to reset their Windows password. You can do this from the local admin profile: you will need to take ownership of the folders and change their permissions. This article explains how to proceed.
Sessions
A session in Windows refers to the interactive period of time during which a user is logged into the system and actively using it. It contains all of the processes and other system objects that represent a single user’s logon session. These objects include the windows the user opens, the desktop and so on.
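An added PowerShell example (not part of the original notes) that makes the session concept visible on a running machine: it lists the interactive logon sessions with the account that owns each one, then groups the running processes by session ID so you can see which session holds a user's explorer.exe and windows. Session 0 hosts services; interactive users sit in session 1 and above. It assumes an elevated shell, which Get-Process -IncludeUserName requires.

```powershell
# Added example (not part of the original notes): show what a session contains - the
# interactive logon sessions and the processes grouped by session ID.
# Assumes an elevated PowerShell (needed for Get-Process -IncludeUserName).

# Logon types of interest: 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
$logonTypes = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

Get-CimInstance -ClassName Win32_LogonSession |
    Where-Object { $logonTypes.ContainsKey([int]$_.LogonType) } |
    ForEach-Object {
        # Win32_LoggedOnUser links each logon session to the account that owns it.
        $account = Get-CimAssociatedInstance -InputObject $_ -Association Win32_LoggedOnUser
        [pscustomobject]@{
            LogonId   = $_.LogonId
            Type      = $logonTypes[[int]$_.LogonType]
            User      = ($account | ForEach-Object { "$($_.Domain)\$($_.Name)" }) -join ', '
            StartTime = $_.StartTime
        }
    } | Format-Table -AutoSize

# Processes by session: session 0 hosts services and system processes; each interactive
# user's processes (explorer.exe, the windows they open, and so on) sit in session 1 or higher.
Get-Process -IncludeUserName |
    Group-Object SessionId |
    ForEach-Object {
        [pscustomobject]@{
            SessionId = $_.Name
            Processes = $_.Count
            Users     = ($_.Group.UserName | Where-Object { $_ } | Sort-Object -Unique) -join ', '
            Sample    = ($_.Group | Select-Object -First 5 -ExpandProperty ProcessName) -join ', '
        }
    } | Format-Table -AutoSize
```

For a quick interactive view without a script, `query user` (alias `quser`) prints the same sessions with their state and idle time; the script above is the version you would keep when you want the data as objects for comparison or logging.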