User management in Windows

1. Introduction

An account is the set of data about a user that is needed to authenticate them and give them access to their personal data and settings. An account therefore consists of a username and a password (or another means of authentication). The password is often encrypted or hashed. An account can also store the user's photo or another image, and record the user's age and various statistical characteristics of the user's behavior in the system.

It is not uncommon for several users to work on the same computer. On Linux, it is more convenient to manage users on the command line. The Microsoft family of operating systems offers command-line management as well, alongside the GUI (Graphical User Interface).

Account management is one of the primary responsibilities of a system administrator. It is very convenient to combine users into groups and to set their access rights according to, for example, their position in the company. This directly affects the security of the information system.

2. Account management via lusrmgr.msc

Immediately after installing Windows, we start working with Administrator rights. These rights allow us, for example, to create, modify and delete other accounts and to perform any operation needed to configure the system.

The lusrmgr.msc snap-in is used to manage accounts (Fig. 1). We can open it by entering its name in the "Run" command field or in the system search.

Figure. 1. lusrmgr.msc window

In order to create an account, you need to do the following:

  1. Go to the "Users" folder (Fig. 2).
  2. In the menu bar, select "Action", then "New User".
  3. Fill in the required "User" field, and the remaining fields if necessary (Fig. 3).

Figure. 2. OS users

Figure. 3. User creation

A user group is a collection of user accounts that have the same rights and security permissions. The user account must be a member of at least one user group.

Different users have different needs, and the administrator can grant the necessary permissions and set the necessary prohibitions. If we have many users, it is more convenient to assign rights to user groups rather than to individual users. Windows has several built-in groups: Administrators, Users, Power Users, Backup Operators, Guests, Remote Desktop Users, DHCP Administrators, DHCP Users, and WINS Users. We can also create our own group. To do this:

  1. Go to the "Groups" folder (Fig. 4).
  2. In the menu bar, select "Action", then "Create Group".
  3. Fill in the required "Group Name" field, and the remaining fields if necessary (Fig. 5.1 - 5.2).

Figure. 4. List of all groups

Figure. 5.1. Create a group

Figure. 5.2. Adding users to a group

You can view which groups a user belongs to in the Users folder by right-clicking on the user, then selecting Properties, Group Memberships. If we go to the "General" tab, we can manage the user's password, and also, if necessary, disable the account (Fig. 6).

Figure. 6. Management in the "General" tab

The administrator can also set password time limits with the gpedit.msc snap-in. In it, go to "Computer Configuration", "Windows Configuration", "Security Settings", "Account Policy", "Password Policy" (Fig. 7).

Figure. 7. Changing the password expiration time

3. Account management via cmd

As mentioned earlier, we can also manage accounts through the command line. To begin with, we run the commands whoami and whoami /user (Fig. 8). The first displays information about the current user; the second additionally shows the SID (security identifier). A SID is a variable-length data structure that identifies a user, group, domain, or computer account. The last 4 digits indicate the object's relative security identifier (RID). The 3 sets of numbers before the RID are the SID itself.

Figure. 8. whoami and whoami /user
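
The SID string printed by whoami /user can be split into its fields in a few lines. The following Python sketch is an added example, not part of the original article; the SID value in it is constructed, and it goes beyond the user SID shown above by also handling built-in SIDs such as S-1-5-32-544.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

ACCOUNT_RIDS = {500: "Administrator", 501: "Guest"}    # under S-1-5-21-<machine or domain>
BUILTIN_RIDS = {544: "Administrators", 545: "Users"}   # under S-1-5-32 (BUILTIN)

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        # The RID is the final sub-authority, however many digits it has.
        return self.sub_authorities[-1]

    @property
    def issuer(self) -> Optional[str]:
        # Everything before the RID: the machine, domain or built-in domain that issued it.
        if len(self.sub_authorities) < 2:
            return None
        head = (self.revision, self.authority) + self.sub_authorities[:-1]
        return "S-" + "-".join(map(str, head))

    @property
    def is_account_sid(self) -> bool:
        # S-1-5-21-x-y-z-RID: NT authority 5, sub-authority 21, three issuer numbers, RID.
        s = self.sub_authorities
        return self.authority == 5 and len(s) == 5 and s[0] == 21

    @property
    def well_known_name(self) -> Optional[str]:
        if self.is_account_sid:
            return ACCOUNT_RIDS.get(self.rid)
        return BUILTIN_RIDS.get(self.rid) if self.issuer == "S-1-5-32" else None

def parse_sid(text: str) -> Sid:
    """Parse the string form of a SID, as printed by `whoami /user`."""
    text = text.strip()
    if not re.fullmatch(r"[Ss]-\d+(?:-\d+){2,}", text, re.ASCII):
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, *subs = (int(p) for p in text.split("-")[1:])
    if revision != 1 or authority >= 2**48 or len(subs) > 15 or max(subs) >= 2**32:
        raise ValueError(f"SID field out of range: {text!r}")
    return Sid(revision, authority, tuple(subs))

if __name__ == "__main__":
    print(parse_sid("S-1-5-21-1004336348-1177238915-682003330-1001"))  # constructed sample
```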

For further account management, we need the net user command. With it, we can:

  • add an account (net user NAME PASSWORD /ADD) (Fig. 9.1);
  • add account password (net user NAME PASSWORD) (Fig. 9.4);
  • rename account (wmic useraccount where name='NAME' rename 'NEWNAME') (Fig. 9.2);
  • view account information (net user NAME) (Fig. 9.3);
  • change account password (net user NAME NEW_PASSWORD);
  • disable account (net user NAME /active:no);
  • delete an account (net user NAME /delete) (Fig. 9.5).

Figure. 9.1. Adding an account

Figure. 9.2. Adding an account

Figure. 9.3. Adding an account

Figure. 9.4. Adding a password to an account

Figure. 9.5. Deleting an account

To work with groups, you must use the net localgroup command. For example, with it we can:

  • list all local groups (net localgroup);
  • add local group (net localgroup GROUPNAME /add);
  • add existing user accounts to a group (net localgroup GROUPNAME USERNAME1 USERNAME2 /add /domain);
  • display a list of users in a local group (net localgroup GROUPNAME).
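
The fields printed by net user NAME are what an administrator reads when reviewing an account. The following Python example is added here and is not from the original article: it parses a constructed, abridged sample of English-locale net user output and reports an enabled account whose password is not required, whose password never expires, or that belongs to Administrators. The function names and the sample output are assumptions made for the illustration.

```python
import re

# Constructed, abridged English-locale output of `net user alice` (not from a real host).
SAMPLE = """\
User name                    alice
Full Name
Account active               Yes
Password expires             Never
Password required            No
Local Group Memberships      *Administrators       *Remote Desktop Users
                             *Users
Global Group memberships     *None
The command completed successfully.
"""

def parse_net_user(output):
    """Map each label of `net user NAME` output to its value."""
    fields, last = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last:   # wrapped group list continues the previous label
            fields[last] += " " + line.strip()
            continue
        # Label and value are separated by a run of at least two spaces.
        m = re.match(r"(\S.*?)(?:\s{2,}(.*))?$", line.strip())
        last = m.group(1)
        fields[last] = (m.group(2) or "").strip()
    return fields

def local_groups(fields):
    # Names are prefixed with '*' and may contain spaces, so split on '*', not whitespace.
    value = fields.get("Local Group Memberships", "")
    return [g.strip() for g in value.split("*") if g.strip()]

def audit_account(output):
    """Return findings for an enabled account; a disabled account yields none."""
    f = parse_net_user(output)
    if f.get("Account active", "").lower() != "yes":
        return []
    findings = []
    if f.get("Password required", "").lower() == "no":
        findings.append("password not required")
    if f.get("Password expires", "").lower() == "never":
        findings.append("password never expires")
    if "Administrators" in local_groups(f):
        findings.append("member of Administrators")
    return findings

if __name__ == "__main__":
    print(audit_account(SAMPLE))
```

On a live system the same functions can be fed the captured output of net user NAME; the labels differ on non-English installations.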

4. Conclusion

Thus, having become familiar with the basics of user management in the Windows operating system, we can draw the following conclusions:

Creating an account, changing an account password, and many other actions can be performed both through various snap-ins and through the command line. In the second case, we can use, for example, the net user command. Changes to groups can likewise be made in either of the two ways described above.

To ensure information security, accounts should be sorted into groups, on which restrictions of rights can be set (for example, on viewing certain folders).

Ian L. Dolganov
Student of Applied Informatics

My research interests are in OS administration and various programming languages.