Windows User Accounts and Groups

Windows user accounts and groups are the foundation of authentication and authorization in Windows operating systems. A user account is a unique identity that allows a person or service to log on to a Windows system and access resources. Each account has a Security Identifier (SID) — a unique, immutable number that Windows uses internally to track permissions, not the username. Groups are collections of user accounts that simplify permission management: instead of assigning permissions to each user individually, you assign permissions to a group, and all members inherit those permissions.

Windows supports two primary categories of user accounts: local accounts and domain accounts. Local accounts are stored in the Security Accounts Manager (SAM) database on a single computer and are only valid on that machine. Domain accounts are stored in Active Directory (AD) and can be used across multiple computers in a network. The CompTIA A+ 220-1102 exam focuses heavily on local accounts and the built-in accounts that come with Windows.

Built-in Local Accounts: - Administrator: The most powerful account. It has full control over the system, including the ability to install software, change system settings, and manage other users. By default, the built-in Administrator account is disabled in Windows 10/11 for security reasons. It has a well-known SID: S-1-5-21-...-500. - Guest: A limited account for temporary access. It is disabled by default. Even when enabled, it has restricted permissions (e.g., cannot install software or change system settings). Its SID ends with -501. - DefaultAccount: A built-in account used by the system for running services and tasks. It is not meant for interactive logon.

User Account Control (UAC): UAC is a security feature that prevents unauthorized changes to the operating system. When an administrator logs in, they receive two access tokens: one with standard user privileges and one with administrator privileges. By default, standard user operations use the standard token. When an operation requires administrative rights (e.g., installing software, changing system settings), UAC prompts the user for consent (for administrators) or credentials (for standard users). This prompt is called a 'consent prompt' or 'credential prompt'. The prompt appears on the Secure Desktop, a protected desktop that prevents other programs from interfering.

Groups can be local (stored in SAM) or domain (stored in AD). The 220-1102 exam focuses on local groups. Groups have a specific scope that determines where they can be used.

Built-in Local Groups: - Administrators: Members have full control over the computer. The built-in Administrator account is a member by default. - Users: Members can run applications, use printers, and shut down the computer, but cannot make system-wide changes or install software that affects other users. - Guests: Members have the same rights as the Users group, but the Guest account is a member by default. Additional restrictions apply (e.g., no ability to create a password). - Power Users: In older Windows versions (XP/2000), this group had elevated privileges but less than Administrators. In Windows 10/11, Power Users is retained for backward compatibility but has no special privileges by default. - Remote Desktop Users: Members can log on remotely using Remote Desktop. - Backup Operators: Members can back up and restore files regardless of file permissions, but cannot change security settings. - Network Configuration Operators: Members can change TCP/IP settings. - Performance Log Users: Members can manage performance counters, logs, and alerts. - Performance Monitor Users: Members can access performance monitoring data. - Hyper-V Administrators: Members have full access to Hyper-V features.

Special Identity Groups (not visible in GUI): - Everyone: Includes all users, including guests and anonymous users. - Authenticated Users: Includes all users who have logged on with a valid username and password (excludes Guest if not authenticated). - Interactive: Users who log on locally. - Network: Users who access the computer over the network. - Creator Owner: The user who created a file or folder.

When a user logs on to Windows, the following process occurs: 1. The user provides credentials (username and password, or smart card, or biometric). 2. The Local Security Authority (LSA) validates the credentials against the SAM database (for local accounts) or against Active Directory (for domain accounts). 3. If authentication succeeds, the LSA creates an access token. This token contains the user's SID, the SIDs of all groups the user belongs to, and the user's privileges. 4. Every process launched by the user inherits a copy of this token. 5. When the process tries to access an object (file, registry key, printer), Windows compares the token's SIDs against the object's Access Control List (ACL). If a matching Allow entry is found, access is granted; if a Deny entry is found, access is denied. Deny entries always override Allow entries.

Local Users and Groups MMC Snap-in (lusrmgr.msc): - Available in Windows Pro, Enterprise, and Education editions (not in Windows Home). - To open: Press Win+R, type lusrmgr.msc, and press Enter. - Under 'Users', you can create, disable, rename, and delete local user accounts. You can also set passwords and manage group memberships. - Under 'Groups', you can create new local groups and add/remove members.

Computer Management Console: - Right-click 'This PC' > Manage > Local Users and Groups. - Alternatively, open compmgmt.msc.

Settings App (Windows 10/11): - For basic user management: Settings > Accounts > Family & other users. - You can add new users, change account types (Standard or Administrator), and set up password reset disks.

net user command: - net user : Lists all user accounts. - net user username password /add : Creates a new user account with password. - net user username /delete : Deletes a user account. - net user username /active:yes : Enables a disabled account. - net user username * : Prompts to set/change password.

net localgroup command: - net localgroup : Lists all local groups. - net localgroup groupname /add : Creates a new local group. - net localgroup groupname username /add : Adds a user to a group. - net localgroup groupname username /delete : Removes a user from a group.

WMIC (Windows Management Instrumentation Command-line): - wmic useraccount get name,sid : Lists all user accounts with their SIDs. - wmic group where name='Administrators' get name,sid : Gets SID of a group.

PowerShell cmdlets: - Get-LocalUser : Lists local user accounts. - New-LocalUser -Name "username" -Password (ConvertTo-SecureString "password" -AsPlainText -Force) : Creates a new local user. - Add-LocalGroupMember -Group "Administrators" -Member "username" : Adds user to group. - Get-LocalGroup : Lists local groups.

UAC is a mandatory access control mechanism that restricts application permissions. When an administrator logs in, Windows creates two tokens: a filtered token with standard user privileges and a full token with administrator privileges. By default, applications run with the filtered token. When an application requires administrator privileges, Windows checks if the executable is marked as 'requireAdministrator' in its manifest. If so, UAC prompts for consent (for administrators) or credentials (for standard users). The prompt appears on the Secure Desktop, which is a separate desktop that only the operating system can access. This prevents malicious software from mimicking the prompt.

UAC Levels: - Always notify (highest): Prompts for all changes, including Windows settings. - Notify me only when apps try to make changes to my computer (default): Prompts only when a program tries to make system changes. - Notify me only when apps try to make changes (do not dim my desktop): Same as default but without Secure Desktop. - Never notify (lowest): UAC is effectively disabled (not recommended).

To change UAC settings: Control Panel > User Accounts > Change User Account Control settings.

Windows enforces password policies that are configured in Local Security Policy (secpol.msc) or Group Policy. Key settings: - Enforce password history: Remember a set number of previous passwords to prevent reuse (default: 0 in standalone, 24 in domain). - Maximum password age: How long a password can be used before it must be changed (default: 42 days in domain, 0 = never expire in standalone). - Minimum password age: How long a password must be used before it can be changed (default: 0 in standalone, 1 day in domain). - Minimum password length: Minimum number of characters (default: 0 in standalone, 7 in domain). - Password must meet complexity requirements: Requires passwords to have three of four character types (uppercase, lowercase, digits, non-alphanumeric). Enabled by default in domain, disabled in standalone. - Account lockout threshold: Number of failed logon attempts before account is locked (default: 0 = never lock). - Account lockout duration: Minutes the account remains locked (default: 30 minutes). - Reset account lockout counter after: Minutes after which the failed attempt counter resets (default: 30 minutes).

Each user account has a profile that stores personal settings, documents, and configuration. Profiles are stored in C:\Users\<username>. There are three types: - Local profile: Created when a user logs on for the first time. Stored locally. - Roaming profile: Stored on a network server and downloaded to any computer the user logs on to (used in domain environments). - Mandatory profile: A read-only roaming profile that users cannot change.

In a domain environment, user accounts are stored in Active Directory. The local SAM is not used for domain accounts. Domain users can log on to any domain-joined computer using their domain credentials. The computer must trust the domain controller. Group Policy Objects (GPOs) apply settings to users and computers. The 220-1102 exam expects you to know the difference between local and domain accounts, but does not require deep Active Directory knowledge.

In enterprise environments, managing user accounts and groups is a daily task for IT support. Here are three common scenarios:

Scenario 1: Onboarding a New Employee When a new employee joins, the IT administrator creates a domain user account in Active Directory (not local). The account is added to appropriate security groups (e.g., 'Sales', 'VPN Users', 'FileShare_ReadWrite'). The user logs on to their assigned computer using domain credentials. The computer must be domain-joined. If the computer is not domain-joined, a local account is created instead. The administrator must ensure the account has a strong initial password and that 'User must change password at next logon' is checked. Common mistakes: forgetting to add the user to the correct groups, leading to access denied errors; or leaving the password never expire, violating security policy.

Scenario 2: Troubleshooting 'Access Denied' A user reports they cannot access a shared folder. The helpdesk checks the folder's permissions: the folder grants 'Modify' to the 'Finance' group. The user is not in the Finance group. Solution: Add the user to the Finance group (via AD or local group). Alternatively, if the user needs temporary access, the administrator can use 'Effective Access' tab in Advanced Security Settings to check which permissions the user actually has. Another common issue: the user has multiple group memberships that conflict — a Deny entry for one group overrides Allow entries from other groups. The administrator must examine the user's token using whoami /groups or gpresult /r.

Scenario 3: Securing a Shared Computer In a lab or kiosk environment, multiple users share a single Windows computer. The administrator creates local standard user accounts for each user. To prevent users from installing software or changing system settings, the accounts are placed only in the Users group, not Administrators. UAC is set to the default level. Additionally, Group Policy (or Local Group Policy) can restrict access to Control Panel, prevent command prompt, and set a time limit for logon sessions. The Guest account is kept disabled. If a user needs temporary access, a guest account can be enabled but with strict limitations. Performance considerations: too many user profiles can consume disk space; profiles can be deleted via System Properties > Advanced > User Profiles > Settings.

Common misconfigurations: - Giving a user administrative privileges unnecessarily (e.g., to install a printer driver). This exposes the system to malware and accidental changes. Instead, use Group Policy to deploy drivers or provide the user with a one-time admin password via LAPS (Local Administrator Password Solution). - Not disabling old accounts when employees leave. This creates security holes. Automated scripts or HR integration should disable accounts upon termination. - Setting passwords that never expire on service accounts. This violates security best practices; service accounts should have long, complex passwords that are rotated regularly.