User account management is a core CompTIA A+ 220-1102 skill — creating, modifying, and troubleshooting user accounts in Windows. Technicians manage local accounts, Microsoft accounts, user groups, and access permissions daily. Understanding account types and UAC (User Account Control) ensures proper security without unnecessary restrictions.
Local accounts: stored on the individual computer. Types: Administrator (full control of system — can install software, change settings, manage other accounts), Standard user (can use software and change own settings — cannot install software or change system settings). Guest account: disabled by default in modern Windows — limited access, no password required. Create accounts: Settings → Accounts → Family & other users → Add someone else to this PC, or lusrmgr.msc (Local Users and Groups — not available in Home edition).
Microsoft account: links Windows sign-in to an online Microsoft account (email address). Benefits: settings sync across devices, OneDrive integration, access to Microsoft Store, Find My Device, recovery options. Works without domain. To create: Settings → Accounts → Sign in with a Microsoft account instead. Can switch between local and Microsoft account.
User Account Control (UAC): Windows security feature that requires confirmation before making system changes. When a standard user attempts an admin action, UAC prompts for an administrator password. When an admin user attempts an admin action, UAC prompts for confirmation (elevation). UAC levels: 4 (always notify), 3 (notify only for app changes — default), 2 (notify without darkening desktop), 1 (never notify — dangerous). Disable UAC only in extreme circumstances — it prevents malware from silently making system changes.
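Added example (not part of the original study notes): a PowerShell check that reads the UAC policy values from the registry and reports which of the four levels above the machine is set to. The registry value names are the ones Windows uses; the function name Get-UacLevel is made up for this example.

```powershell
# Added example, not from the original page. Get-UacLevel is a hypothetical helper name.
function Get-UacLevel {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $p      = Get-ItemProperty -Path $Path -ErrorAction Stop
    $admin  = $p.ConsentPromptBehaviorAdmin   # prompt behaviour for administrators
    $user   = $p.ConsentPromptBehaviorUser    # prompt behaviour for standard users
    $secure = $p.PromptOnSecureDesktop        # 1 = darken the desktop while prompting

    # EnableLUA = 0 switches UAC off entirely, whatever the other values say.
    if ($p.EnableLUA -eq 0)                  { $level = 'UAC disabled (EnableLUA = 0)' }
    elseif ($admin -eq 2 -and $secure -eq 1) { $level = '4 (always notify)' }
    elseif ($admin -eq 5 -and $secure -eq 1) { $level = '3 (notify only for app changes, default)' }
    elseif ($admin -eq 5 -and $secure -eq 0) { $level = '2 (notify without darkening desktop)' }
    elseif ($admin -eq 0)                    { $level = '1 (never notify)' }
    else { $level = "custom policy (admin=$admin, secureDesktop=$secure)" }

    # What a standard user sees when an action needs elevation.
    $userText = switch ($user) {
        0       { 'elevation requests are denied automatically' }
        1       { 'credential prompt on the secure desktop' }
        3       { 'credential prompt' }
        default { "unrecognised value ($user)" }
    }

    [pscustomobject]@{
        Level              = $level
        StandardUserPrompt = $userText
        # Flag the two states in which changes can be made without any prompt.
        NeedsReview        = ($p.EnableLUA -eq 0 -or $admin -eq 0)
    }
}

Get-UacLevel | Format-List
```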
Groups: collections of users with the same permissions. Built-in groups: Administrators (full control), Users (standard users), Guests (minimal access), Remote Desktop Users (can connect via RDP), Backup Operators (can backup files regardless of file permissions). Manage via lusrmgr.msc or computer management. Adding a user to a group grants all the group's permissions.
Password policies: require complex passwords, minimum length, and regular changes. Local Security Policy (secpol.msc — Pro/Enterprise) → Account Policies → Password Policy. Requirements: minimum length (8+ characters), complexity (uppercase, lowercase, numbers, symbols), maximum password age (90 days), lockout policy (lock after X failed attempts). On Home edition: use netplwiz or Local Group Policy Editor workarounds.
Account lockout: automatic lockout after repeated failed login attempts prevents brute-force password attacks. Configure: secpol.msc → Account Lockout Policy — threshold (number of attempts), lockout duration, observation window. Unlock a locked account: lusrmgr.msc → Users → right-click user → Properties → uncheck 'Account is locked out.' In Active Directory: Active Directory Users and Computers.
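Added example (not part of the original study notes): a PowerShell audit of the password policy and account lockout settings described above, exported with secedit from an elevated prompt. The pass criteria are the values listed above (8+ characters, complexity, 90 days, a lockout threshold); the function names are made up for this example.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# Run from an elevated PowerShell prompt: secedit needs administrator rights.
function Get-AccountPolicy {
    $cfg = Join-Path $env:TEMP "secpol-$PID.inf"
    try {
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }

        # Keep only simple "Name = number" lines, e.g. "MinimumPasswordLength = 8".
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $rules = [ordered]@{
        MinimumPasswordLength = { $_ -ge 8 }                # 8+ characters
        PasswordComplexity    = { $_ -eq 1 }                # 1 = complexity enabled
        MaximumPasswordAge    = { $_ -ge 1 -and $_ -le 90 } # -1 = passwords never expire
        LockoutBadCount       = { $_ -gt 0 }                # 0 = lockout is switched off
    }
    foreach ($name in $rules.Keys) {
        $value = $Policy[$name]
        [pscustomobject]@{
            Setting = $name
            Value   = $value
            Pass    = [bool]($value | ForEach-Object $rules[$name])
        }
    }
}

$policy = Get-AccountPolicy
Test-AccountPolicy -Policy $policy | Format-Table -AutoSize

# Lockout duration and observation window (minutes) are only exported
# when a lockout threshold is set.
'LockoutDuration', 'ResetLockoutCount' | ForEach-Object { "{0} = {1}" -f $_, $policy[$_] }
```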
Profile types: local profile — stored on the local PC only (roaming profile requires domain). Mandatory profile — read-only profile assigned to multiple users (kiosk use — changes don't persist). Default profile: C:\Users\Default — template for new user profiles. User data stored in C:\Users\[username].
Credential Manager: Windows vault that stores saved credentials for websites and network shares. Open it from Control Panel → Credential Manager (or run cmdkey /list in a command prompt). Useful when a wrong saved password is preventing network share access: remove the stored credential and re-authenticate.
Common misconception: All users should have administrator accounts for convenience.
The principle of least privilege requires giving users only the minimum permissions needed for their job. Standard user accounts prevent malware from making system-wide changes (requires admin elevation via UAC). Even IT technicians should use a standard account for daily tasks and switch to admin only when needed. Administrator accounts that are used for daily browsing and email are far more dangerous when compromised by malware.
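Added example (not part of the original study notes): a PowerShell audit that lists who is in the local Administrators group (see the Groups notes above) and moves an account back to standard-user membership, as least privilege calls for. The function names and the account name 'alex' are made up for this example.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# S-1-5-32-544 and S-1-5-32-545 are the well-known SIDs of the built-in
# Administrators and Users groups, so the lookups work in any display language.
$AdminsSid = 'S-1-5-32-544'
$UsersSid  = 'S-1-5-32-545'

function Get-LocalAdminAudit {
    foreach ($m in Get-LocalGroupMember -SID $AdminsSid) {
        # Only local accounts resolve here; domain and Microsoft accounts return nothing.
        $local = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $m.Name
            Class     = $m.ObjectClass               # User or Group
            Source    = $m.PrincipalSource           # Local, ActiveDirectory, MicrosoftAccount, ...
            BuiltIn   = $m.SID.Value -match '-500$'  # RID 500 is the built-in Administrator
            Enabled   = if ($local) { $local.Enabled }
            LastLogon = if ($local) { $local.LastLogon }
        }
    }
}

function Convert-ToStandardUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    # Refuse to demote the only enabled local administrator.
    $others = Get-LocalAdminAudit |
        Where-Object { $_.Enabled -and ($_.Name -split '\\')[-1] -ne $Name }
    if (-not $others) { throw "Removing '$Name' would leave no enabled local administrator." }

    if ($PSCmdlet.ShouldProcess($Name, 'Move from Administrators to Users')) {
        # Add to Users first so the account is never left without a group.
        Add-LocalGroupMember -SID $UsersSid -Member $Name -ErrorAction SilentlyContinue
        Remove-LocalGroupMember -SID $AdminsSid -Member $Name
    }
}

# Enabled administrator accounts other than the built-in one: candidates for review.
Get-LocalAdminAudit | Where-Object { $_.Enabled -and -not $_.BuiltIn } | Format-Table -AutoSize

# Constructed account name; -WhatIf shows the change without making it.
# Convert-ToStandardUser -Name 'alex' -WhatIf
```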
These questions are representative of what you will see on A+ exams. The correct answer and explanation are shown immediately below each question.
A standard user account on a Windows 10 PC attempts to install a new application and receives a UAC prompt asking for administrator credentials. The IT department does not want this user to be able to install software. Which action is MOST appropriate?
Explanation: The correct response is to decline and not provide admin credentials. The user is a standard user — the policy is to prevent software installation. UAC is working correctly by prompting for admin credentials (the user doesn't have them). Providing admin credentials defeats the purpose of the standard account. Disabling UAC would allow silent system changes without any prompts — a significant security regression. Creating a new account doesn't solve the underlying policy question.
Local account: credentials stored only on the local computer. No internet connection required. No sync. Good for: privacy-conscious users, computers that don't need internet-tied features, kiosk/shared computers. Microsoft account: uses a Microsoft email address (Outlook, Hotmail, Live) as credentials. Authenticated against Microsoft servers. Benefits: settings sync across devices, access to Microsoft Store, OneDrive integration, Find My Device, account recovery options. Required for: Microsoft Store app purchases, some Microsoft 365 features. Can be linked to Windows Hello (PIN, fingerprint, face) for local login while keeping the online account benefits.