Chapter 18
Managing User Accounts and Parental
In Windows Vista, you use user accounts to manage access to your computer and
parental controls to manage the types of content users can access while logged on.
User accounts and parental controls are the two main areas of the operating system
where you’ll have entirely different sets of features and functions at home and at the
office. At home, you’ll use local accounts on your computer and you’ll have full
access to parental controls. While you are logged on to your computer with a local
account, local computer security is applied to your account through Local Group
Policy and through other local computer security components.
On the other hand, at the office, your computer will typically be a member of a
domain and you’ll typically use domain accounts to log on to computers and the net-
work. While you are logged on to the network with a domain account, domain secu-
rity is applied to your account through Active Directory Group Policy and through
other domain security components. Although you can log on to a domain computer
using a local account, some of the domain security changes will still affect what you
can do and how you can work with user accounts.
When working with domain computers, one of the biggest changes you’ll notice is
that there are no parental controls, and this remains true whether you log on with a
local account or a domain account. Another big change is in the available options for
managing local computer accounts. Local computer account options for domain
computers are completely different from the options for managing local computer
accounts on nondomain computers.
Managing Access to Your Computer
Windows Vista provides user accounts and group accounts. User accounts are
designed for individuals. Group accounts, usually referred to as groups, have users as
members and are used to manage the file access permissions and privileges of multi-
ple users. Although you can log on to a user account, you can’t log on to a group
Chapter 18: Managing User Accounts and Parental Controls
At the office, your IT administrators will create and manage the user account you
need to log on to the network. You can use the techniques discussed in the “Logging
On, Switching, Locking, Logging Off, and Shutting Down” section of Chapter 1 to
log on to the network and access your account. If you have a problem with your
account, you can ask your IT administrators to help you resolve it.
At home, you have complete control over your computer. During installation, you
created the user account that you need to log on to your computer. When you are
logged on with an Administrator account rather than a standard user account, you
can create other accounts to allow other people to log on to your computer. You can
also manage user account settings as necessary.
While the user and group names are what Windows Vista displays to you, these
names aren’t the actual identifiers Windows Vista uses. Behind the scenes, when you
create a user or group account, Windows Vista assigns each user or group a unique
security identifier (SID). The SID consists of a computer or domain security ID pre-
fix combined with a unique relative ID for the user or group. The SID allows Win-
dows Vista to track an account independently from its display name. Windows Vista
does this to enable you to easily change account names, and delete accounts without
worrying that someone might gain access to resources simply by re-creating an
account with the same name as one you’ve deleted.
Thus, when you change a username or group name, you tell Windows Vista to map a
particular SID to a new display name. When you delete a user or group, you tell
Windows Vista that a particular SID is no longer valid. If you later were to create an
account with the same username or group name, the new account would not have
the same privileges and permissions as the previous one. This occurs because the
new account will have a new SID.
When you install Windows Vista, the operating system installs several types of
default accounts. The default user accounts are Administrator and Guest. The
default system accounts include LocalSystem, LocalService, and NetworkService.
You use these accounts as follows:
A standard account that provides complete access to your computer. To protect
your computer, the Administrator account should have a secure password.
A standard account that provides limited privileges on your computer. Because
this account can potentially put your computer at risk, the Guest account is dis-
abled by default.
A system account for running system processes and handling system tasks. The
operating system manages this account.

Get Windows Vista Security: Praxisorientierte Sicherheit für Profis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.