Figure 1 – There are three types of basic Windows 7 user accounts.
With administrator accounts, solutions providers can install software, make configuration changes, add or delete files in most directories and so forth. Standard users can manage their own files inside the %SystemDrive%\Users\
The best Windows 7 user accounts control comes via group management
Ask any experienced Windows solutions provider, and he or she will tell you that the best way to manage rights and permissions -- the controls that establish which applications or services a customer may run and which files or other system resources they can access -- is by establishing groups related to specific kinds of roles or activities.
A quick look at Windows 7's default group names and descriptions (Figure 2) helps illustrate this principle, while also listing the roles and activities that Microsoft finds most useful on Windows 7 systems.
Figure 2 – Windows 7 default group names and descriptions in the Local Users and Groups management console.
Notice the kinds of groups that appear by default, which include backup operators (those who can back up or restore systems), event log readers (those who can access and view event log contents to seek out and diagnose system issues), network configuration operators (those who can manage network configuration items and elements), remote desktop users (those who are allowed to log in from across the network or the Internet) and so on. The idea is to break various types of functionality into distinct areas (or roles), each of which is associated with some group, and then to use group membership to grant access to that functionality. For example, a system with Photoshop installed might have a Photoshop users group, and only those who belong to the group can run Photoshop on a specific computer.
To access this capability, solutions providers must be logged in using the Administrator account or another account with administrator privileges (like the Ed account in Figure 1). Then, you can simply type lusrmgr.msc in the Start menu search box to open the Local Users and Groups management console snap-in depicted in Figure 2. The word "Local" is important because the control applies only to one Windows 7 (or other Windows) machine at a time.
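The Photoshop users group described above can also be set up from an elevated PowerShell prompt using the net.exe and icacls.exe tools built into Windows 7. This is an added example, not part of the original article; the group name, the account alice and the install path are assumed placeholders.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Assumed names: the group, account and folder below are hypothetical placeholders.
$Group   = 'Photoshop Users'
$Member  = 'alice'
$AppPath = 'C:\Program Files\Adobe\Photoshop'

# 1. Create the role group unless it already exists
#    (net.exe exits non-zero when the group is missing).
& net.exe localgroup $Group 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net.exe localgroup $Group /add /comment:"May run Photoshop on this computer"
}

# 2. Add the account only if it is not already a member (WinNT ADSI provider).
$adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
$current = @($adsiGroup.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($current -notcontains $Member) {
    & net.exe localgroup $Group $Member /add
}

# 3. Drop inherited permissions on the application folder and grant access only
#    to SYSTEM (S-1-5-18), Administrators (S-1-5-32-544) and the role group.
#    Well-known SIDs avoid localized group names. Explicit entries that were
#    already set on the folder are not removed by this command.
& icacls.exe $AppPath /inheritance:r `
    /grant:r '*S-1-5-18:(OI)(CI)F' `
    /grant:r '*S-1-5-32-544:(OI)(CI)F' `
    /grant:r "${Group}:(OI)(CI)RX"

# 4. Review the result: group membership and the resulting ACL.
& net.exe localgroup $Group
& icacls.exe $AppPath
```

After this runs, a standard user who is not in the group no longer has read or execute access to the folder, while group members get read and execute but cannot modify the installed files.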
For network users, Active Directory and Group Policy hold the keys to the kingdom
The principles of managing Windows 7 user accounts are slightly different on Windows Server networks, where Active Directory servers typically house user account and group information and definitions as well as the policies that go with them. Though you can manage groups, accounts and Group Policies locally from individual Windows machines on production networks, the process is too time-consuming to be worth the effort.
Most solutions providers use the Microsoft Management Console (mmc.exe) with snap-ins to support users, groups and Group Policy management. You can use the Active Directory (AD) Users and Computers tool to set up AD users and groups, and you can use a Group Policy management tool (the Group Policy Management Console, aka gpmc.msc) to set up and manage Group Policy settings. Group Policy settings are used to control desktop appearance, application access, file system rights and permissions and lots more.
About the expert
Ed Tittel is a frequent contributor to numerous TechTarget websites. He's also a contributor to Windows 7 in Depth (Que, 2009) and Windows Server 2008 For Dummies. For more information, check out his Web page at www.edtittel.com.
This was first published in July 2010