How to Manage Users in Windows 7
A computer running Windows 7 might be used by a single person, by a group of people in an office, or by a family in a home. Fortunately, Windows 7 was designed from the ground up to be a multiuser operating system. The new OS is flexible and can support many different scenarios, with each user having appropriate permissions and a customized environment. Every person using Windows 7 must log in with an account, and each account has a personalized desktop, Start menu, documents folder, history, favorites, and other customizations.
All of that stuff resides in the Users folder on the root of the system drive, where each account has a subfolder named after it. The two main tools I'll describe in this article are the 'User Accounts and Family Safety' wizard-based tool, which you can find in the Control Panel, and the traditional 'Local Users and Groups' tool, which is available in Computer Management.
Before you start creating new users on your Windows 7 computer, you should understand the difference between the two main account types.
Administrators have full control over the system. They can install software programs and hardware drivers, and they can create and modify new users and groups. Additionally, they can reset passwords, set policies, and edit the Registry. The OS identifies tasks that require administrator permissions with a Windows security icon.
Standard users are permitted to log on to the computer, run programs, customize their accounts, and save files in their user folders. Users are restricted from making systemwide changes.
The First User
When Windows first installs, it asks you for a user name and password, which it then uses to create your first account. This account joins the Administrators group, which has the highest set of privileges. From this account you can create and manage all other user accounts. When one person is the sole user of a computer, this first account is sometimes the only one ever created. However, even if you are the only user, a recommended practice is to create a second, standard account for daily use, so that you have it separate from your account with administrative privileges for managing the system. If you want to install software or make other system changes while logged in as a standard user, never fear: When you attempt to make the change, Windows will prompt you to authenticate your administrator account so that you won't need to log on with it.
Creating a New Account
To create a new account, open Control Panel and choose User Accounts and Family Safety, Add or remove user accounts. Click on Create a new account. Type in the new account name, select either the Administrators or Standard Users user type, and then click Create Account. By default, Windows assigns no password; you can make one by clicking on that user's icon and selecting Create a password. Alternatively, you can leave it blank to allow the user to set a password when they first log on.
Once you've created an account, you can customize it further by editing. To edit an account, open Control Panel once again and select User Accounts and Family Safety, Add or remove user accounts. This takes you to the Manage Accounts window, where you can select an account to edit by clicking on its icon. In this window, you can change the account name, create or remove a password, change the picture, set up parental controls, change the account type, or delete the account. Be cautious when removing a password, since it will cause that user to lose any encrypted files, personal certificates, and stored passwords.
If You Accidentally Delete Your Last Administrator Account
Windows 7 has a built-in Administrator account that has no password and is hidden by default. Like all other administrator accounts, it has full control of the system; for you to use it, however, it must be the only remaining administrator account, and you must start the computer in Safe Mode.
Concerned parents are often wary about letting their children have free rein on the family computer. Windows 7's parental controls offer parents a way to keep their children's Web surfing or gaming in check. To arrange parental controls, go to Control Panel and select User Accounts and Family Safety, Set up parental controls for any user. Click on the user for which you want to set controls.
Since all administrators can disable these controls, if an administrator account doesn't have a password, Windows 7's parental controls will offer the option to force that person to set a password at the next log-on.
Turn on parental controls by selecting On, enforce current settings, and then modify each setting as appropriate.
- Time limits: If you want Windows to boot your child off the computer after, say, 10 p.m., this is where you can explicitly permit or deny computer usage by time and by the day of the week.
- Games: Here you can define whether the account is permitted to play games, which game ratings are acceptable, and whether unrated games are allowed. You may also allow or block particular games.
- Allow and block specific programs: If you want to limit your child's computer use to certain applications, this is where you choose them.
Windows 7's parental controls can work in conjunction with the downloadable Windows Live Family Safety, which allows you to set parental controls on Web content.
Changing Your Password
The simplest way to change your password when you are logged in is to press Ctrl-Alt-Del and click Change a Password. In this window, you simply type in your old password and your new one, and then confirm it. Administrators may also overwrite the user name and change the password for another user.
Changing Your Picture
Windows 7 allows you to choose a picture to associate with your account. This is the image you click to log on to the computer. To change it, open Control Panel and choose Users Accounts. Under Users, click Change your Account Picture. You can select from a number of built-in images, or you can browse to one of your own images.
Creating a Password-Reset Disk
A password-reset disk is useful if you forget your password, but the catch is that you have to create it while you are logged in--if you have already forgotten your password, it's too late. You probably don't have a floppy drive on your PC, but a USB drive will work just fine. To create a password-reset disk, open Control Panel and select User Accounts and Family Safety, User Accounts. Click on Create a password reset disk in the left pane. A wizard will guide you through the procedure, asking you on which drive to place the password key as well as what your current password is. Be careful where you store the disk or USB drive--anyone who can access it can use it to gain entry to your account.
Resetting Your Password Using the Password-Reset Disk
If you enter your password incorrectly when you attempt to log on to your computer, Windows will display a Reset password link under the password box. Click it to launch the Password Reset Wizard. When prompted, select the drive that contains the password key, and then type in a new password and password hint.
Using the 'Local Users and Groups' Tool
Though the Windows 7 wizard-based user-management tools are great and easy to use, some people will prefer the legacy tool, called 'Local Users and Groups'. This tool has changed little since its introduction in Windows 2000. To access it, right-click Computer on the Start menu, and select Manage. This will open Computer Management. From there, expand Local Users and Groups.
Creating a new user: Right-click on Users, select New User, and then enter the user name. Optionally you may supply a full name, description, and password. Click Create to make the account.
Modifying users: In 'Local Users and Groups', expand Users and double-click on the appropriate user name.
On the General tab, you may modify the following settings by checking the appropriate box:
- User must change password at next logon
- User cannot change password
- Password never expires
- Account is disabled
- Account is locked out (to unlock an account that Windows has locked in response to a user's entering an incorrect password too many times, as specified by the local security policy, clear this check box)
A note about disabling user accounts: A common administrative practice is to disable an account rather than delete it when an employee leaves. That way, if another user replaces that staffer, you can simply rename and reenable the account, and the new employee will have all the same settings as the previous one.
The Guest account: Windows 7 includes an account named Guest, which has a bare minimum of permissions and is disabled by default. If you want to use this account, click Local Users and Groups, expand Users, double-click on the Guest account, and clear the Account is disabled check box.
Managing groups: Every Windows account is a member of at least one group. Group membership defines what set of permissions each account has. Most people use the groups built in to Windows (called Account Types when you're in the Create User wizard), but you are free to create and customize your own. Groups exist to make administration of a computer easier by allowing the administrator the flexibility to apply permissions and policies to more than one account simultaneously.
Besides Users (or Standard Users) and Administrators, you'll find a multitude of other groups in Windows 7. Some of these are intended for backward-compatibility, while others are designed for specialized purposes such as allowing access to back up and restore files, to read log files, or to connect through Remote Desktop.
Creating a new group: Right-click on Groups in the 'Local Users and Groups' tool, and select New Group. Specify a name and description, and click Add to add the members. Finally, click Create.
Managing User Accounts for Domain Members
Each computer is a member of either a workgroup or a domain. Computers that are part of a domain usually have a network administrator who manages user accounts. These accounts are not located on individual computers, but in a central database called Active Directory. A workgroup is more of an ad-hoc network where each computer is managed separately. Only computers running Windows 7 Professional or greater have the option of joining a domain.
When a PC joins a domain, the user-management options change a bit. Parental controls are unavailable, the User Account tool replaces the 'User Accounts and Family Safety' tool, and you may create local users only through the 'Local Users and Groups' management tool.
Adding a domain user to a local group: In the Control Panel, open User Accounts, and click on Give other users access to this computer. From there, type in the person's user name and the domain (or click Browse to select it from Active Directory), click Next to add them to a group, and then click Finish.
Michael Scalisi is a California-based IT Manager and the writer of PC World's Net Work blog.
For comprehensive, straightforward advice and tips that can help you get the most out of the new operating system, order PC World's Windows 7 Superguide, on CD-ROM or in a convenient, downloadable PDF file.