Windows Accounts

User account information can be stored centrally (such as in Microsoft Active Directory) or locally on individual computers. Unless your computer is connected to a corporate network, your user and group information is probably stored locally. This chapter will help you explore local account information.

The exercise in this section requires a Windows computer running either Windows Server or a Pro desktop edition of Windows. The Home edition of Windows will not work. If you do not have the lusrmgr.msc tool on your computer, you should complete the exercise using the Windows Server instance in the AWS Learner Lab.

Learning Objectives

You should be able to:

  • Describe how local users and groups work on Windows computers
  • List local users
  • Evaluate user properties
  • List local group members

Why Accounts Matter

Managing local accounts is crucial for cybersecurity on Microsoft Windows because it helps mitigate the risk of unauthorized access and potential system breaches. Local accounts with administrative privileges can be particularly vulnerable to exploitation if not properly managed, as attackers can leverage them to gain full control over the system. Implementing strong, unique passwords, regularly updating account credentials, and limiting the use of administrative accounts to essential tasks can significantly reduce the attack surface. Additionally, by monitoring and controlling local account activities, organizations can detect suspicious behavior early and respond promptly to potential threats. Effective local account management, combined with other security measures, helps ensure the integrity, confidentiality, and availability of critical data and system resources.

In a home network, a parent might want to create accounts for each child. Those accounts might not be granted administrative rights. Restricting administrative access would prevent children from accidentally installing malware. In organizations, most employees lack administrative rights on their company-issued computers. Yes, in organizations, the IT department treats their computer users like irresponsible children. You never know what kind of programs Frank in accounting might want to install during his lunch break.

Frank from Accounting
Frank on his lunch break

Hackers might also try to create new accounts on systems to maintain access after a successful breach. Cybersecurity professionals should be able to investigate the user accounts.

Local versus Centralized Accounts

In this exercise, you will explore local accounts. Local accounts live on one specific computer. When you log in with a local account, the username and password are checked inside the database on that computer.

Most large organizations store accounts in centralized directories. When an employee logs into a computer, the computer checks the central directory to confirm that the user has a valid account and that the credentials entered match. The most popular directory service is Microsoft's Active Directory.

The principles of user creation and permissions apply to both local user accounts and accounts in centralized directories.

Users and Groups

User accounts can be managed in all versions of Windows. These instructions will map most closely to Windows Server.

  • In the Start menu, search for Users and launch the "Add, edit, or remove other users" setting.

Start Menu Item: Add, edit or remove other users

  • Click the button to add an Other user.

Add Other User

  • In Windows Server, clicking "Other user" launches the Local Users and Groups settings.
    • Another way to open this tool is to run lusrmgr.msc from the Start menu, which goes directly to the tool for managing local users and groups. In this case, local refers to this particular computer. These accounts are not centrally managed by an organization.

Start Menu Search for lusrmgr.msc

  • Select the Users category.

List of Local Users

  • Double-click on the Guest account. Notice that the account is disabled.

Guest Account Properties

  • Analyze the properties of your account (Administrator).
  • Open the Groups category.

List of Local Groups

  • Double-click the Administrators group. Your account is likely a member of the group.

Administrator Group Properties

  • Check several groups. Many groups will have no members. Some groups will have only system account members instead of named users. These are typically for services that run in the background. The screenshot below shows the IIS_IUSRS group, which is used by Microsoft's web server, Internet Information Services (IIS).

Internet Information Services (IIS) Group Members
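
The same inspection can be done from PowerShell, which is useful when checking a machine for unexpected accounts. This is an added example, not part of the original lab; it assumes Windows PowerShell 5.1 with the built-in Microsoft.PowerShell.LocalAccounts module and only reads account data.

```powershell
# Added example: read-only review of local users and groups.

# 1. List local users with the fields shown on each account's property sheet.
Get-LocalUser |
    Sort-Object Name |
    Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon, Description |
    Format-Table -AutoSize

# 2. Confirm the Guest account is disabled. Match on the well-known RID 501
#    rather than the name, because built-in accounts can be renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if (-not $guest) {
    Write-Warning 'No account with RID 501 (Guest) was found.'
} elseif ($guest.Enabled) {
    Write-Warning "Guest account '$($guest.Name)' is enabled."
} else {
    Write-Output "Guest account '$($guest.Name)' is disabled."
}

# 3. List members of the Administrators group. Use its well-known SID
#    (S-1-5-32-544) so the lookup does not depend on the display language.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 4. Walk every local group and report its members, or note that it is empty.
foreach ($group in Get-LocalGroup | Sort-Object Name) {
    try {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
    } catch {
        # Lookups can fail when a group holds an entry that no longer resolves.
        Write-Warning "Could not read members of '$($group.Name)': $($_.Exception.Message)"
        continue
    }
    if ($members.Count -eq 0) {
        Write-Output "$($group.Name): (no members)"
    } else {
        Write-Output "$($group.Name): $($members.Name -join ', ')"
    }
}
```

Any entry in the Administrators list that you cannot account for, or an enabled account with a recent PasswordLastSet that nobody remembers creating, is worth investigating.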

Add and Remove Accounts

  • Right-click on the Users category and choose New User.
  • Create a user name, enter the full name, choose a password, and click Create.

New Jimbo

  • Click the Close button.
  • The user account has been created. However, this user will not have a home directory yet because the user has not logged in.

New User Created

  • Right-click on the newly created user and choose Delete.
  • Confirm the deletion.
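
The create-and-delete steps above, done from an elevated PowerShell session. This is an added example, not part of the original lab; the account name, full name, and description are constructed values, and the profile check uses the Win32_UserProfile CIM class to show that no profile exists before the first sign-in.

```powershell
# Added example: create a temporary local user, inspect it, then remove it.
$name = 'labuser-demo'    # constructed account name for this exercise

# Prompt for the password so it never appears in the script or command history.
$password = Read-Host -Prompt "Password for $name" -AsSecureString

# Create the account (the PowerShell equivalent of New User in lusrmgr.msc).
$user = New-LocalUser -Name $name -FullName 'Lab Demo User' -Password $password `
    -Description 'Temporary account for the lab exercise'
Write-Output "Created '$($user.Name)' with SID $($user.SID.Value)"

# The account exists, but Windows registers a profile for a SID only after
# that user signs in for the first time.
$userProfile = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.SID -eq $user.SID.Value }
if ($userProfile) {
    Write-Output "Profile folder: $($userProfile.LocalPath)"
} else {
    Write-Output 'No profile yet: the user has never signed in.'
}

# Delete the account and confirm that it is gone.
Remove-LocalUser -Name $name
if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
    Write-Warning "Account '$name' still exists."
} else {
    Write-Output "Account '$name' was deleted."
}
```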

Reflection

  • Why would it be a poor practice to add everybody to the Administrators group?
  • What would be the benefits of having all members of a family use separate local accounts when using a shared computer?

Key Terms

  • Local Account: A user account that is created and stored on a specific computer. It allows access to that computer but does not provide access to network resources or other computers.
  • Active Directory: A directory service developed by Microsoft for Windows domain networks. It is used for centralized permission management and access to networked resources, such as computers, users, and services.
  • Directory Account: A user account that is managed within a directory service, such as Active Directory. It allows users to access network resources and services across multiple computers within a domain.