Netwrix Corporation

11/01/2024 | News release | Distributed by Public on 11/01/2024 09:38

Navigating User Account Management for Enhanced Windows Security

Importance of User Account Management for Windows Computers

Your network consists of devices and users, and both require proper management. For a user to access a device and the assets it hosts, that user needs a user account with access to the computer. Allocating and managing these accounts matters for several reasons, including security, personalization and accountability. Effective user management prevents unauthorized access to sensitive data, enables tailored experiences for different user types, and makes it possible to track and audit system activity.

Overview of User Account Types

Windows is the predominant operating system for enterprises today, so an understanding of Windows user management is essential. Let's start with where user accounts are created.

  • A local account is the most basic type of user account. The account is stored directly on the machine itself and is limited to that device. It is suitable for standalone machines, devices not connected to a network, or security-restricted machines.
  • Microsoft cloud-based accounts allow users to access multiple Windows devices and sync their settings and preferences for a consistent user experience. They also provide access to other Microsoft services such as OneDrive, Office 365 and the Microsoft Store.
  • Domain accounts are centrally managed by network administrators on designated servers to provide consistent access and permissions across multiple devices within the same network domain.

Regardless of where your Windows accounts are stored, each account type has different levels of access and control. There are three basic types of user accounts:

  • Administrator accounts
  • Standard user accounts
  • Guest accounts

Creating and Managing User Accounts in Windows 10 and Windows 11

In this article, we are going to focus on local user management and Microsoft cloud-based accounts. When you are ready to onboard a new Windows 10 or Windows 11 machine, you will need to either create one or more local accounts for that device or link it to a Microsoft account. Once the account is either created or linked, you will need to decide what type of access it should have. Here is a breakdown of each of the account types:

  • Administrator accounts: Full system access, control, and management capabilities
  • Standard user accounts: Limited access, restricted system-wide changes, ideal for daily use and enhanced security
  • Guest accounts (if enabled): Highly restricted access for temporary visitors, with minimal privileges

Step-by-Step Guide to Creating a User Account

Windows 10 and Windows 11 user management can be conducted using several built-in tools.

Using the Settings App

Use the Settings App to link a device to a Microsoft account. Open the Settings App and click on "Accounts" in the left sidebar. Under "Other users," click "Add account." Enter the email address associated with the user's Microsoft account or create a new one as shown below.

To create a local account, you would click "I don't have this person's sign-in information" as shown in the screenshot above. On the next screen, choose "Add a user without a Microsoft account" as shown in the screenshot below:

In the next screen you would then enter a username for the new account and create and confirm a password.

You can then add security questions to help recover the account if needed.

Using the Control Panel

You can also create local accounts using the traditional Windows Control Panel by opening it and selecting "User Accounts."

Then click "Manage another account," select "Add a new user in PC settings," and then proceed to the Settings app to click "Add someone else to this PC" and complete the steps as outlined earlier.

Using the Computer Management Console

Open the Computer Management Console and expand Local Users and Groups. Click the "Users" folder, then right-click in the right pane and select "New User." Provide the username and password. You can also set password options such as "User must change password at next logon" or "User cannot change password," as shown below.

Using Command Prompt and PowerShell

Open Command Prompt as an administrator and use the following command to create a new local user account:

net user username password /add

Windows PowerShell offers several ways to do the same thing. Open PowerShell as an administrator; one option for creating a new local user account is the pair of commands below:

$Password = Read-Host -AsSecureString "Enter Password"

New-LocalUser -Name "NewUserName" -Password $Password -FullName "New User" -Description "Test user account"

You can learn more about creating Windows accounts with PowerShell here.
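As an added example (not code from the Netwrix article), the script below wraps the New-LocalUser step above into a function that does what the Settings app does for you and the bare cmdlet does not: it puts the new account into the built-in Users group, which is what makes it a standard user that can sign in. It also reads the password as a SecureString, so, unlike `net user username password /add`, the password never appears on the command line, in shell history or in a process listing. The account name, full name and description are constructed sample values; it requires an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example, not from the original article. Creates a standard local user the
# way the Settings app does and returns what was actually created for verification.
# Run from an elevated PowerShell session. 'jdoe' and 'Jane Doe' are sample values.

function New-StandardLocalUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $FullName    = $Name,
        [string] $Description = 'Standard user created by script'
    )

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Local user '$Name' already exists."
    }

    # New-LocalUser creates the account with no group memberships at all, so the
    # user could not sign in interactively yet. Membership of the built-in Users
    # group is exactly the 'standard user' level of access described above.
    $user = New-LocalUser -Name $Name -Password $Password -FullName $FullName `
                          -Description $Description -PasswordNeverExpires:$false
    Add-LocalGroupMember -Group 'Users' -Member $user

    # Report the account's state and every local group it now belongs to.
    $groups = Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).SID.Value -contains $user.SID.Value
    }
    [pscustomobject]@{
        Name    = $user.Name
        Enabled = $user.Enabled
        Groups  = ($groups.Name -join ', ')
    }
}

# Usage: the password is typed at a masked prompt rather than passed as an argument.
$newPwd = Read-Host -AsSecureString 'Enter password for jdoe'
New-StandardLocalUser -Name 'jdoe' -FullName 'Jane Doe' -Password $newPwd
```

The returned object should show Enabled = True and Groups = Users; if Groups is empty, the account exists but cannot be used as a standard user until it is added to the Users group.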

Managing User Accounts

Changing Account Name, Picture, and Password

You can change the account name and password for local accounts using the Settings App, Computer Management Console, or CMD or PowerShell commands. The screenshot below shows how to change the password for a local user account using the Computer Management Console.

You can modify some options of the Microsoft accounts linked to your Windows computer using the Settings app. The screenshot below shows where you can associate or change a profile picture.

Enabling and Disabling Accounts

You cannot disable a Microsoft cloud-based account using the local Windows tools, but you can disable local accounts using the Computer Management Console. Right-click on the account you want to modify and select "Properties." In the Properties window, check or uncheck the "Account is disabled" box to enable or disable the account as shown below.

Deleting User Accounts

While you cannot delete any of the local default user accounts in a Windows computer, you can delete any local accounts that were manually created. You cannot delete a Microsoft cloud-based account, but you can delete the link to it from the local machine.

Promoting Standard Users to Administrators

Newly created user accounts are initially created as standard users. For security reasons, you do not want every user to have administrative rights to their computer. Users should only have the permissions necessary to do their job roles. If you do want to promote a standard user to an administrator account, you can do so using the Settings App as shown below:

You can also accomplish the same thing using the Computer Management Console. In this case, you make the designated user a member of the local administrators group as shown below.
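The three operations in the sections above (enabling or disabling, deleting, and promoting or demoting an account) each map to one cmdlet in the LocalAccounts module. The added example below, which is not part of the Netwrix article, puts them behind one function with two guards a practitioner wants: it refuses to delete a built-in account, and it refuses to disable, demote or delete the only enabled local administrator, which would leave nobody able to administer the machine. It assumes an elevated PowerShell session on Windows 10 or 11; `jdoe` is a constructed sample account name.

```powershell
# Added example, not from the original article. Enable/disable, promote/demote and
# delete manually created local accounts with guards against locking yourself out.
# Run from an elevated PowerShell session. 'jdoe' is a sample account name.

# Built-in accounts carry well-known relative IDs: 500 = Administrator, 501 = Guest.
function Test-BuiltInLocalAccount {
    param([Parameter(Mandatory)] $User)
    return ($User.SID.Value -match '-(500|501)$')
}

# Enabled local user accounts that are direct members of Administrators.
function Get-EnabledLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID } |
        Where-Object Enabled
}

function Set-ManagedLocalUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable', 'Promote', 'Demote', 'Delete')] [string] $Action
    )
    $user = Get-LocalUser -Name $Name -ErrorAction Stop

    # Windows will not delete the default accounts; fail early instead of trying.
    if ($Action -eq 'Delete' -and (Test-BuiltInLocalAccount $user)) {
        throw "Refusing to delete built-in account '$Name'."
    }
    # Removing the last usable administrator leaves the machine unmanageable.
    if ($Action -in 'Disable', 'Demote', 'Delete') {
        $admins = @(Get-EnabledLocalAdmins)
        if ($admins.Count -le 1 -and $admins.SID.Value -contains $user.SID.Value) {
            throw "'$Name' is the only enabled local administrator; add another first."
        }
    }

    switch ($Action) {
        'Enable'  { Enable-LocalUser  -Name $Name }
        'Disable' { Disable-LocalUser -Name $Name }
        'Promote' { Add-LocalGroupMember    -Group 'Administrators' -Member $user }
        'Demote'  { Remove-LocalGroupMember -Group 'Administrators' -Member $user }
        'Delete'  { Remove-LocalUser -Name $Name }
    }
    Get-LocalUser -Name $Name -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled, @{ n = 'Admin'; e = { $_.SID.Value -in (Get-EnabledLocalAdmins).SID.Value } }
}

# Usage
Set-ManagedLocalUser -Name 'jdoe' -Action Disable
Set-ManagedLocalUser -Name 'jdoe' -Action Enable
Set-ManagedLocalUser -Name 'jdoe' -Action Promote   # same as ticking Administrator in Settings
Set-ManagedLocalUser -Name 'jdoe' -Action Demote
```

Promote and Demote change membership of the local Administrators group, which is exactly what the Computer Management Console does when you add the user to that group; the article's advice still stands, so promote only accounts whose job role needs it.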

Family and Safety Settings

Setting Up Family Accounts

If you are setting up a personal computer for a family member, you may want to create a family group using the Settings app. Family groups provide a centralized way for parents to manage their children's online experiences and ensure their safety while using devices. To do so, open the Settings app and navigate to "Accounts" > "Family & other users." You can then add someone to your family group as shown below.

Managing Microsoft Family Safety Features

Creating a family account for younger users will give you the ability to:

  • Monitor activity across Windows devices
  • Set screen time limits
  • Filter inappropriate content
  • Manage app and game purchases

Monitoring and Restricting Child Accounts

If you are a parent, family safety settings let you view your child's online activity, including websites visited and apps used. You can also filter inappropriate websites, set safe search options in browsers, establish age restrictions for downloads and limit access to specific applications. Screen time management lets you set daily usage limits and create schedules for when devices can be used. Together, these controls help ensure a safe experience for any younger members of your family.

Advanced User Management

In this article, we have shown how to create and manage user accounts using the Local Users and Groups feature in the Computer Management Console. You can skip a step by opening the Local Users and Groups snap-in directly with the command `lusrmgr.msc`, as shown below. The same tool lists the default groups that exist on any Windows 10 or Windows 11 device.

Managing Hidden and Built-In Accounts

Windows comes with two default user accounts: Administrator and Guest. By default, the Guest account is disabled for security reasons. Unless you are using the computer as a public kiosk, there is no good reason to enable it. The default Administrator account should also be disabled: every attacker knows its name, which makes it a prime target for brute-force attacks. Make sure that every account with administrative rights has a custom username and a complex password.

Assigning and Managing User Permissions

You create user accounts to give people access to a computer and its hosted data and applications. There are two ways to control permissions for them. The first is to assign them designated groups which will automatically give them the permissions assigned to those groups. For more granular control, you can assign permissions to the files, folders and applications on the computer. To do so, right-click on a file or folder and select "Properties" > "Security" > "Advanced" as shown below.

You can then add, remove, or modify permissions for users or groups as shown below.

Best practices include implementing the principle of least privilege, conducting regular permission audits, using groups for efficient management, and documenting all changes to maintain accountability.
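The Properties > Security > Advanced dialog edits the folder's access control list; the added example below (not code from the Netwrix article) does the same with Get-Acl and Set-Acl, granting a group rather than an individual user, as the best practices above recommend, and then listing the explicit entries so they can be reviewed in a permission audit. The demo folder under the TEMP directory and the rights values are constructed for the example; modifying ACLs on folders you do not own requires an elevated session.

```powershell
# Added example, not from the original article. Grants a group access to a folder
# and lists the entries set directly on it, the scripted equivalent of the
# Properties > Security > Advanced dialog. Folder and rights are sample values.

function Grant-FolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'BUILTIN\Users' or a local group
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit make the entry apply to the folder, its
    # subfolders and its files, matching the dialog's default 'This folder,
    # subfolders and files'.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitFolderAccess {
    param([Parameter(Mandatory)] [string] $Path)
    # Entries set on this folder itself; inherited ones come from the parent and
    # must be changed there (or inheritance disabled) to take effect here.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';   e = { $_.FileSystemRights } },
                      @{ n = 'Type';     e = { $_.AccessControlType } }
}

# Usage on a throwaway folder.
$folder = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Grant-FolderAccess -Path $folder -Identity 'BUILTIN\Users' -Rights 'ReadAndExecute'
Get-ExplicitFolderAccess -Path $folder | Format-Table -AutoSize
```

Granting ReadAndExecute instead of the default Modify is the least-privilege choice when the group only needs to run or read what is in the folder; the audit listing is the part worth scheduling, since entries added by hand tend to accumulate without being documented.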

Tips for Securing User Accounts

Creating Strong Passwords

To make your user accounts less vulnerable to dictionary and brute force attacks you should use passwords that are 12 characters or longer. They should use a mix of uppercase and lowercase letters, numbers, and special characters and avoid common password patterns or sequential numbers.

Enabling Two-Factor Authentication

While local Windows user accounts don't offer a built-in MFA option, you should enable multifactor authentication for Microsoft cloud accounts as it adds an extra layer of verification beyond just a password. This additional security measure helps safeguard against various threats, including phishing attacks, credential stuffing, and brute force attempts.

Regularly Updating Security Settings

Keeping your Windows systems patched and updated is a mandatory security measure. Frequent updates help defend against newly discovered vulnerabilities and emerging cyber threats. They may also introduce new security features or tools to further enhance account protection, along with performance improvements that help systems run more reliably, thereby improving the overall user experience.

Using Dynamic Lock and Windows Hello

Dynamic Lock is a feature that automatically locks your Windows 10 or 11 PC when you step away from it. It works by pairing your computer with your smartphone via Bluetooth. This prevents other people from accessing or gazing at your screen every time you step away. To enable Dynamic Lock, use the Settings App and navigate to Accounts > Sign-in options. Scroll down to Dynamic Lock and pair your smartphone with your PC via Bluetooth if necessary. Then enable the "Allow Windows to automatically lock your device when you're away" option as shown in the screenshot below.

Notice in the screenshot that Windows Hello is enabled as well. Windows Hello is a biometric authentication system that lets users sign in to their devices with facial recognition, a fingerprint, or a PIN. Facial recognition and fingerprint sign-in are not only more secure than traditional passwords but also faster and more convenient.

Troubleshooting Common Issues

Resolving Login Problems

Login problems are a common IT helpdesk ticket. Common ways to resolve them include:

  • Ensure that the caps lock or num lock keys are not enabled.
  • If the user is using a virtual keyboard, ensure that the keyboard language is set correctly.
  • Wait for the account lockout time to expire before attempting to login again.
  • Have the user use the "I forgot my password" option on the login screen.
  • Reset the password using another admin account.

Recovering Lost Passwords

Password managers are strongly advised as a secure solution for storing and organizing credentials across various accounts. These tools alleviate the burden of memorizing multiple intricate passwords. In the event a user forgets a specific password, they can easily retrieve it from the password manager. However, if the master password for the password manager itself is forgotten, a reset process is necessary to regain access to all stored passwords. For Windows local accounts, password recovery can be accomplished using a previously created password reset disk or by utilizing another account with administrative privileges to reset the forgotten password. For Microsoft cloud accounts, users can visit the Microsoft account recovery page or ask an Azure administrator to manually reset it.

Fixing Permission Issues

If a user encounters file or folder access issues, test with another user having identical permissions. Adjust permissions as needed for the user or their groups. In some cases, an administrator may need to take ownership to modify permissions. For corrupt user profiles you need to create a new one. Consider restoring the computer from a system restore point if necessary. Always verify and modify permissions carefully to maintain system security and stability.

Best Practices for User Account Management

Regular Account Audits

Regular account audits enhance overall system security by identifying and removing unnecessary or outdated accounts that could pose a risk. They also tighten access control by confirming that users have permissions appropriate to their roles, which prevents unauthorized access and keeps the system aligned with the principle of least privilege. Audits can also help meet regulatory compliance requirements for account management and access control.
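The audit described here and the check on the built-in Administrator and Guest accounts under "Managing Hidden and Built-In Accounts" are the same pass over the local account database, so the added example below (not code from the Netwrix article) serves both. It is read-only: for every local account it reports whether it is enabled, built in and an administrator, when it last logged on, and a list of findings such as an enabled Guest account, an enabled built-in Administrator (recognised by relative ID 500 even if renamed), an account that needs no password, or an administrator that has not signed in for a while. The 90-day staleness threshold is an assumption, not a figure from the article; run it elevated for complete group-membership data.

```powershell
# Added example, not from the original article. Read-only audit of local accounts
# covering the built-in Administrator/Guest check and the periodic account review.
# The 90-day staleness threshold is an assumed baseline.

function Get-LocalAccountAudit {
    param([int] $StaleDays = 90)

    $adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value
    $cutoff    = (Get-Date).AddDays(-$StaleDays)

    foreach ($u in Get-LocalUser) {
        # The last component of the SID is the relative ID: 500 = built-in
        # Administrator, 501 = Guest, anything below 1000 is a Windows-created account.
        $rid      = [int]($u.SID.Value -split '-')[-1]
        $isAdmin  = $adminSids -contains $u.SID.Value
        $findings = @()

        if ($rid -eq 500 -and $u.Enabled) { $findings += 'built-in Administrator is enabled' }
        if ($rid -eq 501 -and $u.Enabled) { $findings += 'Guest account is enabled' }
        if ($u.Enabled -and -not $u.PasswordRequired) { $findings += 'no password required' }
        if ($u.Enabled -and $isAdmin -and $u.LastLogon -and $u.LastLogon -lt $cutoff) {
            $findings += "administrator unused for more than $StaleDays days"
        }
        if ($u.Enabled -and -not $u.LastLogon -and $rid -ge 1000) {
            $findings += 'never logged on'
        }

        [pscustomobject]@{
            Name            = $u.Name
            Enabled         = $u.Enabled
            BuiltIn         = ($rid -lt 1000)
            Administrator   = $isAdmin
            LastLogon       = $u.LastLogon
            PasswordLastSet = $u.PasswordLastSet
            Findings        = ($findings -join '; ')
        }
    }
}

# Usage: the full inventory, then only the accounts that need a decision.
Get-LocalAccountAudit | Format-Table -AutoSize
Get-LocalAccountAudit | Where-Object Findings | Format-Table Name, Findings -AutoSize
```

Keep the full output as the audit record; the filtered list is the work queue. An account that shows up as "never logged on" weeks after onboarding is the kind of unnecessary account the audit is meant to catch.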

Backing up User Data

Set up automatic, frequent backups so that data is always up to date. A simple backup method is versioning, which keeps multiple versions of files so you can recover from incremental changes or corruption. You can use either built-in or third-party backup solutions to back up data, including profile folders (Documents, Pictures, Videos, Music, Desktop, Favorites), application data (the AppData folder and custom folders), email files, browser data (bookmarks, passwords, extensions), and system settings (user account information and personalization settings).

Implementing Account Policies

You should consider implementing account policies to enforce security standards across all user accounts. Some of the policies you should consider include:

  • Password policies to enforce password standards
  • Account lockout policies that enforce a lockout duration after a designated number of failed login attempts
  • User rights assignments that define which users or groups can perform specific system actions
  • Audit policies that log successful and failed login attempts and track changes to user accounts and permissions

These policies can be created using either Local Security Policy or Group Policy.
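Local Security Policy stores the password and lockout settings listed above in the local security database, and `secedit /export` writes them to a text file in the same form Group Policy uses. The added example below (not code from the Netwrix article) exports that file, parses the [System Access] section, and compares the values against a baseline; the baseline numbers are assumptions chosen to match the 12-character password advice given earlier and are not figures from the article. It assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example, not from the original article. Reads the effective local
# password and lockout policy via secedit and checks it against an assumed baseline.
# Run from an elevated PowerShell session.

function Get-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    # SECURITYPOLICY is the area that holds account policies; the file is a
    # Unicode .inf with [System Access], [Event Audit] and similar sections.
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null

    $policy  = @{}
    $section = $null
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-LocalAccountPolicy {
    param([hashtable] $Policy = (Get-LocalAccountPolicy))

    # Assumed baseline. Lockout values are counts and minutes; when the
    # threshold is 0 (lockout off) Windows omits the duration keys entirely,
    # which the [int] cast below reads as 0 and therefore fails.
    $checks = @(
        @{ Key = 'MinimumPasswordLength'; Min = 12;          Why = 'password length' }
        @{ Key = 'PasswordComplexity';    Min = 1;           Why = 'complexity required' }
        @{ Key = 'PasswordHistorySize';   Min = 5;           Why = 'password reuse' }
        @{ Key = 'LockoutBadCount';       Min = 1; Max = 10; Why = 'lockout threshold' }
        @{ Key = 'LockoutDuration';       Min = 15;          Why = 'lockout duration' }
    )
    foreach ($c in $checks) {
        $value = [int]$Policy[$c.Key]
        $ok    = ($value -ge $c.Min) -and (-not $c.ContainsKey('Max') -or $value -le $c.Max)
        $req   = if ($c.ContainsKey('Max')) { "$($c.Min)-$($c.Max)" } else { "$($c.Min)+" }
        [pscustomobject]@{ Setting = $c.Key; Value = $value; Required = $req; Pass = $ok; Purpose = $c.Why }
    }
}

# Usage
Test-LocalAccountPolicy | Format-Table -AutoSize
```

A failing row is fixed in Local Security Policy (secpol.msc) under Account Policies, or on a domain-joined machine in the Group Policy object that sets it, since domain policy overrides whatever is set locally. Audit policy, the fourth item in the list above, lives in a different section of the same export and in `auditpol /get /category:*`, so it is a separate check.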

Conclusion

The days of handing someone a laptop and giving them broad administrative rights to the machine are, unfortunately, over in this era of an expanding threat landscape. Following best practice for Windows 10 and Windows 11 user account management needs to be job one for personal and enterprise computer users alike. Doing so involves carefully controlling access privileges, regularly auditing user accounts, and implementing robust security measures to mitigate potential threats and vulnerabilities. By prioritizing effective user account management, organizations and individuals can significantly improve their overall security posture and protect against unauthorized access and data breaches.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.