HOWTO: Set Up Windows User Accounts Correctly


This has to be the single biggest no-no I see, even with Windows Vista and Windows 7: Users running with accounts with Administrator privileges. In versions of Windows prior to Vista, this was asking for trouble because any malware you came across could silently invade your system with full access. At least in Windows Vista and Windows 7, you get a prompt.

Which leads me to the second big no-no I see thanks to Vista and 7: Disabling UAP/UAC. I know it can be annoying, but without those UAP/UAC prompts, Administrator accounts revert to the pre-Vista days of silent malware infestation. Worse yet, Standard User accounts get no “access denied” errors and Run As silently fails.

One of the selling points of Windows Vista/7 is that you can run as a Standard User and get prompts when higher privileges are needed, so take advantage of it! Windows XP users can follow this advice as well, but will be faced with a few rough edges like getting “Access is denied” errors (forcing you to manually re-run the program with Run As) and not being able to change Windows settings through the GUI with a restricted account.

  1. Enable UAP/UAC (Vista/7 only)
    1. Press [Window Key] + [R] to bring up the Run dialog box.
    2. Type msconfig and press [Enter].
    3. Click on the Tools tab.
    4. Vista users will see two entries called “Enable UAP” and “Disable UAP.” Windows 7 users will see a single “Change UAC Settings.” Click the appropriate entry and then click the Launch button.
  2. Create the main admin account.
    1. Existing install: Create a new account.
      1. Press [Window Key] + [R] to bring up the Run… dialog box.
      2. Type control userpasswords2 and press [Enter].
      3. Click the Add… button.
      4. You’ll see “User name” and “Full name.” User name will be used on the disk (C:\users\whg) while “Full name” will be used throughout the Windows GUI (Bill Gates, aka William Henry Gates III). Click Next when done.
      5. Enter a password for this new user. Keep in mind that this is the password that people will need to type in when doing things that require elevated privileges, like installing programs. Be sure to keep this password out of the hands of people you do not want doing such things. Click Next to continue.
      6. Select Administrator (Administrators Group) and click Finished.
    2. Fresh install: Create initial account as the admin account
      1. Keep in mind that this first account you create is hardly going to be used outside of initial setup.
      2. Now that you know about userpasswords2, you might opt to enter a shorter type-friendly name as the user name here during the install process. You can set the Full name to something more easily readable once Windows is set up.
      3. I would recommend using this account to log in until you have completely set up Windows. Clicking Yes/No is a heckuva lot easier than entering a password (sometimes incorrectly) before clicking OK.
  3. Set up other user accounts
    1. Existing installs: Change all other accounts to Standard User
      1. Not using Windows 7’s HomeGroup feature.
        1. Bring up the userpasswords2 applet as described above
        2. Select a user to change and then click on Properties button
        3. Click on the Group Membership tab
        4. Select the Standard User button, and then click OK.
        5. Repeat for all users that are in the Administrators group that should not be.
      2. Using Windows 7’s HomeGroup feature.
        1. The userpasswords2 applet only allows the assignment of a single group to any given user. HomeGroup uses a special group called HomeGroup to which all users participating in HomeGroup belong. If you’re using HomeGroup and want to keep users in the HomeGroup, you’ll have to use an elevated command prompt.
        2. The easiest thing to do is to use userpasswords2 to change your respective users into one group (either HomeGroup or Users) and then use the elevated command prompt to add users to the other group.
        3. The command to add users to a group is NET LOCALGROUP [group] [username] /ADD.
    2. Fresh install: Create new accounts as Standard Users
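
To check the result of the steps above, here is an added example that is not part of the original article: a PowerShell script, run from an elevated prompt on a standalone (non-domain) PC, that reports whether UAC is on and which accounts are still in the Administrators group, and with -Fix demotes them using NET LOCALGROUP. The account name mainadmin, the parameter names and the optional second group are assumptions; use the names that NET LOCALGROUP lists on your machine.

```powershell
# Added example (not from the original article). Save as a .ps1 file and
# run from an elevated PowerShell prompt. Uses ADSI, so it works on the
# PowerShell 2.0 that ships with Windows 7.
param(
    [string]$AdminAccount = 'mainadmin',  # hypothetical: the one admin account from step 2
    [string]$ExtraGroup   = '',           # optional second group to keep demoted users in
    [switch]$Fix                          # without -Fix the script only reports
)

# Step 1 check: EnableLUA = 1 means the UAC prompts are switched on.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 1) { 'UAC: enabled' } else { 'UAC: DISABLED, re-enable it as in step 1' }

# Step 3 check: read the members of the local Administrators group.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# Never demote anyone unless the designated admin account really is an
# administrator; otherwise the machine could end up with no usable admin.
if ($members -notcontains $AdminAccount) {
    throw "'$AdminAccount' is not in Administrators; create it first (step 2)."
}

# The built-in Administrator account is left alone (English name assumed).
$keep  = @($AdminAccount, 'Administrator')
$extra = @($members | Where-Object { $keep -notcontains $_ })

if ($extra.Count -eq 0) { 'Administrators group: only the expected accounts.' }

foreach ($user in $extra) {
    "Extra administrator: $user"
    if ($Fix) {
        # Add to Users first so the account is never left without a group.
        # NET reports an error if the user is already a member; that is harmless.
        net localgroup Users $user /add
        if ($ExtraGroup) { net localgroup $ExtraGroup $user /add }
        net localgroup Administrators $user /delete
    }
}
```

Run it once without -Fix to review the list; a demoted user has to log off and back on before the change takes effect.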