Win XP user and user group description

Administrators belong to the users in the local group of the administators, all have the rights of the system administrator, they have the maximum control of this computer, can perform the management tasks of the entire computer. The built-in system administrator account Administrator is a member of the local group and cannot be removed from the group. If this computer is joined to the domain, the domain's Domain Admins will automatically be added to the Administrators group for that computer. In other words, the system administrator on the domain also has the privileges of the system administrator on this computer.

Backup OPerators Members in this group, regardless of whether they have access to folders or files on this computer, can go through Start - All Programs - Attachments - System Tools "-"Backup" way to back up and restore these folders and files.

Guests This group is for users who do not have a user account but need access to resources on the local computer. Members of this group cannot permanently change the working environment of their desktop. The most common default member of this group is the user account Guest.

Network Configuration Operators Users in this group can perform general network setup tasks on the client, such as changing the IP address, but cannot install/delete drivers and services, or perform network server settings. Tasks such as DNS server, DHCP server settings.

Power Users Users in this group have more rights than the Users group, but have fewer rights than the Administrators group. For example, you can: Create, delete, change local user account creation, deletion, management Shared folder settings and shared printer customizations on the local computer, such as changing computer time, shutting down the computer, etc.

Members of the Power Users group cannot change Administrators and Backup Operators, cannot take ownership of files, cannot back up And restore files, unable to install delete and delete device drivers, unable to manage security and audit logs.

Remote Desktop Users Members of this group can log in from a remote computer, for example, using a terminal server to log in from a remote computer.

Users This group member only has some basic rights, such as running applications, but they can't modify the operating system's settings, can't change other users' data, and can't shut down server-level computers. All added local user accounts automatically belong to this group. If this computer has joined the domain, the domain's Domain Users will be automatically added to the Users group of that computer.

Built-in special group:

Everone Any user belongs to this group. Note that if the Guest account is enabled, you must be careful when assigning permissions to the Everone group, because when a user without an account connects to the computer, he is allowed to automatically use the Guest account to connect, but because the Guest is also part of the Everone group, he Will have the permissions that Everyone has.

Authenticated Users Anyone who connects with a valid user account belongs to this group. It is recommended to set the Authenticated Users group as much as possible when setting permissions, not for Everone.

Interactive Any user who logs in locally belongs to this group.

Network Anyone who connects to this computer over a network belongs to this group.

Creator Owner The creator of a resource such as a folder, file, or print file is the Creator Owner of the resource. However, if the creator is a member of the Administrators group, its Creator Owner is the Administrators group.

Anonymous Logon Any user who is not connected with a valid Windows Server 2003 account belongs to this group. Note that in Windows 2003, the "Anonymous Logon" group is not included in the Everone group.

Note: The following settings for Windows XP Home Edition does not work.

In the family or in the unit, there may be a phenomenon in which one machine and multiple users share. As the administrator of the computer, the corresponding authority should be set appropriately according to the needs of each user. In WinXP, you can easily complete these settings (taking the setting of multi-user usage rights in the home as an example).

First, it is forbidden to install software. If children always like to install game software into the computer endlessly, how can you prohibit their installation permission? The most effective way is to create a limited account for them, so that when a child logs into WinXP with his or her own account, he can only run pre-installed programs and access his own files. For software installation, you can only say goodbye. It is. The specific steps to create a restricted account are as follows:

1. First log in to WinXP as the system administrator (Administrator).

2. Click on the "Start → Control Panel" command and double-click the "User Account" icon in the "Control Panel" window.

3. Click "Create a new user" in the pop-up window task list, and then enter a name (such as "Moon") in the text box of the wizard window. This name will appear on the welcome screen or start. In the menu, click the "Next" button.

4. The "Computer Administrator" and "Restricted" permissions are available in the newly created screen. Click the "Restricted" radio button with your mouse and click "Create Account".

In addition, in the task list window, you can also complete the operation of renaming and deleting the created account.

Second, account management is a good helper - family member group If you want other users to have only read access to one of their own folders, the usual practice is to assign permissions to each account. If there are more users, this is more troublesome. To solve this problem, create a family member group, just add other accounts to this group, and then assign this permission to the group, then all users in the group. I have this permission. The specific steps for creating a group are as follows:

1. Click to select the "Start → Control Panel" command, double-click the "Administrative Tools → Computer Management" icon, and the "Computer Management" window will pop up.

2. In the tree structure of the left pane, expand System Tools→Local Users and Groups step by step. Under this branch, there are two options: User and Group. Select "Group" and in the right pane you will find groups built into the system such as "Administrators", "Power Users", "Users" and "Guests".

3. Select the "Operation → New Group" command, and the "New Group" window will pop up. Enter a "Home Member" in the "Group Name" box and click the "Create" button to create a group.

4. Next, add members to the group and click the "Add" button to bring up the "Select User" window.

5. Click the "Object Type" button and select the object type as "User"; then click the "Advanced" button.

6. In the further expanded user window, click "Find Now", select the "Sun" user in the search results list, and click the "OK" button to add the "Sun" account to the group. In the same way, other users are also added to this group.

Three, WinXP can also achieve standard account permissions among family members, if a user wants to obtain permissions similar to the standard account in Win2000, WinXP does not directly provide the function to create such an account, then How can we achieve this? The specific steps are as follows:

1. In the "Computer Management" window, under the "System Tools→Local Users and Groups" branch, select the "Group" option, and double-click the "Users" group in the right pane. The "Sun Properties" window pops up, click "Sun" in the "Members" list, then click the "Delete" button to delete the account, click the "OK" button to return to the "Computer Management" window.

2. Double-click the "Power Users" group, click the "Add" button in the pop-up "Power Users" property window, and add the "Sun" account to the "Power Users" group as described above. can.

This way, a restricted account Sun can gain access to a standard account, and the software installation can be removed from then on.

Fourth, add a talisman to the file When multiple people share a computer, presumably your most worried is that your document was accidentally deleted by others, or the secret document was sneaked, if you are using NTFS files System, then let WinXP add a talisman to your document (or folder)! If so, even a restricted account can deny the administrator access to his protected files (or folders). Now let's take a look at the setting method, for example, prohibiting the administrator from accessing the "MyDocument" folder, and the account of the family member group can have read-only access to the folder. The specific steps are as follows:

1. For example, log in as “Moon”, right click on the “MyDocument” folder and select the “Properties” command in the shortcut menu. Select the "Security" tab in the properties window that opens.

2. Click on the "Advanced" button and in the advanced security settings window that pops up, "Inherit the rights items that can be applied to child objects from the parent, including those explicitly defined here" checkbox The previous check mark is canceled. At this time, a security prompt will pop up on the screen. Select “Copy” (or “Delete”) to ^39020301g^7. Then click "OK" to return to the properties window.

3. Delete the "SYSTEM", "CREATOR OWNER", and "Users" groups in the "Users and Groups" list.

4. Then click the "Add" button, the "Select Users and Groups" dialog box will pop up, and add the "Home Member" group to the "Group or User Name" list as described above.

5. Next, set the permissions separately. In the "Group or User Name" list of the Properties window, first select the "Administrators" group, then check the "Full Control" line in the following permission list. Reject the checkbox and you will find that the other checkboxes in this column are also automatically marked with a checkmark of ^8. This way the members of the administrator group are denied access to the folder.

6. Select the "Home Member" group and make sure that the "Allow" check box for "Read and Run" is checked in the permission list. This way, members of the group (such as your sister and brother) can view and run the documents in that folder.

If you only set the permissions for reading the folder to the "Home Membe" group, and then set the write permission for a user, but in the end the user can only get permission to read the folder, this is because of the "security" attribute. Always take the strictest of all permissions.

Hint: In WinXP, if you want to set the security permissions on the folder, the disk drive where the folder is located must be the NTFS file system. If it is not such a file system, you must first perform the conversion operation. The method is: in the "Run" dialog box, type "Convert X: /fs: ntfs" (where X is the converted disk drive), click "OK".

In addition, if the "Security" tab is not found in the folder properties window, you only need to select the "Tools→Folder Options" command in the Explorer window, and select "View" in the pop-up window. Tab, then remove the checkmark from the "Use simple file sharing" checkbox in the "Advanced settings" list.

5. Set a security barrier in the public folder. If a folder (such as "Public") stores some public files, you can allow members of the Users group to read and write, but there are still folders in this folder. A "Secret" subfolder is used to store some important files, only members of the Users group are allowed to read. How to set up such a security barrier? The specific method is as follows:

1. First click the “Public” folder with the mouse, select the “Properties” command in the shortcut menu, and click the “Security” tab in the pop-up properties window.

2. Select the "Users" group in the "Group or User Name" list and set its permissions to allow "Full Control".

3. Then open the "Public" folder, select the "Properties" command in the "Secret" context menu, click the "Security" tab in the pop-up properties window, you will find "Users" "The group has the "Full Control" permission, and the permission is displayed in gray, indicating that the permission is passed from the superior folder "Public", click "Write" in "Reject", select the item, click " OK button, the system will give a "safe" warning window, the prompt "reject" priority is higher than "allow", click "yes".

This way, members of the "Users" group will be rejected when they write to the "Secret" folder. Rejecting a permission is like a barrier to block a command from a higher level (parent).