How to manage Windows 7 user accounts and groups

Whether your customers operate in a workgroup or a domain/Active Directory environment, user account setup and group memberships control their rights, permissions and roles.

There are three types of basic Windows 7 user accounts for solutions providers to work with: one for local administrators and their equivalents; one for standard, everyday users; and another for a guest account -- which is turned off by default in Windows 7. All of these account types are shown in Figure 1, along with an administrator account.

To access the Windows 7 User Accounts item in the Control Panel, type user into the Start menu search box, then click User Accounts in the resulting menu selections that appear.

With administrator accounts, solutions providers can install software, make configuration changes, add or delete files in most directories, and so forth. Standard users can manage their own files inside the %SystemDrive%\Users\ directory tree, but they can only make limited changes to their machines. Guests can look at system files, but only in certain directories, and they can't do much to the Windows machines they have access to.

Having User Account Control is vital for creating user IDs and associating passwords and images to accounts. But when it comes to managing user rights and permissions, the real action lies elsewhere in Windows 7.

Figure 1. There are three types of basic Windows 7 user accounts.

The best Windows 7 user account control comes via group management

Ask any experienced Windows solutions provider and he or she will tell you that the best way to manage rights and permissions -- the controls that establish which applications or services a customer can run and which files or other system resources he can access -- is by establishing groups related to specific kinds of roles or activities.

A quick look at Windows 7's default group names and descriptions -- Figure 2 -- helps illustrate this principle, while also listing the roles and activities that Microsoft finds most useful on Windows 7 systems.

Figure 2. Windows 7 default group names and descriptions in the Local Users and Groups management console

Notice the kinds of groups that appear by default, which include backup operators, who can back up or restore systems; event log readers, who can access and view event log contents to seek out and diagnose system issues; network configuration operators, who can manage network configuration items and elements; remote desktop users, who are allowed to log in from across the network or the internet; and so on.

The idea is to break various types of functionality into distinct areas or roles, each of which is associated with a group, and then to use group membership to grant access to that functionality. For example, a system with Photoshop installed might have a Photoshop users group, and only those who belong to the group can run Photoshop on a specific computer.

To access this capability, solutions providers must be logged in using the Administrator account or another account with administrator privileges, like the Ed account in Figure 1. Then, you can simply type lusrmgr.msc in the Start menu search box to open the Local Users and Groups management console plugin depicted in Figure 2. The word Local is important because the control applies only to one Windows machine at a time.
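The Photoshop users group described above can also be set up from an elevated PowerShell prompt rather than through lusrmgr.msc. The script below is an added example, not part of the original article; the user name alice and the install path are assumptions, and it uses only net localgroup, icacls and the WinNT ADSI provider, all of which ship with Windows 7.

```powershell
# Added example. Run from an elevated PowerShell prompt on the target machine.
# Assumed values (not from the article): the user name and the install path.
$Group  = 'Photoshop Users'
$User   = 'alice'                               # existing standard account (assumed)
$AppDir = 'C:\Program Files\Adobe\Photoshop'    # placeholder install path (assumed)
$Local  = "WinNT://$env:COMPUTERNAME"

if (-not (Test-Path -LiteralPath $AppDir -PathType Container)) {
    throw "Install directory not found: $AppDir"
}

# 1. Create the role group unless it already exists.
if (-not [ADSI]::Exists("$Local/$Group,group")) {
    net localgroup $Group /add
}

# 2. Add the user only if not already a member (net.exe errors on duplicates).
$members = @(([ADSI]"$Local/$Group,group").psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -notcontains $User) {
    net localgroup $Group $User /add
}

# 3. Tie the folder's permissions to the group:
#    - copy the inherited ACEs to explicit ones and stop inheriting,
#    - remove the grant for BUILTIN\Users (well-known SID S-1-5-32-545),
#    - grant the role group read and execute on the folder and everything below it.
#    Administrators and SYSTEM keep the entries they already had.
icacls $AppDir /inheritance:d
icacls $AppDir /remove:g '*S-1-5-32-545'
icacls $AppDir /grant "${Group}:(OI)(CI)RX"

# 4. Show the resulting membership and ACL for review.
net localgroup $Group
icacls $AppDir
```

As with the console itself, this affects only the local machine, and the permission change covers only that one directory.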

For network users, Active Directory and Group Policy hold the keys to the kingdom

The principles of managing Windows 7 user accounts are slightly different on Windows server networks, where Active Directory (AD) servers typically house user account and group information and definitions, as well as the policies that go with them. Though you can manage groups, accounts and Group Policies locally from individual Windows machines on production networks, the process is too time-consuming to be worth the effort.

Most solutions providers use the Microsoft Management Console -- mmc.exe -- with plugins to support users, groups and Group Policy management. You can use the AD Users and Computers tool to set up AD users and groups, and you can use a Group Policy management tool -- the Group Policy Management Console, or gpmc.msc -- to set up and manage group policy settings. Group policy settings can be used to control desktop appearance, application access, file system rights and permissions, and lots more.
