Are you curious how Windows 7 works within workgroups, homegroups, and domains? In this excerpt from William R. Stanek's Windows® 7 Administrator's Pocket Consultant, you'll learn about account control, fast user switching, and password management.
Computers running Windows 7 can be members of a homegroup, a workgroup, or a domain. A homegroup is a loose association of computers on a home network. Computers in a homegroup share data that can be accessed using a password common to the users in the homegroup. You set the homegroup password when you set up the homegroup and can modify the password as necessary at any time.
A workgroup is a loose association of computers in which each computer is managed separately. A domain is a collection of computers that you can manage collectively by means of domain controllers, which are servers running Windows that manage access to the network, to the directory database, and to shared resources.
Homegroups are available only when a computer running Windows 7 is connected to a home network. Workgroups and domains are available only when a computer running Windows 7 is connected to a work network. You'll learn how to manage networking and network connections in Chapter 15, Configuring and Troubleshooting TCP/IP Networking. To change the network location type for the network to which a computer currently is connected, follow these steps:
Click the Network icon in the notification area, and then click the Open Network And Sharing Center link. If the Network icon is not displayed, click Start and then click Control Panel. In Control Panel, click Network And Internet, and then click Network And Sharing Center.
Under View Your Active Networks, click Work Network, Home Network, or Public Network.
In the Set Network Location dialog box, select Work Network, Home Network, or Public Network, as appropriate, and then click Close.
Some aspects of Windows 7 vary depending on whether a computer is a member of a homegroup, workgroup, or domain.
The sections that follow discuss these differences as they pertain to User Account Control, logon, fast user switching, and password management.
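The membership and network location described above can also be read from a script. The following is an added example, not part of the book excerpt; it uses the Win32_ComputerSystem WMI class and the Network List Manager COM object, and the variable names are the example's own. It does not detect homegroup membership.

```powershell
# Added example, not from the book. Written for the PowerShell 2.0 that ships with Windows 7.

# Domain or workgroup membership. When the computer is not joined to a domain,
# Win32_ComputerSystem.Domain holds the workgroup name instead.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) { $kind = 'Domain' } else { $kind = 'Workgroup' }
"{0}: {1}" -f $kind, $cs.Domain

# Network location of each connected network, read through the Network List
# Manager COM object. Home Network and Work Network are both reported as
# category 1 (Private); category 2 means a domain-authenticated network.
$categoryName = @{ 0 = 'Public'; 1 = 'Private (Home or Work)'; 2 = 'Domain' }
$clsid = [Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'   # NetworkListManager
$nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($clsid))

foreach ($net in $nlm.GetNetworks(1)) {        # 1 = connected networks only
    $category = [int]$net.GetCategory()
    New-Object PSObject -Property @{
        Network  = $net.GetName()
        Category = $category
        Location = $categoryName[$category]
    } | Select-Object Network, Category, Location
}
```

A connection that reports Public on a computer that is expected to be on a work network is worth checking, because workgroups and domains are available only on a work network.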
In a homegroup or workgroup, a computer running Windows 7 has only local machine accounts. In a domain, a computer running Windows 7 has both local machine accounts and domain accounts. Windows 7 has two primary types of local user accounts:
Windows 7 includes User Account Control as a way to enhance computer security by ensuring true separation of standard user and administrator user accounts. Because of the User Account Control feature in Windows 7, all applications run using either standard user or administrator user privileges. Whether you log on as a standard user or as an administrator user, you see a security prompt by default whenever you run an application that requires administrator privileges. The way the security prompt works depends on Group Policy settings (as discussed in the section called “Optimizing User Account Control and Admin Approval Mode” in Chapter 5, Managing User Access and Security) and whether you are logged on with a standard user account or an administrator user account.
When you are logged on using a standard user account, you are asked to provide a password for an administrator account, as shown in Figure 1.3. In a homegroup or workgroup, each local computer administrator account is listed by name. To proceed, you must click an account, type the account's password, and then click Submit.
In a domain, the User Account Control dialog box does not list any administrator accounts, so you must know the user name and password of an administrator account in the default (log on) domain or a trusted domain to continue. When Windows prompts you, type the account name, type the account's password, and then click OK. If the account is in the default domain, you don't have to specify the domain name. If the account is in another domain, you must specify the domain and the account name by using the format domain\username, such as cpandl\williams.
When you are logged on using an administrator user account, you are asked to confirm that you want to continue, as shown in Figure 1.4. You can click Yes to allow the task to be performed or click No to stop the task from being performed. Clicking Show Details shows the full path to the program being executed.
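The prompt behavior described above is controlled by policy values stored in the registry. The following is an added example, not part of the book excerpt, that reads those values and flags the ones that weaken the prompt; the variable names and the choice of which values to flag are the example's own.

```powershell
# Added example, not from the book: report how the UAC prompt is configured.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$meaning = @{
    EnableLUA = @{
        0 = 'UAC disabled'
        1 = 'UAC enabled'
    }
    ConsentPromptBehaviorAdmin = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    ConsentPromptBehaviorUser = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    PromptOnSecureDesktop = @{
        0 = 'Prompt shown on the interactive desktop'
        1 = 'Prompt shown on the secure desktop'
    }
}
# Values the example treats as worth reviewing (assumption of this example).
$weak = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }

$policy = Get-ItemProperty -Path $key
$names = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
         'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop'
foreach ($name in $names) {
    $raw = $policy.$name
    $review = $false
    if ($raw -eq $null) {
        # A missing value must not be read as 0, which would misreport it.
        $text = 'not set in the registry'
    } else {
        $text = $meaning[$name][[int]$raw]
        if (-not $text) { $text = 'unrecognized value' }
        $review = $weak.ContainsKey($name) -and ([int]$raw -eq $weak[$name])
    }
    New-Object PSObject -Property @{
        Setting = $name; Value = $raw; Meaning = $text; Review = $review
    } | Select-Object Setting, Value, Meaning, Review
}
```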
An important related change has to do with elevation of privileges. Elevation allows a standard user application to run with administrator privileges. You can run applications with elevated privileges by following these steps:
Right-click the application's shortcut on the menu or on the desktop, and then click Run As Administrator.
When you see the User Account Control prompt, proceed as you normally would to allow the application to run with administrator privileges.
In a workgroup, Windows 7 displays a Log On screen at startup. All standard user and administrator accounts that you've created on the computer are listed on the Log On screen. To log on, click the account name you want to use. If the account is password protected, you must click the account name, type the account password, and then click the arrow button.
In a domain, Windows 7 displays a blank startup screen after initializing the operating system. You must press Ctrl+Alt+Del to display the Log On screen. By default, the last account to log on to the computer is listed in computer\username or domain\username format. To log on to this account, you type the account password and then click the arrow button. To log on to a different account, click the Switch User button, press Ctrl+Alt+Del, and then click Other User. The logon information you must provide depends on what type of account you are using.
If the account is in the default domain, type the user name and password and then click the arrow button.
If the account is in another domain, you must specify the domain and the account name by using the format domain\username, such as cpandl\williams.
If you want to log on to the local machine, type .\username, where username is the name of the local account, such as .\williams.
Windows 7 supports fast user switching in domain, homegroup, and workgroup configurations. When a user is logged on to a computer running Windows 7, you can use fast user switching to allow another user to log on without requiring the current user to log off.
To switch users, press Ctrl+Alt+Del, and then click the Switch User button. In a workgroup, the Log On screen is displayed as at startup. In a domain, a screen appears with the message "Press Ctrl+Alt+Del To Log On," and you must press Ctrl+Alt+Del again to display the Log On screen.
Unlike Windows XP and earlier versions of Windows, Windows 7 provides fast and easy ways to manage user account passwords. You can easily perform the following tasks:
Change the current user's password
Change the password for another domain or local computer account
Create a password reset disk
Reset a user's password
These tasks are discussed in the sections that follow.
You can change the current user's password by completing the following steps:
Press Ctrl+Alt+Del, and then click the Change A Password option.
Type the current password for the account in the Old Password text box.
Type and confirm the new password for the account in the New Password and the Confirm Password text boxes.
Click the arrow button to confirm the change.
You can change the password for a domain or a local account other than the current user's account by completing these steps:
Press Ctrl+Alt+Del, and then click the Change A Password option.
Click in the User Name text box, and then type the name of the account.
Type the current password for the account in the Old Password text box.
Type and confirm the new password for the account in the New Password and the Confirm Password text boxes.
Click the arrow button to confirm the change.
Passwords for domain users and local users are managed in different ways. In domains, passwords for domain user accounts are managed by administrators. Administrators can reset forgotten passwords using the Active Directory Users And Computers console.
In homegroups and workgroups, passwords for local machine accounts can be stored in a secure, encrypted file on a password reset disk, which can be either a floppy disk or a USB flash device. You can create a password reset disk for the current user by completing these steps:
Press Ctrl+Alt+Del, and then click the Change A Password option.
Click Create A Password Reset Disk to start the Forgotten Password wizard.
In the Forgotten Password wizard, read the introductory message and then click Next.
You can use a floppy disk or a USB flash device as your password key disk. To use a floppy disk, insert a blank, formatted disk into drive A, and then select Floppy Disk Drive (A:) in the drive list. To use a USB flash device, select the device you want to use in the drive list. Click Next.
Type the current password for the logged on user in the text box provided, and then click Next.
After the wizard creates the password reset disk, click Next, remove the disk, and then click Finish.
Be sure to store the password reset disk in a secure location because anyone with access to the disk can use it to gain access to the user's data. If a user is unable to log on because he or she has forgotten the password, you can use the password reset disk to create a new password and log on to the account using this password.
Note
REAL WORLD You can use BitLocker To Go to protect and encrypt USB flash devices and other removable media drives. When a user is logged on, protected media can be unlocked using a password or a smart card with a smart card PIN. However, when a user isn't logged on, the protected drive cannot be accessed. Because of this, you shouldn't protect password reset disks with BitLocker To Go. For more information, see Chapter 11, Using TPM and BitLocker Drive Encryption.
You can reset a password by following these steps:
On the Log On screen, click the arrow button without entering a password, and then click OK. The Reset Password option should be displayed. If the user has already entered the wrong password, the Reset Password option might already be displayed.
Insert the disk or USB flash device containing the password recovery file, and then click Reset Password to start the Reset Password wizard.
In the Reset Password wizard, read the introductory message and then click Next.
Select the device you want to use in the drive list, and then click Next.
On the Reset The User Account Password page, type and confirm a new password for the user.
Type a password hint, and then click Next. Click Finish.