8.2 Users and Groups


The following table lists some of the default groups used on Windows systems.

- Administrators
- Power Users
- Users
- Guests

You can customize many aspects of how UAC works. Use the UAC settings in Control Panel to configure the sensitivity of UAC. UAC Security settings include:

- Always notify me
- Notify me only when applications try to make changes to my computer
- Notify me only when applications try to make changes to my computer (do not dim my desktop)
- Never notify me

What does Windows 11 do when you log in with an administrator account with elevated privileges?
- Notify you that you have administrative privileges.
- Assign you a unique administrator token.
- Assign you a user and an administrator token.
- Use your credentials to assign you administrative privileges.

- Assign you a user and an administrator token.

When a standard user logs on, a standard user token is created. But when an administrator logs on, two access tokens are created. Windows creates a standard user token, and then Windows also creates an administrator token. Providing login credentials does not immediately give you administrative credentials. Windows 11 creates a user and an administrative token based on the credentials. These tokens allow Windows to grant you elevated privileges. You receive no notification that you have administrative privileges when you log in with an administrator account.

The following table shows the types of user accounts that are available with Windows:

- Built-in administrator account: An account that has all rights and permissions on the computer. This account is hidden from normal view. It doesn't show up on the usual login screen.
- User account with administrative privileges: A user account that has been granted administrative privileges.
- Standard account: A basic user account. Standard users can browse the internet, run software, access files, and use printers.
- Guest account: An account with limited capabilities, usually restricted to logging on, viewing files, and running some programs. As a security measure, Windows XP and later automatically disable the Guest account to prevent unauthorized logon to the system.
- Microsoft account: A free account you can create to access Microsoft devices and services. To set up a Microsoft account, you must use a valid e-mail address. A Microsoft account:
  - Allows you to log in to a computer on which you haven't previously set up a local user account.
  - Allows you to download apps from the Windows Store.
  - Syncs settings across multiple computers.

You want to configure User Account Control so that you see the permission prompt only when programs try to make changes to your computer (not when you make changes). You do not want the desktop to be dimmed when the prompt is shown. What should you do?
- Disable the Secure Desktop.
- Disable UAC.
- Configure UAC to Always notify.
- Configure UAC to Never notify.

- Disable the Secure Desktop.

When you select the Notify me only when programs try to make changes to my computer (do not dim my desktop) option, the following happens:
- Notifications occur when programs make changes.
- Notifications do not occur when you make changes.
- The desktop is not dimmed, which means Secure Desktop is disabled.

The following table describes the sign-in options provided.

- Facial recognition (Windows Hello)
- Fingerprint recognition (Windows Hello)
- PIN (Windows Hello)
- Security key
- Password
- Picture password

Which of the following is true of groups on a Windows system?
- Group members have the access rights that are assigned to the group.
- A group allows multiple users to share a single logon.
- Users and local resources, such as printers and shared folders, can be made members of a group.
- Users can log on as the group and have all the assigned access rights.

- Group members have the access rights that are assigned to the group.

A Windows group is used to identify groups of user accounts that have similar access needs. Group members have the permissions and rights assigned to the group. Using groups simplifies administration. Instead of assigning permissions to each individual user account, you can assign permissions to the group and then make user accounts members of that group. Group accounts cannot be used for logon on a Windows system. Local hardware resources cannot be made members of a group on Windows.

A user calls to report a problem. She is trying to install an application on her new Windows 11 system, but the installation will not proceed. Her user account is a member of the Users group. What is MOST likely causing the installation issue?
- She is not a member of the Power Users group.
- She is not using an app from the Microsoft Store.
- The application is incompatible with Windows 11.
- Her group membership does not allow her to install new software.

- Her group membership does not allow her to install new software.

Members of the Users group are not allowed to make system-wide changes, such as installing new applications. Only users who are members of the Administrators group can install new applications. On modern versions of Windows, users who are members of Power Users are not allowed to install applications. In fact, the Power Users group is only included for backwards compatibility with older versions of Windows. Windows 11 can run traditional desktop applications as well as apps from the Microsoft Store.

Which of the following must be set up before you can register a facial or fingerprint scan for your account?
- Security key
- PIN
- Picture password
- Password

- PIN

Windows Hello requires you to set up a PIN before you can register a facial or fingerprint scan for your account.

Which Active Directory service simplifies how users log in to all the systems and applications that they need?
- Workgroup
- Domain
- PIN
- SSO

- SSO

Active Directory uses the single sign-on (SSO) process to simplify how users sign in to all the systems and applications that they need. When a user logs in, their credentials are authenticated with the authentication server. When the user visits a trusted resource, the authentication server vouches for the user, and the resource allows them access. Windows Hello uses a PIN as a backup for biometric authentication. A domain is an administratively defined collection of network resources that share a common directory database and security policies. A workgroup is Microsoft's implementation of peer-to-peer networking.

User account

A user account controls if and how a user can use a computer. The user account identifies a specific user.

Rights

On Windows systems, rights control the user's ability to perform actions on a computer (such as modifying system settings or installing hardware).

Always notify me (UAC option)

This is the most secure option. When selected, a UAC prompt pops up when programs try to install software, make changes to the computer, or make changes to Windows settings. The secure desktop is enabled for 150 seconds. No task can be performed until the user responds to the prompt. If nothing is selected in 150 seconds, UAC automatically denies the request.

Notify me only when applications try to make changes to my computer (do not dim my desktop) (UAC option)

This setting is the same as the Notify me only when applications try to make changes to my computer, except that the secure desktop is not enabled. This may be a little more convenient, but it is less secure.

Access token

UAC creates an access token for each user logging in. This access token controls what actions the user can perform on the system. Windows creates two types of tokens. When a standard user logs on, it creates a standard user token. When an administrator logs on, it creates a standard user token and an administrator token.

User Account Control (UAC)

User Account Control is a tool that alerts the user when a task or operation requires administrative privileges to be completed. Windows 11 lets you use UAC to automatically elevate privileges whenever necessary to complete an administrative-level task. You don't have to log off and log back on as an administrative user to complete the administrative task. Nor do you have to manually use the run option to perform tasks as an administrator. UAC takes care of all that for you.

Notify me only when applications try to make changes to my computer (UAC option)

When selected, a prompt pops up only when an application tries to make changes to the computer. The secure desktop is enabled, and you have 150 seconds to respond to the prompt. If there is no response, the request is denied.

Windows Hello

Windows Hello is a biometric logon system built into Windows 11. Windows Hello stores registered biometric scans, accepts scans for authentication, and determines whether a scan matches the stored scan.

Never notify me (UAC option)

With this setting, UAC prompting is disabled. If you are logged on as an administrator, all actions are executed without prompting you to confirm them. You will not see the secure desktop. If you are logged in as a standard user with this setting, every action that requires privilege elevation is automatically denied.

Which of the following Windows 11 options lets you associate your local user account with an online Microsoft account?
- Manage my accounts
- Users and Groups
- Family & other users
- Sign in with a Microsoft account instead

- Sign in with a Microsoft account instead

The Sign in with a Microsoft account instead option lets you associate your local user account with your online Microsoft account. The Manage my accounts option lets you manage your user accounts, but does not provide an option to associate your local user account with your online Microsoft account. You can use the Family & other users option to allocate a specific number of hours for screen time, enforce content filters, and receive activity reporting for specific family members. Users and Groups is a snap-in that is used in the Computer Management tool to manage user accounts.

You have recently purchased a third-party application and installed it on your workstation. However, after doing some maintenance work on the users and groups on your Windows system, the application begins to display error messages each time you try to run it. What is the MOST likely cause of the issue?
- You deleted a group that was created by the third-party application.
- You assigned the wrong permissions to your user account.
- You assigned the application user account to the Users group.
- You switched from a domain account login to a local login.

- You deleted a group that was created by the third-party application.

Many Windows features or third-party applications create additional groups in order to access rights and permissions. If you delete the group, the application probably won't launch or work properly. Assigning the wrong permissions to your user account would not impact the functioning of a third-party application. Switching from a domain to a local login would not impact the launching of an application. The application would not have a user account (although it might have a system account).

You have just installed Windows 11 on your laptop, purchased an infrared camera, and set up Windows Hello facial recognition as your login option. As part of the setup process, you enter a PIN as a backup login method. After a few weeks of using facial recognition login, your infrared camera fails, and you are asked to enter your PIN. Because it has been several weeks, you have forgotten the exact number. You attempt to enter your PIN at least 24 times, but are never locked out. What is the MOST likely reason that you have not been locked out after several failed PIN login attempts?
- Your laptop has a TPM chip, but you have failed to set up BitLocker for lockout.
- Your laptop does not have a TPM chip, and you have not set up BitLocker for lockout.
- You have failed to set up both your TPM chip and BitLocker for lockout.
- You have set up BitLocker for lockout, but you have also failed to set up your TPM chip.

- Your laptop does not have a TPM chip, and you have not set up BitLocker for lockout.

If you are using a computer with a TPM chip, it is automatically configured for a set number of failed PIN attempts (about 10) before lockout (you do not need to set this up). If your laptop does not have a TPM chip, you can set up BitLocker for lockout after several failed PIN attempts. In this scenario, the most likely reason that you are not locked out is that your laptop does not have a TPM chip, and you have not set up BitLocker for lockout after several failed attempts.

On a Windows system, users and groups are stored in one of three locations:

1) Local accounts are stored on each computer and control access to resources on that computer.
2) Domain accounts are stored in a central database called Active Directory. A domain controller is a special server that stores user accounts, groups, and the rights and permissions assigned to them.
3) Online accounts are stored online by Microsoft.

Administrators group

A group that has complete and unrestricted access to the computer, including every system right. The Administrator user account and any other account designated as a computer administrator are members of this group.

Guests group

A group that has limited rights. Members can shut down the system.

Power Users group

A group that modern versions of Windows no longer use. However, it still exists for backward compatibility. This group (originally used in Windows XP and earlier) provided limited administrative abilities. Avoid assigning users to the Power Users group unless an application or service specifically requires it.

Users group

A group whose members can use the computer but cannot perform system administration tasks and might not be able to run some legacy applications.
- Members cannot install printers if the driver isn't already installed on the system.
- Members cannot view or modify system files.
- Any user created with Local Users and Groups is automatically a member of this group.
- User accounts designated as standard or limited use accounts are members of this group.

You recently installed a Windows 11 system. During the installation process, you elected to sign in to the system with a local user account. After using the system for a time, you decide to begin using an online Microsoft account to authenticate to the system instead. Click the Settings app option you would use to do this.

Accounts

Single Sign-on (SSO)

Active Directory uses the single sign-on (SSO) process to simplify how users log into all the systems and applications that they will need. When a user logs in, the credentials are authenticated with the authentication server. When the user visits a trusted resource, the authentication server vouches for the user; the resource allows the user access. The user can continue to log into multiple network resources without having to re-authenticate or transmit the username and password across the network multiple times.

Admin Approval Mode

Admin Approval Mode is triggered if a standard user access token is not sufficient to perform a given task. The system (through UAC) requests privilege escalation, called Prompt for consent. This requires the user to click the Yes box to perform the action. After the task is performed, it returns to a standard user privilege level.

PIN (Windows Hello)

Allows a user to set up and sign in using a PIN. The user supplies a PIN. If the correct one is entered, then the user is authenticated. The PIN is not intended for day-to-day authentication. Instead, Windows Hello uses the PIN as a backup in the event facial or fingerprint recognition doesn't work. Because of this, Windows Hello requires the end-user to set up a PIN before registering a facial or fingerprint scan for the account.

Fingerprint recognition (Windows Hello)

Allows a user to set up and sign in using a fingerprint scanner. The user supplies a fingerprint sample. If the sample matches the sample stored by Windows Hello, the user is authenticated.

Facial recognition (Windows Hello)

Allows a user to set up and sign in using an infrared camera. This helps prevent unauthorized access by an attacker with a photo of an authorized user. The infrared webcam must be certified to work with Windows Hello. When using facial recognition:
- The user presents the face to the webcam.
- If the facial characteristics match the sample stored by Windows Hello, the user is authenticated to the system.
- The user's facial characteristics and heat patterns must match the stored sample.

Password

Allows a user to sign in using a password. This is also where the user can change the password if needed.

Security key

Allows a user to sign in using a physical key (usually a USB key).

Picture password

Allows a user to swipe and tap a photograph to unlock the device. The user chooses a picture and then selects a 3-step gesture used for sign-in.

Logon

Logon is the process of authenticating to the computer by supplying a user account name and the password associated with that user account.

Permissions

Permissions control access to files, folders, and printers. Permissions identify what the user can do with the associated object.

Prompting for Credentials

Prompting for Credentials happens if an administrator token does not exist for the user. The system knows that the user is only a standard user. Before the task can be performed, the user is prompted to enter an administrative password.

Secure desktop

Secure desktop makes the desktop of the system unavailable whenever a UAC prompt is triggered. This is done to ensure that malicious software is not able to alter the display of the UAC prompt or automatically provide consent to the prompt. This is the default behavior of UAC.

