You know that in Windows 2000 you only want the administrator account, or members of the administrator group, to create user accounts. What you may not realize, however, is that members of the power user group can create user accounts, too.
- Go to Control Panel
- Then open Administrative tools
- Launch the Computer management Application
- Open the Local users and Groups snap-in (In Win2k, you have to click on Groups)
- In the right-hand pane, double-click on Power users.
- Select NT AUTHORTYINTERACTIVE and click Remove.
This procedure will remove the Power Users group members' ability to create user accounts. But what about a user who has a notebook computer for both home and work? As long as the user has an account on the computer sharing the resource, a local account for the user can be created and applied to the local administrator group, so that the user can work at home and make necessary changes to the configuration in order to get into the home network. Since the user is now a member of the administrator's group, he should be educated on certain basic security issues such as locking the computer by pressing CTRL ALT DELETE keys when he leaves it alone. The password for this account should be changed every 30 days, and the account should lock out after three failed attempts.
Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association Of Internet Professionals, the Institute For Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.
This was first published in May 2002