Managing user access for XP in the small office

XP brings much stronger security based around multiple users with different access rights, and this can be confusing to those used to all users on a computer having access to everything

In combining the Windows 9X and 2000 product lines into XP, Microsoft has brought many aspects of enterprise computing to people who until now have been content with the one computer, one user way of working.

A prime area for confusion is administration. XP works to the time-tested multiuser model where one superuser -- called the administrator -- can install and maintain software, but all other users can only use it. Any attempts by a mere user to change the configuration of the software or write to directories other than that holding the users' data is stopped by the operating system. And a good thing too: done properly, this can prevent viruses and worms from infecting your computer, and stops users -- even you -- from deleting important files or inadvertently reconfiguring that which ought not to be reconfigured. Even admins don't use their computers as admins: if they're not setting things up, they use accounts with ordinary user privileges.

The default user on XP has administration privileges, but adding a new user is relatively straightforward. Pick User Accounts from the Control Panel: you'll see all accounts already on the computer. Choose Create a new account, type in the new user's name, and pick Limited as the type of account, then click Create Account.

Limited users will be able to run software that's been designed to work in XP. Most software was intended for earlier versions of Windows, and may expect its users to have write privileges to the directory in which it runs -- limited users don't have this. However, it is possible to give users -- or groups of users -- access to individual directories using Windows' Access Control Lists (ACLs). These are part of the NTFS filing system, introduced in Windows NT, and list which user or users can get access to a file. Normally, a file or folder's ACL is set to be the same as that of the folder in which it was created, but this can be changed on a case-by-case basis using the CACLS command.

Say the program you want to run is called Frogstar, and was installed in c:\program files\frogstar. Click on Start, pick Run... and type CMD. This starts up a command window. CD C:\program files to change to the directory above the application's directory -- a limitation of the CACLS utility is that it can't operate on the directory from which it's run. Type CACLS frogstar, and you'll see the access control list for the application's directory -- XP defaults to read-only for the USERS group.

To change this, do CACLS frogstar /E /T /G USERS:F. This means /E -- edit the ACL list, rather than create a new one; /T -- work on the pathname, including all folders; /G USERS:F -- grant everybody in the USERS group Full privileges. Once this has been run, all named users on the computer will have much the same access privileges to everything in the frogstar directory as does the administrator.

You can be more subtle. You can replace USERS in the command above with the name of a particular account, and that will limit the access accordingly. You can also replace the :F with :C, giving Change privilege instead of Full -- for most applications, this will work just as well and it stops the users from having the option of further changing the ACL of the directory. It is possible, for example, to specifically bar the administrator from accessing a directory: if the user who did this subsequently forgets their password, the account will have to be recreated.

You can also use CACLS to prevent named users or groups from having access to parts of the filing system. CACLS privatefiles /E /R fred revokes any rights user fred has over the privatefiles directory; you can also use the /P fred:N to replace fred's existing rights with None, or /D fred to Deny them access altogether. All of these options are functionally equivalent, although they have different effects on the access control list itself.

If you're running XP on a machine that's been upgraded from a previous version of Windows and you didn't convert the filing system from FAT or FAT32 to the newer NTFS, then CACLS won't work. You can easily move over to the new filing system by using the CONVERT command from a command line. It's a one-way process, though, so if you're running old software that doesn't like NTFS (unlikely, unless it's a very old DOS-based program) you shouldn't do it. The only quirk of the CONVERT command is that it won't convert the disk from which it's run, so you'll have to change to the D drive before converting the C drive. Type HELP CONVERT from the command line to find out more.

It's a shame that Microsoft has chosen to introduce the much-enhanced file-based security of Windows NT/2000 in XP without including more by way of explanation of how it works, or at least an easy-to-understand graphical user interface instead of the command line utility. However, taking the time to understand what is at heart a simple and useful idea will substantially improve the reliability and security of your system.


Have your say instantly in the Tech Update forum.

Find out what's where in the new Tech Update with our Guided Tour.

Let the editors know what you think in the Mailroom.