Create a New User Account Directly on the WHS
If you are going to install third-party applications such as uTorrent, eMule, ORB etc. on your Windows Home Server, it is best for security reasons to do so under a new user account. Below I shall explain step by step how to accomplish this.
Using Remote Desktop Connection (Start, Accessories), connect to your WHS as the Administrator. Once in, click Start, All Programs, Administrative Tools, then Computer Management.
In the left pane expand Local Users and Groups and highlight Users.
From the toolbar select Action then New User…
Fill in the details in the New User dialog, making certain to untick the first checkbox and tick only the second and third checkboxes. NOTE: Once you untick “User must change password at next login”, the two items below it will no longer be greyed out.
Take a note of your User name and Password and then click the Create button.
Close the New User dialog.
Right-click the newly created user “WHS” and select Properties.
Select the Member Of tab and click the Add… button.
In the Enter the object names to select box type Administrators into the available text area.
Click “Check Names” to make sure that you have typed it in correctly.
This is the image displayed when “Administrators” is typed in correctly.
This is the image displayed when “Administrator” is typed in incorrectly. Notice that the ending “s” is missing.
Now click the OK button and then click the OK button in the WHS Properties dialog.
Close the Computer Management window.
Hit Start, Shut Down and then Restart your Windows Home Server.
You can now log in and use this “WHS” account when installing third-party software instead of using the administrative account, hopefully protecting your server a bit more in the process. If that software happens to be a Torrent or P2P application, DO NOT forget to install antivirus software directly onto the Windows Home Server as well!
I don’t think “for security reasons” is a good argument for creating a new user account as described above.
Adding the new user account to the “Administrators group” provides the user with just as much privilege (attack surface) as using the Administrator account.
Hi Chris,
Yes, I think you are right. What reasons would you say are good arguments for creating a new user account?
Nice…
Nice
Hi there,
Creating a new user account is useful for the following reasons.
First and foremost you have a profile that has a very lightweight registry entry. That is, if you don’t keep messing about with the account. The idea is that with a service account all you do is to run services, so your Application Data should be very light and so would be this account registry.
I do think, however, that it is unnecessary to create one account for each service in the case of WHS.
Another thing is that this account could have different security policies. For example you could enforce a more severe lockdown for this account, or prevent users from using terminal services with it, etc.
Hi Pedro,
Thanks for your comments.
Chris is right, creating a new user with Admin rights doesn’t do anything for security, as any rogue process will still be able to access and delete files at will.
HOWEVER, giving the user account admin rights to install the program and making sure the program writes files to a place where any normal user can write to, and then taking away admin rights from the user… now that should work out just fine… If the process starts acting up, it will be acting up as a regular user, not as admin.
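The account setup from the article and the install-then-demote approach described in the comment above, as one batch script run from a command prompt on the server. This is an added example, not part of the original post or its comments; the account name WHS comes from the article, while the script name, its create/demote/show verbs and the availability of wmic on the server are assumptions.

```batch
@echo off
rem whsacct.cmd (hypothetical name) - added example, not from the original page.
rem Usage: whsacct create ^| demote ^| show
setlocal
set "ACCT=WHS"

if /i "%~1"=="create" goto create
if /i "%~1"=="demote" goto demote
if /i "%~1"=="show"   goto show
echo Usage: %~n0 create ^| demote ^| show
exit /b 2

:create
rem "*" makes net prompt for the password, so it is never stored in the script.
rem /passwordchg:no corresponds to "User cannot change password".
net user "%ACCT%" * /add /passwordchg:no || exit /b 1
rem "Password never expires" has no net user switch; set it through WMI
rem (assumes wmic is present on the server).
wmic useraccount where "Name='%ACCT%' and LocalAccount=TRUE" set PasswordExpires=FALSE
rem Administrators membership is only needed while software is being installed.
net localgroup Administrators "%ACCT%" /add || exit /b 1
goto show

:demote
rem Run after installation so the software runs as a regular user from then on.
net localgroup Administrators "%ACCT%" /delete || exit /b 1
goto show

:show
rem Match the account name as a whole line of the group listing.
net localgroup Administrators | findstr /i /r /c:"^%ACCT% *$" >nul
if errorlevel 1 (
    echo %ACCT% is NOT a member of Administrators.
) else (
    echo %ACCT% IS a member of Administrators: anything it runs has full control.
)
exit /b 0
```

Run `whsacct create` before installing, `whsacct demote` afterwards, and `whsacct show` at any time to confirm which state the account is in.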
Hmm… I followed the instructions on creating the WHS user, but when I restarted the server (Acer Easystore) and tried to log in as that user, I am still seeing the “To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop User group does not have this right, you must be granted this right manually”. I actually see a number of users that I have created using the console under the Remote Desktop Users group, but I can’t Remote Desktop to my server with any other account other than “administrator”. What to do now?
@Brendan
I had the same issue. I think it’s set this way on purpose, and that the Remote Desktop User group is used to determine features when connecting to the WHS home web site. Plus, a domain controller is normally restricted to RD access only by Administrators. But it may have been an Acer configuration oversight, so if you want to grant all members of the RD group access:
1. Remote Desktop into WHS as Administrator.
2. Start > Run > gpedit.msc. This opens Group Policy Editor.
3. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
4. Open Allow log on through Terminal Services.
5. Click Add User or Group.
6. Click Object Types and ensure Groups is checked. Then enter Remote Desktop Users as the object name and click Check Names. The name should be found.
7. Click OK until exited.
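A way to confirm the result of the steps above from the command line, as an added example that is not part of the original comment: it exports the user-rights assignments with secedit and checks whether the Remote Desktop Users group (well-known SID S-1-5-32-555) holds SeRemoteInteractiveLogonRight, the internal name of "Allow log on through Terminal Services". The temporary file name is an assumption, as is the export listing built-in groups by SID.

```batch
@echo off
rem Added example, not from the original page.
setlocal
set "CFG=%TEMP%\whs_user_rights.inf"
set "RIGHT=SeRemoteInteractiveLogonRight"

rem Export only the user-rights section of the current local security policy.
secedit /export /cfg "%CFG%" /areas USER_RIGHTS >nul || (echo secedit export failed & exit /b 1)

rem secedit writes a Unicode file; "type" converts it so findstr can read it.
echo Current holders of %RIGHT%:
type "%CFG%" | findstr /b /i "%RIGHT%"

rem Assumption: built-in groups appear in the export as SIDs (*S-1-5-32-555).
type "%CFG%" | findstr /b /i "%RIGHT%" | findstr /c:"S-1-5-32-555" >nul
if errorlevel 1 (
    echo Remote Desktop Users does not hold the right.
) else (
    echo Remote Desktop Users holds the right; review that group's membership.
)
del "%CFG%"
```

Once the group holds the right, every account in Remote Desktop Users can open a desktop session on the server, so `net localgroup "Remote Desktop Users"` is worth checking as well.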
Charles,
You are so right on the money with that, it’s not funny!!
Thanks!
Jim (JR)
Thnx Charles, this was exactly what I was looking for.