Administrator and User Mode Accounts
There are four different types of user accounts that might exist on a Microsoft Surface unit:
The built-in administrator account ("Administrator"). By default, this account is disabled, and you should not use it.
Accounts that are members of the local Administrators group. When a member of this group logs on, the system automatically switches to administrator mode. Make sure that all administrators and developers who will be working with the Microsoft Surface unit are members of this group.
The Microsoft Surface user mode account. This account is associated with user mode and is used by the Enter User Mode shortcut to log on in user mode. By default, TableUser is the Microsoft Surface user mode account, but you can change this default by using the SurfUser tool. You can assign any non-administrator account as the Microsoft Surface user mode account.
Other accounts. This group includes all accounts that are not members of the Administrators account and not Microsoft Surface mode user accounts. Although you can create such accounts, be aware that the Microsoft Surface software does not support interactive logon by using these accounts. If you try to log on by using an account that is not a member of the Administrators group and not a Microsoft Surface user mode account, you will see a warning message and then you will be logged off.
The rest of this topic includes:
You can log on to a Microsoft Surface unit as an administrator by using the administrator account that you created when you first logged on to the Microsoft Surface unit or by using an account that is a member of the Administrators account.
|You should not use the built-in "Administrator" account (which is disabled by default on all Microsoft Surface units) because is it less secure than the administrator account that you created when you first logged on the Microsoft Surface unit.|
User Mode Account
Every Microsoft Surface unit includes a preconfigured user account, with the assigned user name "TableUser" and a unique, auto-generated, cryptographically strong password. The Microsoft Surface software uses this user mode account to automatically log on to user mode. You can use the preconfigured TableUser account without any changes.
|You must not change the TableUser account name or delete this account, even if you do not use this account.|
You can also use an existing user account (local or domain-based) as the user mode account instead of using the TableUser account. The user mode account must not be a member of the Administrators group on the Microsoft Surface unit. You can use the Windows Vista tools, such as User Accounts or the Active Directory Users and Computers snap-in, to create or modify local or domain-based user accounts that you want to use as user mode accounts. However, you must also run the SurfUser tool that is included with all Microsoft Surface units to designate a user account as the current user mode account and to assign that account's password to the registry. Specifically, the SurfUser assign command enables you to designate a different user mode account.
|By default, the preconfigured user account (TableUser) is designated as the current user mode account. You can change the TableUser account password, but you must not change the TableUser account user name or delete the TableUser account, even if you do not use this account.|
To change a user mode account password (including the password for TableUser), you can use the Windows User Accounts tool or the Net User command (in an elevated Command Prompt window). However, after you change the password, you must use the SurfUser tool to update the password in the registry.
The SurfUser tool assigns or updates the user mode account and its password and then assigns that password to the registry so that the auto logon process can run without error.
You might need to use the SurfUser tool in the following situations:
Your company's security policies require that you change default passwords or to change all passwords periodically.
You want to log on to the Microsoft Surface unit by using the TableUser account to troubleshoot an application and you need to know the password.
You want to run the Microsoft Surface unit in user mode by using a domain account (for example, to enable a Microsoft Surface application to access protected network resources).
You have created a Microsoft Surface unit image and deployed that image to one or multiple units on a network. (If you create an image by using the Windows System Preparation Tool [sysprep], the user password cannot be decrypted, so you must create a new password.)
For more information about how to use SurfUser, see SurfUser Tool.
Did you find this information useful? Please send us your suggestions and comments.
© 2009 Microsoft Corporation. All rights reserved.