NT Accounts

The accounts (users, groups, and computers) in a domain may be in various physical locations and may be connected in any number of ways

TAGS: Computers, Domains, Microsoft, TECH

Security Database Accounts

Here are the types of accounts kept in the security databases:

  • User accounts. A user account holds everything the system knows about a particular user: user name, password, rights, permissions, and group memberships.
    • Global user. Most user accounts are global user accounts in the domain's security database. A global user account is enough to access the domain and any domain that trusts it. The icon is a head.
    • Local user. Only DCs (Domain Controllers) can create these. They cover the special case of a user who comes from a workgroup or from a domain that is not trusted. By default local users are added to the global Domain Users group. The icon is a head on a computer.
  • Group accounts
    • Local group, aka resource group. A local group can contain individual user accounts and global groups, either from the domain that created the group or from a trusted domain; it cannot contain other local groups. A local group is used to grant its members access to resources on the machine or domain that holds the group. The icon is two heads on a computer.
    • Global group, aka account group. Only DCs can create these, and only when User Manager is not running with the Low Speed Connection option; non-DCs that keep their own security database can still add global groups to their local groups. A global group can contain only user accounts from the domain that created it. A global group is used to carry a set of users into other, trusting domains, where it is placed in local groups. The icon is two heads on a globe.
  • Object accounts
    • Machine. Aka computer, computer user, or workstation accounts.
    • Domain controller. Aka domain accounts.
    • Trusted domain. Used in setting up trust relationships between domains.

Here are the naming rules for account names:

  • Account names must be unique within the domain. Names are not case sensitive, so "JSmith" and "jsmith" are the same name.
  • Account names are limited to 20 characters, upper or lower case; local group names may be up to 256 characters.
  • Account names cannot consist entirely of periods and spaces.
  • Account names cannot contain any of the following characters:
    " / \ [ ] : ; | = , + * ? < >

A SID (Security ID) is a variable-length structure that uniquely identifies an account (user, group, or computer). A SID is issued once and never reused: if an account is deleted and re-created under the same name it gets a new SID, so ACEs that referred to the old account no longer match it and show up as an unresolvable SID in the permissions dialog. Domain account SIDs have the form S-1-5-21-<domain>-<RID>, where the RID (Relative ID) of the built-in accounts is fixed (500 for Administrator, 501 for Guest, 512 for Domain Admins, 513 for Domain Users, 514 for Domain Guests) and new accounts are numbered from 1000 upward.
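As an added example (Python, not code from the original page), the block below encodes and decodes the binary SID layout and splits a domain account SID into its domain part and RID. The domain SID and the RIDs 1105 and 1201 in the samples are constructed; the well-known RIDs in the table are the fixed values NT assigns.

```python
import struct

# Well-known RIDs assigned by NT. They never change, which is why renaming
# the Administrator account does not hide it: it still ends in -500.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Constructed sample (the domain part is made up).
ADMIN_SID = "S-1-5-21-1004336348-1177238915-682003330-500"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout:
    revision (1) | sub-authority count (1) | identifier authority (6, big-endian)
    | sub-authorities (4 bytes each, little-endian)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Decode the binary layout back to string form, checking the length
    against the sub-authority count so a truncated SID is rejected."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", data, 0)
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_domain_rid(sid: str):
    """For a domain account SID (S-1-5-21-a-b-c-RID) return (domain SID, RID).
    Well-known SIDs such as Everyone (S-1-1-0) have no domain part and are rejected."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not an NT domain account SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def describe(sid: str) -> str:
    """Name the account a domain SID refers to, by its RID alone."""
    domain, rid = split_domain_rid(sid)
    name = WELL_KNOWN_RIDS.get(rid, "ordinary account (RID >= 1000)")
    return f"{name} in domain {domain}"


if __name__ == "__main__":
    print(sid_to_bytes(ADMIN_SID).hex())
    print(describe(ADMIN_SID))
```

The length check in bytes_to_sid matters when SIDs are read out of a self-relative security descriptor or a network buffer: the sub-authority count byte is the only thing that says where the SID ends.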

An ACE (Access Control Entry) is composed of the following:

  • The SID that the ACE pertains to (a user, a group, or a special group such as Everyone).
  • The permissions affected, expressed as an access mask.
  • Whether those permissions are granted (an access-allowed ACE) or denied (an access-denied ACE).

An ACL (Access Control List) is a list of ACEs which may be in one of three states:

  • Empty. No ACEs, so no user has access, with one exception: the owner of the object can still read and change its permissions, so an empty ACL locks everyone out without making the object unrecoverable. This is the ACL's initial state.
  • NULL. No ACL at all, so every user has full access. The ACL must be explicitly set to this state. A NULL DACL on a shared resource is a common misconfiguration, because it is the opposite of "no permissions set".
  • One or more ACEs. Specifies which users have what access. The ACL must be explicitly set to this state. ACEs are evaluated in list order, which is why access-denied ACEs are placed first: an allow ACE that precedes a deny can satisfy the request before the deny is ever seen.

Each resource has an SD (Security Descriptor) which consists of the following:

  • 2 SIDs:
    • Owner SID. Identifies the current owner of the object. The owner can always change the object's permissions, and members of Administrators can take ownership.
    • Primary Group SID. Identifies the primary group of the object. NT itself makes little use of it; it exists mainly for the POSIX subsystem and Services for Macintosh.
  • 2 ACLs:
    • SACL (System ACL). Holds the auditing entries: which users' successful or failed accesses to the object are written to the security log. Reading or changing the SACL requires the "Manage auditing and security log" right, which is why only administrators normally see it.
    • DACL (User or Discretionary ACL). Holds the access-allowed and access-denied ACEs that decide who may use the object. The owner, or anyone granted permission to change permissions on the object, can modify the DACL.

When Joe User logs on to the domain, his user name and password are authenticated against the security database of a DC. If they check out, the LSA (Local Security Authority) silently builds him an access token (the SAT, Security Access Token) holding the SID of his user account, the SIDs of every group he belongs to, and the implicit special groups such as Everyone and Interactive or Network. Whenever he then opens a resource, the system compares the SIDs in his token against the ACEs in the resource's DACL, in list order, and grants the request only if every permission he asked for is explicitly allowed before any matching deny ACE is reached. Because the token is built at logon, a change to his group memberships takes effect only after he logs off and on again.
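The access check just described, as an added example in Python (not code from the original page): a token is a set of SIDs, a security descriptor carries an owner and a DACL that may be NULL, empty, or a list of ACEs, and the check walks the ACEs in order. It also covers the three ACL states from the list above and the ordering pitfall of a deny ACE placed after an allow. The domain SID, the RIDs 1105 and 1201, and the READ and WRITE bits are constructed for the sample; DELETE, READ_CONTROL and WRITE_DAC are the real standard-rights values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# READ and WRITE stand in for object-specific rights (hypothetical values);
# the remaining three are the standard rights from winnt.h.
READ = 0x0001
WRITE = 0x0002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

EVERYONE = "S-1-1-0"

# Constructed domain and account SIDs for the samples (not real).
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ADMIN = DOMAIN + "-500"
GUEST = DOMAIN + "-501"
DOMAIN_USERS = DOMAIN + "-513"
DOMAIN_GUESTS = DOMAIN + "-514"
JOE = DOMAIN + "-1105"
ENGINEERING = DOMAIN + "-1201"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL, [] an empty one


@dataclass
class Token:
    user: str
    groups: List[str] = field(default_factory=list)

    def sids(self) -> set:
        # Everyone is added implicitly, as the LSA does when it builds the token.
        return {self.user, *self.groups, EVERYONE}


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """NT-style access check.
    NULL DACL: everything is granted. Owner: READ_CONTROL and WRITE_DAC are
    granted implicitly, so an empty DACL still lets the owner fix permissions.
    Then ACEs are walked in list order: an allow ACE whose SID is in the token
    grants its bits; a deny ACE whose SID is in the token refuses the request
    if it covers any desired bit not yet granted. The request succeeds only
    once every desired bit has been granted."""
    if sd.dacl is None:
        return True
    sids = token.sids()
    granted = (READ_CONTROL | WRITE_DAC) if sd.owner in sids else 0
    remaining = desired & ~granted
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


JOE_TOKEN = Token(JOE, [DOMAIN_USERS, ENGINEERING])
GUEST_TOKEN = Token(GUEST, [DOMAIN_GUESTS])

NULL_DACL = SecurityDescriptor(ADMIN, DOMAIN_USERS, None)
EMPTY_DACL = SecurityDescriptor(ADMIN, DOMAIN_USERS, [])

# Canonical order: deny ACEs first.
PRINTER = SecurityDescriptor(ADMIN, DOMAIN_USERS, [
    Ace("deny", DOMAIN_GUESTS, WRITE),
    Ace("allow", EVERYONE, READ),
    Ace("allow", ENGINEERING, READ | WRITE),
])

# Same intent with the deny placed last: the allow for Everyone satisfies a
# WRITE request from a guest before the deny is ever examined.
PRINTER_MISORDERED = SecurityDescriptor(ADMIN, DOMAIN_USERS, [
    Ace("allow", EVERYONE, READ | WRITE),
    Ace("deny", DOMAIN_GUESTS, WRITE),
])

if __name__ == "__main__":
    for name, sd in [("NULL", NULL_DACL), ("empty", EMPTY_DACL),
                     ("printer", PRINTER), ("misordered", PRINTER_MISORDERED)]:
        print(name, "joe R/W:", access_check(JOE_TOKEN, sd, READ | WRITE),
              "guest W:", access_check(GUEST_TOKEN, sd, WRITE))
```

The loop stops as soon as every requested bit is granted, which is exactly what makes ACE order matter: the deny in PRINTER_MISORDERED is unreachable for a WRITE request from a guest.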

Note that NT security is a set of structures, not an object model, so a security descriptor should be read and written through the appropriate system API rather than by hand. For example, SDs are usually held in absolute form (the owner, group, SACL and DACL entries are pointers to separate blocks of memory) but can also be held in self-relative form (the entries are stored contiguously after a header that gives their offsets), which is the form used whenever a descriptor is stored on disk or passed to another process. Use MakeAbsoluteSD and MakeSelfRelativeSD to convert between the two as needed.
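To make the self-relative layout concrete, here is an added Python example (not from the original page) that packs an owner SID, a group SID and a DACL into one contiguous buffer with header offsets, then walks the offsets back out and reports whether the DACL is NULL, empty, or carries ACEs. The field sizes and flag values are the documented SECURITY_DESCRIPTOR_RELATIVE, ACL and ACE layouts; the sample SIDs are constructed and the access-mask values 0x1 and 0x2 are placeholders for object-specific rights.

```python
import struct

# Control flags and ACE types from winnt.h.
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
# Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
HEADER = "<BBHIIII"
HEADER_SIZE = struct.calcsize(HEADER)   # 20 bytes


def sid(*subs, authority=5) -> bytes:
    """Minimal binary SID packer for the constructed samples below."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def sid_len(buf: bytes, off: int) -> int:
    """A binary SID's length follows from its sub-authority count byte."""
    return 8 + 4 * buf[off + 1]


def encode_dacl(aces) -> bytes:
    """ACL header (AclRevision 2, AclSize, AceCount) followed by the ACEs, each
    an ACE header (AceType, AceFlags, AceSize, Mask) followed by its SID."""
    body = b"".join(struct.pack("<BBHI", t, 0, 8 + len(s), m) + s for t, m, s in aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def make_self_relative(owner: bytes, group: bytes, dacl) -> bytes:
    """Lay owner, group and DACL out contiguously after the header, the way
    MakeSelfRelativeSD does (no SACL here, so OffsetSacl is 0).
    dacl=None gives a NULL DACL: SE_DACL_PRESENT set but OffsetDacl 0.
    dacl=[] gives an empty DACL: an ACL with AceCount 0."""
    parts = [owner, group]
    off_owner = HEADER_SIZE
    off_group = off_owner + len(owner)
    off_dacl = 0
    if dacl is not None:
        off_dacl = off_group + len(group)
        parts.append(encode_dacl(dacl))
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack(HEADER, 1, 0, control, off_owner, off_group, 0, off_dacl) + b"".join(parts)


def parse_self_relative(buf: bytes) -> dict:
    """Walk the offsets back out and classify the DACL as null, empty or aces.
    A descriptor with SE_DACL_PRESENT clear is treated like a NULL DACL."""
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from(HEADER, buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")

    def sid_at(off):
        return None if off == 0 else bytes(buf[off:off + sid_len(buf, off)])

    out = {"owner": sid_at(o_owner), "group": sid_at(o_group), "dacl": None, "dacl_state": "null"}
    if not control & SE_DACL_PRESENT or o_dacl == 0:
        return out
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, o_dacl)
    aces, off = [], o_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
        aces.append((ace_type, mask, bytes(buf[off + 8:off + 8 + sid_len(buf, off + 8)])))
        off += ace_size
    if off != o_dacl + acl_size:
        raise ValueError("ACL size does not match its ACEs")
    out["dacl"] = aces
    out["dacl_state"] = "aces" if aces else "empty"
    return out


# Constructed sample SIDs (the domain part is made up).
EVERYONE = sid(0, authority=1)
ADMIN = sid(21, 1004336348, 1177238915, 682003330, 500)
DOMAIN_USERS = sid(21, 1004336348, 1177238915, 682003330, 513)
DOMAIN_GUESTS = sid(21, 1004336348, 1177238915, 682003330, 514)

PRINTER_SD = make_self_relative(ADMIN, DOMAIN_USERS, [
    (ACCESS_DENIED_ACE_TYPE, 0x2, DOMAIN_GUESTS),   # deny first
    (ACCESS_ALLOWED_ACE_TYPE, 0x1, EVERYONE),
])
NULL_SD = make_self_relative(ADMIN, DOMAIN_USERS, None)
EMPTY_SD = make_self_relative(ADMIN, DOMAIN_USERS, [])

if __name__ == "__main__":
    for label, blob in [("printer", PRINTER_SD), ("null", NULL_SD), ("empty", EMPTY_SD)]:
        print(label, len(blob), "bytes, DACL state:", parse_self_relative(blob)["dacl_state"])
```

The difference between NULL and empty is visible only in the bytes: both have SE_DACL_PRESENT set, but the NULL one has OffsetDacl 0 and the empty one points at an 8-byte ACL header with AceCount 0. A tool that tests "is there a DACL?" by the flag alone will confuse the two.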

Note that NT file security can be applied only to disks formatted as NTFS (NT File System), not FAT (File Allocation Table). A FAT volume has no per-file ACLs at all, so the only control over files on it is the share permission seen by network users; anyone who logs on locally can read and change everything on it.

Built-in Accounts

Windows NT has built-in user accounts and group accounts:

  • Global users.
    • Administrator. Member of the local Administrators group and, if the machine is a DC, of the global Domain Admins group. This account can never be deleted, disabled, or removed from the local Administrators group. It can be renamed, but renaming does not hide it: its RID is always 500, so anyone who can look up SIDs can find the real account name.
    • Guest. Member of the local Guests group and, if the machine is a DC, of the global Domain Guests group. Starts with no password required, but that can be changed. Can be disabled. Suited to limited access use, and best left disabled unless anonymous access is actually wanted.
  • Local groups
    • Special groups whose membership is set by the system and cannot be altered, and which therefore are not listed in User Manager:
      • Everyone. Includes anyone using the computer locally and remotely.
      • Interactive. Includes anyone using the computer locally.
      • Network. Includes anyone using the computer remotely.
      • System. The operating system.
      • Creator Owner. Transfer of permissions to creators of subdirectories, files, and print jobs.
    • Groups that only DCs have:
      • Account Operators. Can use User Manager to add, modify, and delete most user and group accounts for the domain (but not the administrative accounts and groups). Members can also use Server Manager to add computers to the domain, and can log on to and shut down the DCs.
      • Print Operators. Can add, delete, and manage domain printers, as well as log on to and shut down the DCs.
      • Server Operators. Can administer the DCs. Members can act as members of the local Print Operators and Backup Operators groups; add, delete, and manage network shares; lock and unlock DCs; format the hard disks; and change the system time.
    • Other built-in groups:
      • Administrators. Has full control over the computer. Starts with the global Administrator user and, if the machine is a member of a domain, the global Domain Admins group. The latter can be removed but the former cannot.
      • Users. Good for standard use. Starts with the global Domain Users group, which can be removed.
      • Guests. Good for limited access use. Starts with the global Guest user and the global Domain Guests group. The latter can be removed but the former cannot.
      • Backup Operators. Can back up and restore files on the DC regardless of the files' permissions, as well as log on to and shut down the DCs. Because a restore can overwrite any file, membership is as sensitive as Administrators in practice.
      • Replicators. Supports directory replication functions. This group should hold only the replication service account, never actual users.
  • Global groups. Cannot be deleted. Exist only on DCs.
    • Domain Admins. Starts with the global Administrator user. Starts as a member of the local Administrators group on the DC and of the local Administrators group on each NT machine in the domain, although it can be removed from individual local Administrators groups as needed.
    • Domain Users. Starts with the global Administrator user. Starts as a member of the local Users group on the DC and of the local Users group on each NT machine in the domain, although it can be removed from individual local Users groups as needed. All new user accounts are added to the global Domain Users group but can be removed. Good for standard use.
    • Domain Guests. Starts with the global Guest user. Starts as a member of the local Guests group. Good for limited access use.

The Administrator user account is powerful and its use should be restricted. The Guest user account is limited, but it has a built-in problem: if it has a password, how will everyone know what it is, and if it has none, anyone can use it. Most users will use neither, but will have their own user account. The network administrator then creates groups and assigns users to them as needed.

Example Accounts

Here is how a network administrator might make groups to control access to printers for a particular company. Users are placed in global groups by department, the global groups are placed in one local group per printer, and each printer's permissions are granted to its local group:
  • Global Groups
    • Management
    • Sales
    • Marketing
    • Accounting
    • Human Resources
    • Engineering
    • Production
    • Information Services
  • Local Groups (and their members)
    • North Printer (Accounting & Human Resources)
    • East Printer (Marketing & Sales)
    • Central Color Printer (Engineering, Marketing, & Sales)
    • South Laser Printer (Information Services & Everyone)
    • West Printer (Engineering & Management)
    • West CAD Printer (Engineering)
    • Factory Printer (Production & Engineering)
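As an added example (Python, not code from the original page), the block below models the printer layout above together with the nesting rules given earlier for local and global groups: a global group holds only user accounts of its own domain, and a local group holds users, global groups from its own or a trusted domain, or Everyone, but never another local group. It then resolves which printer groups a given user reaches through global group membership. The CORP domain, the users joe, ann and guest, and the PARTNER trusted domain are constructed.

```python
class Domain:
    """One NT domain's accounts with the page's nesting rules enforced.
    Global groups from a trusted domain are referred to as DOMAIN\\Group."""

    def __init__(self, name, trusted=()):
        self.name = name
        self.trusted = set(trusted)
        self.users = set()
        self.global_groups = {}   # name -> set of user names
        self.local_groups = {}    # name -> set of member names

    def add_users(self, *users):
        self.users.update(users)

    def global_group_problems(self, members):
        """A global group may contain only user accounts of this domain."""
        return [f"{m!r} is not a user of {self.name}" for m in members if m not in self.users]

    def local_group_problems(self, members):
        """A local group may contain users, global groups (own or trusted
        domain) and Everyone; it may never contain another local group."""
        problems = []
        for m in members:
            if m in self.local_groups:
                problems.append(f"{m!r} is a local group; local groups cannot nest")
            elif "\\" in m:
                dom = m.split("\\", 1)[0]
                if dom != self.name and dom not in self.trusted:
                    problems.append(f"{dom!r} is not a trusted domain")
            elif m != "Everyone" and m not in self.users and m not in self.global_groups:
                problems.append(f"{m!r} is neither a user nor a global group")
        return problems

    def add_global_group(self, name, members):
        problems = self.global_group_problems(members)
        if problems:
            raise ValueError(f"global group {name!r}: " + "; ".join(problems))
        self.global_groups[name] = set(members)

    def add_local_group(self, name, members):
        problems = self.local_group_problems(members)
        if problems:
            raise ValueError(f"local group {name!r}: " + "; ".join(problems))
        self.local_groups[name] = set(members)

    def global_groups_of(self, user):
        return {g for g, members in self.global_groups.items() if user in members}

    def local_groups_of(self, user):
        """The local groups a user's token reaches: directly, through one of
        the user's global groups, or through Everyone, which every user holds."""
        reach = {user, "Everyone"} | self.global_groups_of(user)
        return {g for g, members in self.local_groups.items() if reach & members}


# Constructed sample domain following the printer layout on the page.
CORP = Domain("CORP")
CORP.add_users("joe", "ann", "guest")
CORP.add_global_group("Engineering", ["joe"])
CORP.add_global_group("Accounting", ["ann"])
CORP.add_global_group("Human Resources", ["ann"])
for dept in ["Management", "Sales", "Marketing", "Production", "Information Services"]:
    CORP.add_global_group(dept, [])
CORP.add_local_group("North Printer", ["Accounting", "Human Resources"])
CORP.add_local_group("East Printer", ["Marketing", "Sales"])
CORP.add_local_group("Central Color Printer", ["Engineering", "Marketing", "Sales"])
CORP.add_local_group("South Laser Printer", ["Information Services", "Everyone"])
CORP.add_local_group("West Printer", ["Engineering", "Management"])
CORP.add_local_group("West CAD Printer", ["Engineering"])
CORP.add_local_group("Factory Printer", ["Production", "Engineering"])

if __name__ == "__main__":
    for user in ["joe", "ann", "guest"]:
        print(user, sorted(CORP.local_groups_of(user)))
    print(CORP.local_group_problems(["North Printer"]))
```

Two things fall out of running it. Putting Everyone in South Laser Printer makes the Information Services member redundant and gives the guest account, and any user from a trusting domain, the same access. And the nesting check rejects the tempting "All Printers" local group built from the other printer groups, which NT will not allow either.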


GeorgeHernandez.com. Some rights reserved.