MSDN Library

2.2 Accounts

One of the most important aspects of any security principal is that it serves as a point of management between the system and the administrator. As such, it needs to have attributes that make it meaningful to the administrator or the user. The security principal (or account) has at least a name and an identifier.

The name is a simple textual name for the account, such as John Smith, SYSTEM, or RedmondDc1$. The name is merely an attribute of the account, however, and can change over time. A common scenario is that the person to whom the account refers changes his or her name.

Also, the name is treated as case-insensitive. That is, John Smith, JOHN SMITH, john smith, and joHn SmiTH are treated as equivalent in Windows. Microsoft views case-sensitivity as creating an unnecessary burden on the administrator and as something that can lead to mistakes.

The identifier, though also an attribute of the account, has to satisfy additional requirements. Of particular importance are the uniqueness and persistence of the identifier and the issuer of the identifier. The persistence of the identifier is what gives the administrator the ability to assign a resource to that account without being surprised in the future by changes to the account.

Consider the case of John Smith. The administrator may assign John Smith access to a certain document at one point in time. If that John Smith leaves the company and a new John Smith is hired, the new John Smith should not have access to the resources of the original John Smith. Conversely, if John Smith changes his name to John Q. Smith, he should not lose access to the resources previously granted.

The other important attribute is the issuer of the identifier. Identities have different weight, conceptually, depending on the issuer. In the physical world, a store is generally willing to accept a driver's license as proof of identity, but the store is unwilling to accept a gymnasium membership card. In the Windows model, the issuer of an account is encoded with the identity so that any recipient can make a similar decision.

The identifier that Windows uses for accounts is called a security identifier (SID).
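As an added illustration, not part of the MSDN text, the following Python models the properties described above: a parsed SID whose issuing domain is recoverable from the identifier itself, a directory that keys accounts and ACL entries by SID so that a rename keeps access while a rehired namesake does not inherit it, and case-insensitive name lookup. The SID values are constructed samples, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Textual SID form: S-<revision>-<identifier authority>-<subauthority>[-<subauthority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]
    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    def issuer(self) -> "Sid":
        # The issuing domain is the SID minus its trailing relative identifier (RID)
        return Sid(self.revision, self.authority, self.subauthorities[:-1])
class Directory:
    """Accounts and ACL entries are keyed by SID; the name is only a mutable attribute."""
    def __init__(self) -> None:
        self.names: Dict[Sid, str] = {}          # SID -> current display name
        self.acl: Dict[str, Set[Sid]] = {}       # resource -> SIDs granted access

    def lookup(self, name: str) -> List[Sid]:
        # Account names compare case-insensitively, as in Windows
        return [s for s, n in self.names.items() if n.casefold() == name.casefold()]

    def has_access(self, resource: str, sid: Sid) -> bool:
        return sid in self.acl.get(resource, set())

def john_smith_scenario() -> Dict[str, bool]:
    # Replays the John Smith example with constructed sample SIDs from one domain
    d = Directory()
    old_john = Sid.parse("S-1-5-21-1111111111-2222222222-3333333333-1105")
    new_john = Sid.parse("S-1-5-21-1111111111-2222222222-3333333333-1187")
    d.names[old_john] = "John Smith"
    d.acl["budget.xlsx"] = {old_john}                # grant by SID, not by name
    d.names[old_john] = "John Q. Smith"              # rename: SID unchanged
    renamed_keeps_access = d.has_access("budget.xlsx", old_john)
    del d.names[old_john]                            # original John leaves
    d.names[new_john] = "John Smith"                 # new hire reuses the name
    return {"renamed_keeps_access": renamed_keeps_access,
            "rehire_gets_access": d.has_access("budget.xlsx", new_john),
            "same_issuer": old_john.issuer() == new_john.issuer(),
            "case_insensitive_lookup": d.lookup("JOHN SMITH") == [new_john]}
```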

Windows contains a number of built-in accounts:

  • User account: Identifies users who belong to the domain by storing their names, their passwords, the groups that they belong to, the permissions that they have for accessing system resources, and other personal information.

  • Group account: Identifies a specific group of users and is used to assign them permissions to objects and resources.

  • Computer account: Identifies computers that belong to the domain. A computer account is commonly referred to as a "machine account."

Each built-in user, computer, or group account is a security principal.<1>

User and computer accounts can be added, disabled, reset, and deleted by using Active Directory Users and Computers. A computer account can also be created when a computer is joined to a domain. For more information about user and computer accounts, see Active Directory naming and Object names.

© 2016 Microsoft