1.1.1.1 Security Principal

A security principal is an entity with an identity that can be authenticated. The security principal is a common concept in security: it is an actor in a security system and can often initiate action. Typically, a security principal is associated with a human user of the computer system, but it can also be an autonomous program within the system, such as a logging daemon, a system backup program, or a network application. In Windows, a security principal is typically a user, but it can also be a computer, a service, or a security group that represents a set of users. When authenticating a user, the goal is to verify that the user is not an impostor. When authenticating an entity such as a computer or a network service, the goal is to verify that the entity is genuine.

Security principals receive permissions to access resources such as files and folders. User rights, such as interactive logons, are granted or denied to accounts directly or through membership in a group. The accumulation of these permissions and rights defines what security principals can and cannot do when working on the network.

An identity is associated with a key. If a client proves knowledge of the key to a server, the server treats the identity associated with that key as the identity of the client. A security principal is often referred to as an account. The identifier that Windows uses for an account is called a security identifier (SID).
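The following Python example is added here to make the SID concrete; it is not part of the original text. It decodes the binary SID layout documented by Microsoft (one revision byte, one sub-authority count byte, a 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) into the familiar `S-1-5-21-...` string form and back, and labels a few well-known SIDs and relative identifiers (RIDs). The sample SID bytes are constructed for the example and belong to no real domain; the `describe` helper and its wording are the example's own.

```python
import struct

# Well-known SIDs documented by Microsoft, used here to label common principals.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Well-known relative identifiers (last sub-authority) inside a domain SID.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in account)",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample: revision 1, five sub-authorities, NT authority (5),
# then 21, three domain-specific values, and RID 1001. Not a real account.
SAMPLE_SID_BYTES = bytes.fromhex(
    "01 05 00 00 00 00 00 05"   # revision, count, 48-bit authority = 5
    "15 00 00 00"               # 21  (domain SID marker)
    "00 ca 9a 3b"               # 1000000000
    "00 94 35 77"               # 2000000000
    "00 5e d0 b2"               # 3000000000
    "e9 03 00 00"               # 1001 (RID)
)


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID into its S-R-I-S-S... string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    # A SID carries at most 15 sub-authorities; the length must match the count.
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    # Authorities that fit in 32 bits print as decimal; larger ones as 0x-hex.
    auth_text = str(authority) if authority < (1 << 32) else "0x%012X" % authority
    return "S-%d-%s" % (revision, auth_text) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-I-S... string back into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2], 0)          # base 0 accepts decimal or 0x-prefixed hex
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(s < 0 or s >= (1 << 32) for s in subs):
        raise ValueError("invalid sub-authorities in %r" % sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid(sid: str) -> int:
    """The relative identifier: the last sub-authority, unique within its domain."""
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError("SID has no sub-authority: %r" % sid)
    return int(parts[-1])


def is_domain_account_sid(sid: str) -> bool:
    """True for S-1-5-21-<domain1>-<domain2>-<domain3>-<RID> account SIDs."""
    return sid.startswith("S-1-5-21-") and len(sid.split("-")) == 8


def describe(sid: str) -> str:
    """Human-readable label for a SID string (example's own wording)."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if is_domain_account_sid(sid):
        r = rid(sid)
        if r in WELL_KNOWN_RIDS:
            return "domain account, well-known RID %d: %s" % (r, WELL_KNOWN_RIDS[r])
        if r < 1000:
            return "domain account, reserved RID %d" % r
        return "domain account, RID %d" % r
    return "unrecognised SID"


if __name__ == "__main__":
    text = parse_sid(SAMPLE_SID_BYTES)
    print(text, "->", describe(text))
    for known in ("S-1-5-18", "S-1-5-32-544", text.rsplit("-", 1)[0] + "-512"):
        print(known, "->", describe(known))
```

Seeing the RID as a separate field explains why an account's SID is stable even when the account is renamed: Windows keys permissions and group memberships to the SID, not to the display name, so an access control entry or an event log that records a SID can be resolved back to the principal regardless of later renames.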