Before you start
Objectives: learn what is a user account, what is SID, how to switch between users and which database is used for local authentication, and which for domain authentication.
Prerequisites: no prerequisites.
Key terms: user account, security, SID, user switching, SAM database, credentials, Active Directory
Since Windows XP, anyone who wants to use the computer must authenticate before being allowed to do anything on the system. The user account basically identifies some specific user. When signing in to the system the user has to supply two things, and those are the user name and the password. This process is known as the logon. Every user will have specific rights on the system. User rights determine what actions are allowed for certain users. For example, some users will have rights to install applications, some will have rights to modify system settings, etc. Permissions identify what a specific user can do with files, folders, and other objects on the system. For example, some users will have the permission to only read some file, and some users will have permission to read and to edit some file.
In Windows we have an environment that supports multiple-logged in users simultaneously. We can leave the computer, our applications could still be running, and someone else can log on and use the resource on the same machine. When they are done, they can log off, and we can switch back to our account and continue our work. In order for this feature to work we need user accounts. User accounts simplify the control of access to the computer resources in a great way.
User accounts are created either during the installation, or after the installation with the utility which enables us to control our user accounts. With each user account comes user profile which contains user-specific settings that the system uses to customize their Windows environment. The profiles are unique settings for our users, like different desktop backgrounds, favorites, files, etc.
Security Identifier (SID)
As we get into the user account management, we need to understand how is a user account created inside the system. In Windows each user account is represented by something known as Security Identifier (SID). The system identifies each user account using the Security Identifier, not the user account name. When we create new user account, what we really do is create a new SID. As a user logs in, the system activates the SID and loads the specific user profile. The user name is really nothing more than an attribute of the SID. There is a lot of information that we can store about users (address, telephone numbers, e-mail address, company information, etc.), but the key thing to remember is that all that information really revolves around the SID. Example of a SID would be: “S-1-5-21-3623811015-3361044348-30300820-1013”.
Types of Accounts
There are two general types of accounts that we can create in Windows environment:
- Local user account – stored in the local system and is not distributed to any other system. Administrators typically use Computer Management console to create and manage local user accounts. Keep in mind that only local resources are accessible with local user accounts.
- Domain user account – stored in a centralized database called the Active Directory. It is replicated between domain controllers in the domain. Administrators typically use Active Directory Users and Computers console, CMD tools, and PowerShell to manage user accounts in Active Directory.
Security Accounts Manager (SAM) Database
The process of local authentication requires that we authenticate through Security Accounts Manager (SAM) database which is located on the local machine itself. As a user goes to log on, the user must provide a valid credentials for the log in process. These valid credentials include a user name and a users password. Once these credentials are entered, they are checked in the local SAM database. If they are validated, the user is permitted to log on to the computer. When the user logs in, the system will load its user profile.
Environment in which we don’t use a centralized database for user management is typically called a Workgroup (at least when we are talking about Windows OS). Workgroup computers are computers that are not members of a domain. Workgroup environment is great if we have relatively small number of users and computers to manage. For example, if we have one user on one machine, and we want to allow that user access to another machine, we would have to create additional user account on that other machine with the same properties in order to allow access. This could work for up to 5 users or even for up to 10 users, but there would be a lot of duplication of data during the whole process. If we compare this to Active Directory (AD), we would only need to to create one user account which is centrally stored in the AD database.
Active Directory Database
Domain is a grouping of computers that has a centralized collection of user accounts to ease the management of all those users. Domain user accounts are stored on the server called Domain Controller (DC). When some user tries to log on to some workstation that is a member of the domain, its credentials will be validated on the Domain Controller. Users can access resources on all computers in the domain for which the user account has permissions. Domain user accounts have many properties that we can configure. So, domain accounts are used in Active Directory environment, and the database where all user accounts (among other things) are stored is called the Active Directory. If our computer is not on a domain, it will use local authentication trough the local SAM database.
The great advantage of domain user accounts is that they can be centrally managed. This way we can easily control large number of users. Since we will be managing users centrally, we should come up with some naming convention for our users. For that we have to be aware of how the different types of names are stored in Active Directory, and whether they have to be unique or not.
The first name type that we should mention is the User Logon Name or simply User Name. User Logon Name is simply the name of the user account, and it must be unique in the domain. For example, if we had the person who is called Marko Ivančić, the User Logon Name could be marko(only first name of the user) or ivancic (only last name), or combination likemivancic or ivancicm, etc. In domain environment we will often use this in a form of “domainuser” when we log on to the domain. This was intended for pre-Windows 2000 systems but it’s still used today. For example, if we want to log on to some domain, we would enter the domain name and then the user name, like utilizewindows.commivancic. The second name type is the User Principle Name (UPN). This name type combines the user name with the DNS domain name, so it basically looks like an e-mail. It comes in a form of user@domain. For example, UPN name could be email@example.com. The next name type is the LDAP Distinguished Name. It references the domain and the container where the object (user in this case) resides. The attributes of LDAP Distinguished Name are Domain Component (DC), Organizational Unit (OU) and Common Name (CN). So, this name type would contain entries like CN=mivancic,OU=admins, DC=utilizewindows, DC=com. LDAP Distinguished Names have to be unique in the Forest. In the end we have a Relative Distinguished Name (RDN), which has to be unique in withing the object’s container. For example, the Relative Distinguished Name would be CN=mivancic.
User Groups in Windows are simply groups of user accounts. We can assign rights and permissions to groups of users the same way we apply rights and permissions to individual users. This is great if we have many users who have to have the same privileges on the system. We simply put all those users in the same group and then apply privileges to that group. All users in the group will receive settings that are applied to the group. Once we have all groups configured, we can simply add new users to the group to apply certain settings to new users. Remember that the same user account can be a member of multiple user groups.
Windows operating systems will come with some built-in user groups. Some Windows versions will have all mentioned groups here, and some won’t. These groups have preassigned permissions and rights. Typical user groups in Windows are:
- Administrators – users in this group will have all privileges on the computer. This group is the most common group found in most versions of Windows. Members can do anything they want on the system. Administrators also have access to files from other users.
- Power Users – users in this group are similar to the Administrators group, however they don’t have access to other users files. They can create user accounts, create local groups, change the system date and time, and install applications. However, they can’t change membership of the Administrators group, they can’t take ownership of files, and load device drivers. In Windows Vista, Windows 7 and Windows 8 this group only exists for backwards compatibility, and it is no longer used.
- Users – users in this group can use the computer but are not allowed install applications or new hardware. They don’t have access to the system files and other users files, and they can’t make any registry changes. Any user created in the Local Users and Groups snap-in is automatically a member of this group.
- Backup Operators – members of this group have similar privileges as users in the Users group, but the difference is that they are allowed to access any file on the system in order to back it up, regardles of the NTFS permissions on the file. They can’t open it and change it, but they can back it up and restore it. Note that they can also restore files that they have backed up. This can be dangerous, as a user can back up files that they don’t have access to, and restore them to a non-NTFS partition, and in that way gain access to them. To deal with this, we should create a sepparate group called, for example, “Restore Operators”, give rights to restore files to users in that group, and take away rights to restore files from the Backup Operators group. This way we get more granular control over user rights.
- Replicator – members of this group can replicate files within a domain.
- Network Configuration Operators – members can change network options such as IP address, etc.
- Event Log Readers – members can read Event Logs.
- Remote Desktop Users – members are allowed to use Remote Desktop to log in to the computer remotely. By default, only members of the Administrators group are allowed to use Remote Desktop feature.
- Everyone – by default, all users are members of the Everyone group. We should be careful when allowing things to this group, since all users will get those permissions.
- Guests – on some systems we can enable the Guest access. This way we can enable access to some person who doesn’t have a user account on the system (the Guest account will be used). Guest typically have minimal access to the system.
When we find that we no longer need one of those user accounts, it’s possible to either delete the account, or to disable the account. If we delete the user account we will delete the corresponding SID. Once the SID is deleted, it can never be reused. That doesn’t sound like a huge issue, but sometimes when we want to remove a user account, it’s because we want to remove it for a temporary reason. For example, if we are getting rid of a user who will be replaced by another person, we can reuse the old user account. So rather then deleting the user account (read – deleting the SID), we may want to temporary disable it. That way when the new user starts to use computer, we can just rename the old user account to correspond to the new persons name, and we re-enable the user account (the SID hasn’t changed). What does that mean? Well, all the resources that the previous person had access to, the new user has by default, because the SID did not change (the SID governs access to the resources). In most cases we will want to simply disable the user account.
Built-in and Predefined User Accounts
Windows XP, Windows Vista, and Windows 7, and Windows 8 include two built-in user accounts:
- Administrator – has all system rights and privileges to manage the local computer.
- Guest – has very limited rights and privileges.
We cannot delete those accounts. We should rename those accounts to make it harder for unauthorized users to guess a user account name. Guest account is disabled by default.
Predefined user accounts are created during the installation of certain software components. These are normal user accounts with a specific name that are used by the software to perform system or other functions. Although we can delete or rename these accounts, the software that created them might not function properly if we do. Following is a list of some of the most common automatically-created user accounts:
- HelpAssistant – lets another user provide remote assistance.
- IUSR_ComputerName – lets network users access the computer anonymously when the computer is acting as a Web server.
- IWAM_ComputerName – used by the computer to run programs when it is acting as a Web server.
- SUPPORT_IDNumber – A vendor user account used to provide help and support.
We have separate articles in which we describe how to work with user accounts and groups in Windows: