Basic PC Terms and Concepts

User Account in Windows

Before you start

Objectives: learn what a user account is, what a SID is, how to switch between users, and which database is used for local authentication.

Prerequisites: no prerequisites.

Key terms: user account, security, SID, user switching, SAM database, credentials


User Account

Since Windows XP, anyone who wants to use the computer must authenticate before being allowed to do anything on the system. A user account identifies a specific user. When signing in to the system the user has to supply two things: the user name and the password. Every user has specific rights on the system. User rights determine which actions are allowed for a given user. For example, some users will have the right to install applications, some will have the right to modify system settings, etc. Permissions identify what a specific user can do with files, folders, and other objects on the system. For example, some users will have permission only to read a file, while others will have permission to read and edit it.

In Windows we have an environment that supports multiple simultaneously logged-in users. We can leave the computer with our applications still running, and someone else can log on and use resources on the same machine. When they are done, they can log off, and we can switch back to our account and continue our work. In order for this feature to work we need user accounts. User accounts greatly simplify the control of access to computer resources.

User accounts are created either during the installation, or after the installation with the utility that lets us manage user accounts. With each user account comes a user profile, which contains user-specific settings that the system uses to customize that user's Windows environment. Profiles hold settings unique to each user, like different desktop backgrounds, favorites, files, etc.

Security Identifier (SID)

As we get into user account management, we need to understand how a user account is created inside the system. In Windows each user account is represented by something known as a Security Identifier (SID). The system identifies each user account using the Security Identifier, not the user account name. When we create a new user account, what we really do is create a new SID. As a user logs in, the system activates the SID and loads the specific user profile. The user name is really nothing more than an attribute of the SID. There is a lot of information that we can store about users (address, telephone numbers, e-mail address, company information, etc.), but the key thing to remember is that all that information really revolves around the SID. An example of a SID would be: "S-1-5-21-3623811015-3361044348-30300820-1013".
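As an added example (not part of the original article), the following PowerShell breaks a SID string into its parts and resolves a local account name to its SID and back, using the SID quoted above as sample input. It assumes Windows 8.1 / Server 2012 R2 or later with the built-in LocalAccounts module; the account name 'Alice' is a placeholder for a real local account.

```powershell
# Added example, not from the original article. Assumes the LocalAccounts module
# (Windows 8.1 / Server 2012 R2 or later); 'Alice' is a placeholder account name.

# Split a SID string into revision, identifier authority, sub-authorities and the
# relative identifier (RID), which is always the last component.
function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 4) { throw "Not a valid SID string: $Sid" }
    $rid = [int64]$parts[-1]
    $ridNote = switch ($rid) {
        500     { 'well-known RID: built-in Administrator' }
        501     { 'well-known RID: built-in Guest' }
        default { 'not a well-known RID' }
    }
    # Sub-authorities sit between the authority and the RID (none for short SIDs like S-1-1-0).
    $subs = if ($parts.Count -gt 4) { $parts[3..($parts.Count - 2)] -join '-' } else { '' }
    [pscustomobject]@{
        Sid            = $Sid
        Revision       = [int]$parts[1]
        Authority      = [int]$parts[2]      # 5 = NT Authority
        SubAuthorities = $subs
        Rid            = $rid
        RidNote        = $ridNote
    }
}

# The SID quoted in the article: revision 1, NT Authority, machine part 21-..., RID 1013.
Get-SidParts -Sid 'S-1-5-21-3623811015-3361044348-30300820-1013' | Format-List

# Name -> SID through the Windows account translation API.
$account = New-Object System.Security.Principal.NTAccount('Alice')
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
"Alice has SID $($sid.Value)"

# SID -> name: the name is only an attribute of the SID, so the lookup works in reverse too.
$sid.Translate([System.Security.Principal.NTAccount]).Value

# The local account cmdlets expose the same SID directly.
(Get-LocalUser -Name 'Alice').SID.Value
```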

Types of Accounts

There are two types of accounts that we can create:

  • Local user account - stored in the local system
  • Domain user account - stored in a centralized database

A domain is a grouping of computers that has a centralized collection of user accounts to ease the management of all those users. Domain user accounts are stored on a server called a Domain Controller (DC). When a user tries to log on to a workstation that is on a domain, their credentials will be validated on the Domain Controller. So, domain accounts are used in an Active Directory environment, and the database where all user accounts (among other things) are stored is called Active Directory. If our computer is not on a domain, it will use local authentication through the local SAM database.

Security Accounts Manager (SAM) Database

The process of local authentication requires that we authenticate through the Security Accounts Manager (SAM) database, which is located on the local machine itself. As a user goes to log on, the user must provide valid credentials for the log-in process. These valid credentials are a user name and the user's password. Once these credentials are entered, they are checked against the local SAM database. If they are validated, the user is permitted to log on to the computer. When the user logs in, the system will load that user's profile.

User Groups

User Groups in Windows are simply groups of user accounts. We can assign rights and permissions to groups of users the same way we apply rights and permissions to individual users. This is great if we have many users who have to have the same privileges on the system. We simply put all those users in the same group and then apply privileges to that group. All users in the group will receive settings that are applied to the group. Once we have all groups configured, we can simply add new users to the group to apply certain settings to new users. Remember that the same user account can be a member of multiple user groups.

Windows operating systems come with some built-in user groups. Some Windows versions will have all the groups mentioned here, and some won't. These groups have preassigned permissions and rights. Typical user groups in Windows are:

  • Administrators - users in this group have all privileges on the computer. They can do anything they want on the system. Administrators also have access to other users' files.
  • Power Users - users in this group are similar to the Administrators group, however they don't have access to other users' files. They can create user accounts, create local groups, change the system date and time, and install applications. However, they can't change membership of the Administrators group, take ownership of files, or load device drivers. In Windows Vista and Windows 8 this group only exists for backwards compatibility, and it is no longer used.
  • Users - users in this group can use the computer but are not allowed to install applications or new hardware. They don't have access to the system files or other users' files, and they can't make any registry changes. Any user created in the Local Users and Groups snap-in is automatically a member of this group.
  • Backup Operators - members of this group have similar privileges to users in the Users group, but the difference is that they are allowed to access any file on the system in order to back it up. They can't open it and change it, but they can back it up and restore it.
  • Replicator - members of this group can replicate files within a domain.
  • Everyone - by default, all users are members of the Everyone group. We should be careful when granting things to this group, since all users will get those permissions.
  • Guests - on some systems we can enable Guest access. This way we can give access to a person who doesn't have a user account on the system (the Guest account will be used). Guests typically have minimal access to the system.
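As an added example (not part of the original article), the PowerShell below reports the membership of every local group, flags enabled local accounts that sit in Administrators, and grants a right by group membership instead of per user. It assumes Windows 8.1 / Server 2012 R2 or later with the LocalAccounts module and an elevated session; 'Bob' is a placeholder account name.

```powershell
# Added example, not from the original article. Assumes the LocalAccounts module
# (Windows 8.1 / Server 2012 R2 or later) and an elevated PowerShell session.

# One row per local group, so membership of privileged groups can be reviewed at a glance.
function Get-LocalGroupReport {
    foreach ($group in Get-LocalGroup) {
        # SilentlyContinue: a group holding an orphaned (deleted) SID would otherwise abort the report.
        $members = @(Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group       = $group.Name
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.Name }) -join ', '
        }
    }
}
Get-LocalGroupReport | Sort-Object Group | Format-Table -AutoSize

# Administrators is the group to watch: list enabled local user accounts that are members.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
foreach ($m in $admins) {
    $shortName = $m.Name.Split('\')[-1]      # Name comes back as COMPUTER\user
    $user = Get-LocalUser -Name $shortName
    if ($user.Enabled) { "Enabled local administrator: $($user.Name) ($($user.SID.Value))" }
}

# Apply privileges through a group, then add users to it: Bob gets the backup right
# by joining Backup Operators rather than by being made an administrator.
Add-LocalGroupMember -Group 'Backup Operators' -Member 'Bob'
Get-LocalGroupMember -Group 'Backup Operators' | Where-Object Name -like '*\Bob'
```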

User Management

When we find that we no longer need one of our user accounts, it's possible either to delete the account or to disable it. If we delete the user account we delete the corresponding SID. Once the SID is deleted, it can never be reused. That doesn't sound like a huge issue, but sometimes we want to remove a user account only temporarily. For example, if we are getting rid of a user who will be replaced by another person, we can reuse the old user account. So rather than deleting the user account (read: deleting the SID), we may want to temporarily disable it. That way, when the new user starts to use the computer, we can just rename the old user account to match the new person's name and re-enable it (the SID hasn't changed). What does that mean? Well, all the resources that the previous person had access to, the new user has by default, because the SID did not change (the SID governs access to the resources). In most cases we will want to simply disable the user account.
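The disable, rename and re-enable sequence described above, as an added PowerShell example that is not part of the original article. It assumes Windows 8.1 / Server 2012 R2 or later with the LocalAccounts module and an elevated session; 'JSmith', 'MJones' and the file path are placeholders.

```powershell
# Added example, not from the original article. Assumes the LocalAccounts module
# (Windows 8.1 / Server 2012 R2 or later), an elevated session, and a placeholder
# local account 'JSmith' that is being handed over to a new person, 'MJones'.

# Record the SID first: file and folder ACLs reference the SID, not the name.
$before = Get-LocalUser -Name 'JSmith'
$sidBefore = $before.SID.Value
"Before: $($before.Name) Enabled=$($before.Enabled) SID=$sidBefore"

# Step 1: disable rather than delete when the removal may only be temporary.
Disable-LocalUser -Name 'JSmith'

# Step 2: when the replacement arrives, rename the same account and re-enable it.
Rename-LocalUser -Name 'JSmith' -NewName 'MJones'
Enable-LocalUser -Name 'MJones'

# Step 3: verify the SID is unchanged, so every permission granted to JSmith still applies.
$after = Get-LocalUser -Name 'MJones'
if ($after.SID.Value -eq $sidBefore) {
    "SID preserved: $($after.SID.Value); resources granted to JSmith now belong to MJones"
} else {
    throw "Unexpected: the SID changed"
}

# The effect on an ACL: entries are stored by SID, so Get-Acl now resolves the same
# entry to the new name. 'C:\Shared\report.docx' is a placeholder path.
(Get-Acl 'C:\Shared\report.docx').Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sidBefore
    } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# For contrast, deleting the account deletes the SID for good: a fresh account created
# with the old name gets a new SID, and ACL entries that referenced the deleted SID show
# up as an unresolvable S-1-5-21-... value instead of a name.
# Remove-LocalUser -Name 'MJones'    # deliberately left commented out
```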

Built-in and Predefined User Accounts

Windows XP

Windows XP Professional includes two built-in user accounts:

  • Administrator - has all system rights and privileges to manage the local computer.
  • Guest - has very limited rights and privileges.

We cannot delete those accounts. We should rename them to make it harder for unauthorized users to guess a user account name. The Guest account is disabled by default.

Predefined user accounts are created during the installation of certain software components. These are normal user accounts with a specific name that are used by the software to perform system or other functions. Although we can delete or rename these accounts, the software that created them might not function properly if we do. The following is a list of some of the most common automatically created user accounts:

  • HelpAssistant - lets another user provide remote assistance.
  • IUSR_ComputerName - lets network users access the computer anonymously when the computer is acting as a Web server.
  • IWAM_ComputerName - used by the computer to run programs when it is acting as a Web server.
  • SUPPORT_IDNumber - a vendor user account used to provide help and support.

Example Configuration

We have separate articles in which we describe how to work with user accounts and groups in Windows: