Objectives: learn what a user account is, what a SID is, how to switch between users, which database is used for local authentication, and which for domain authentication.
Prerequisites: no prerequisites.
Key terms: user account, security, SID, user switching, SAM database, credentials, Active Directory
Since Windows XP, anyone who wants to use the computer must authenticate before being allowed to do anything on the system. A user account identifies one specific user. When signing in to the system the user has to supply two things: the user name and the password. This process is known as the logon. Every user has specific rights on the system. User rights determine which actions a given user is allowed to perform. For example, some users will have the right to install applications, some will have the right to modify system settings, etc. Permissions identify what a specific user can do with files, folders, and other objects on the system. For example, some users will have permission only to read a file, while others will have permission to both read and edit it.
Windows provides an environment that supports multiple simultaneously logged-in users. We can leave the computer with our applications still running, and someone else can log on and use resources on the same machine. When they are done, they can log off, and we can switch back to our account and continue our work. For this feature to work we need user accounts. User accounts greatly simplify controlling access to the computer's resources.
User accounts are created either during the installation, or after the installation with the utility that lets us manage user accounts. With each user account comes a user profile, which contains the user-specific settings that the system uses to customize that user's Windows environment. Profiles hold settings unique to each user, such as different desktop backgrounds, favorites, files, etc.
As we get into user account management, we need to understand how a user account is represented inside the system. In Windows each user account is represented by a Security Identifier (SID). The system identifies each user account by its SID, not by the user account name. When we create a new user account, what we really do is create a new SID. As a user logs in, the system activates the SID and loads the corresponding user profile. The user name is really nothing more than an attribute of the SID. There is a lot of information that we can store about users (address, telephone numbers, e-mail address, company information, etc.), but the key thing to remember is that all of that information revolves around the SID. An example of a SID would be: "S-1-5-21-3623811015-3361044348-30300820-1013".
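The following PowerShell is an added example, not part of the original article. It resolves an account name to its SID and back (which is how the system itself keys everything on the SID while treating the name as an attribute), and breaks a SID string into its components using the article's example SID. It assumes a Windows host with PowerShell 5.1 or later; the `ConvertFrom-Sid` function is defined here for illustration and is not a built-in cmdlet.

```powershell
# Added example (not from the original article): resolve a name to its SID and
# back, and split a SID such as "S-1-5-21-<domain or machine>-<RID>" into parts.
# Assumes Windows with PowerShell 5.1 or later. ConvertFrom-Sid is defined here
# for illustration; it is not a built-in cmdlet.

function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $parts = $SidString -split '-'        # "S", revision, authority, sub-authorities...

    # Only "domain" SIDs (S-1-5-21-...) have a machine/domain prefix plus a RID.
    $isDomainSid = $sid.AccountDomainSid -ne $null

    [pscustomobject]@{
        SID             = $SidString
        Revision        = [int]$parts[1]                 # always 1 on current Windows
        Authority       = [int]$parts[2]                 # 5 = NT Authority
        DomainOrMachine = if ($isDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        RID             = if ($isDomainSid) { [int]$parts[-1] } else { $null }   # unique per account
    }
}

# 1. Parse the SID quoted in the article (a user account, RID 1013).
ConvertFrom-Sid 'S-1-5-21-3623811015-3361044348-30300820-1013'

# 2. Name -> SID for the currently logged-on user. The lookup goes through the
#    local SAM for a local account, or through the domain for a domain account.
$accountName = "$env:USERDOMAIN\$env:USERNAME"
$account     = New-Object System.Security.Principal.NTAccount($accountName)
$mySid       = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 3. SID -> name. This reverse lookup only succeeds while the SID still exists;
#    once an account (and so its SID) is deleted, the SID no longer resolves to a name.
$resolved = $mySid.Translate([System.Security.Principal.NTAccount]).Value

[pscustomobject]@{
    Name         = $accountName
    SID          = $mySid.Value
    ResolvesBack = $resolved
}
ConvertFrom-Sid $mySid.Value
```

When you see an unresolvable SID in a file's ACL (shown as a raw `S-1-5-21-...` string instead of a name), that is the trace of a deleted account: the permission entry still refers to a SID that no longer exists and can never be reissued.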
There are two general types of accounts that we can create in a Windows environment: local user accounts, which are stored on the computer itself, and domain user accounts, which are stored in Active Directory.
The process of local authentication requires that we authenticate through the Security Accounts Manager (SAM) database, which is located on the local machine itself. When a user goes to log on, the user must provide valid credentials for the log-in process. These credentials consist of a user name and the user's password. Once these credentials are entered, they are checked against the local SAM database. If they are validated, the user is permitted to log on to the computer. When the user logs in, the system loads that user's profile.
An environment in which we don't use a centralized database for user management is typically called a Workgroup (at least when we are talking about Windows). Workgroup computers are computers that are not members of a domain. A workgroup environment is fine if we have a relatively small number of users and computers to manage. For example, if we have one user on one machine and we want to allow that user access to another machine, we have to create an additional user account on that other machine with the same properties in order to allow access. This could work for up to 5 users or even up to 10 users, but it involves a lot of duplication of data. If we compare this to Active Directory (AD), we would only need to create one user account, which is centrally stored in the AD database.
A domain is a grouping of computers that has a centralized collection of user accounts to ease the management of all those users. Domain user accounts are stored on a server called the Domain Controller (DC). When a user tries to log on to a workstation that is a member of the domain, the credentials are validated on the Domain Controller. Users can access resources on all computers in the domain for which their user account has permissions. Domain user accounts have many properties that we can configure. So, domain accounts are used in an Active Directory environment, and the database where all user accounts (among other things) are stored is called Active Directory. If our computer is not in a domain, it uses local authentication through the local SAM database.
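To make the distinction between the two authentication paths concrete, here is an added PowerShell example (not from the original article). It reports whether the machine is in a workgroup or a domain, and then decides whether the current logon was validated against the local SAM or by a domain controller by comparing the SID prefix of the current user with the SID prefix shared by every account in the local SAM. It assumes Windows 10 / Server 2016 or later (for `Get-LocalUser`) and that the built-in Administrator account (RID 500) exists, which it always does even when disabled.

```powershell
# Added example (not from the original article): was this logon checked against
# the local SAM database or validated by a domain controller?
# Assumes Windows 10 / Server 2016 or later (Get-LocalUser, Get-CimInstance).

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Workgroup or domain member?
$membership = if ($cs.PartOfDomain) { "domain '$($cs.Domain)'" }
              else                  { "workgroup '$($cs.Workgroup)'" }

# Every account stored in this machine's SAM shares the machine's SID prefix.
# Read it from the built-in Administrator (RID 500), which is always present.
$machineSid = (Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
    Select-Object -First 1).SID.AccountDomainSid.Value

# The current user's SID carries the prefix of whichever authority issued it:
# the local machine (SAM) or the domain (Active Directory).
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySid = $me.User

$logonDatabase = if ($mySid.AccountDomainSid.Value -eq $machineSid) {
    "local account: credentials were checked in the SAM database on $env:COMPUTERNAME"
} else {
    "domain account: credentials were validated by a domain controller for $env:USERDOMAIN"
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Membership    = $membership
    User          = $me.Name
    SID           = $mySid.Value
    MachineSid    = $machineSid
    LogonDatabase = $logonDatabase
}
```

On a domain-joined machine you can still log on with a local account (for example `.\Administrator`); the script then correctly reports the SAM as the logon database, because what matters is which authority issued the account's SID, not whether the computer happens to be in a domain.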
The great advantage of domain user accounts is that they can be centrally managed. This way we can easily control a large number of users. Since we will be managing users centrally, we should come up with a naming convention for our users. For that we have to be aware of how the different types of names are stored in Active Directory, and whether they have to be unique or not.
User groups in Windows are simply groups of user accounts. We can assign rights and permissions to groups of users the same way we assign rights and permissions to individual users. This is useful when many users need the same privileges on the system: we simply put all those users in the same group and then assign the privileges to that group. All users in the group receive the settings applied to the group. Once we have the groups configured, we can simply add new users to a group to apply its settings to them. Remember that the same user account can be a member of multiple user groups.
Windows operating systems come with some built-in user groups. Some Windows versions will have all of the groups mentioned here, and some won't. These groups have preassigned permissions and rights. Typical user groups in Windows are:
When we find that we no longer need one of those user accounts, it's possible either to delete the account or to disable it. If we delete the user account we delete the corresponding SID. Once the SID is deleted, it can never be reused. That doesn't sound like a huge issue, but sometimes we want to remove a user account only temporarily. For example, if we are getting rid of a user who will be replaced by another person, we can reuse the old user account. So rather than deleting the user account (that is, deleting the SID), we may want to temporarily disable it. That way, when the new user starts to use the computer, we can just rename the old user account to match the new person's name and re-enable it (the SID hasn't changed). What does that mean? All the resources that the previous person had access to, the new user has access to by default, because the SID did not change (the SID governs access to the resources). In most cases we will want to simply disable the user account.
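The following PowerShell is an added example, not from the original article, that walks a local account through the lifecycle described in the two passages above: access is granted through a group rather than directly, the account is disabled when the person leaves, then renamed and re-enabled for the replacement, and the script verifies that the SID and the group membership survive. For contrast it then deletes and recreates the account under the same name to show that this yields a new SID. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later; the account names `jdoe` and `asmith` and the use of the `Remote Desktop Users` group are placeholders for illustration.

```powershell
# Added example (not from the original article): disable/rename keeps the SID,
# delete/recreate does not. Assumes an elevated PowerShell on Windows 10 /
# Server 2016 or later. Account names and the group are placeholders.

$OldName  = 'jdoe'      # departing person (placeholder)
$NewName  = 'asmith'    # replacement who takes over the account (placeholder)
$Group    = 'Remote Desktop Users'
$Password = Read-Host -AsSecureString 'Password for the demo account'

# 1. Create the account and grant access through a group, not directly.
$user = New-LocalUser -Name $OldName -Password $Password -Description 'lifecycle demo'
Add-LocalGroupMember -Group $Group -Member $OldName
$originalSid = $user.SID.Value

# 2. The person leaves: disable instead of delete, so the SID stays reserved.
Disable-LocalUser -Name $OldName

# 3. The replacement arrives: rename and re-enable. The name is only an attribute of the SID.
Rename-LocalUser -Name $OldName -NewName $NewName
Enable-LocalUser -Name $NewName

# 4. Verify: same SID, and the group membership (tracked by SID, not name) carried over.
$renamed = Get-LocalUser -Name $NewName
$inGroup = Get-LocalGroupMember -Group $Group |
           Where-Object { $_.SID.Value -eq $originalSid }

[pscustomobject]@{
    OriginalSid    = $originalSid
    SidAfterRename = $renamed.SID.Value
    SidUnchanged   = ($renamed.SID.Value -eq $originalSid)   # expected: True
    StillInGroup   = [bool]$inGroup                          # expected: True
    Enabled        = $renamed.Enabled                        # expected: True
}

# 5. Contrast: delete and recreate under the same name. The new account gets a
#    fresh RID, so every permission that referenced the old SID is now orphaned.
Remove-LocalUser -Name $NewName
$recreated = New-LocalUser -Name $NewName -Password $Password -Description 'lifecycle demo'
[pscustomobject]@{
    RecreatedSid     = $recreated.SID.Value
    SameAsOriginal   = ($recreated.SID.Value -eq $originalSid)   # expected: False
    StillInGroup     = [bool](Get-LocalGroupMember -Group $Group |
                              Where-Object { $_.SID.Value -eq $originalSid })   # expected: False
}

Remove-LocalUser -Name $NewName    # clean up the demo account
```

The same reasoning applies to domain accounts in Active Directory: disabling keeps the SID and all of the group memberships and ACL entries that reference it, while deleting leaves orphaned SIDs in ACLs across the domain.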
Windows XP, Windows Vista, Windows 7, and Windows 8 include two built-in user accounts:
We cannot delete those accounts. We should rename them to make it harder for unauthorized users to guess a valid user account name. The Guest account is disabled by default.
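Because the built-in accounts are identified by their SIDs and not by their names, the reliable way to find them is by their well-known relative identifiers: RID 500 for Administrator and RID 501 for Guest. The PowerShell below is an added example, not from the original article, that locates both accounts by RID (so it still works if they have already been renamed), applies non-default names, and makes sure Guest remains disabled. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later; the new names are placeholders.

```powershell
# Added example (not from the original article): find the built-in Administrator
# (RID 500) and Guest (RID 501) accounts by SID, rename them, keep Guest disabled.
# Assumes an elevated PowerShell on Windows 10 / Server 2016 or later.

$NewAdminName = 'LocalMaint'        # placeholder name for RID 500
$NewGuestName = 'GuestDisabled'     # placeholder name for RID 501

# Match on the RID at the end of the SID, never on the current name.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' }

foreach ($acct in $builtIn) {
    $rid = [int]($acct.SID.Value -split '-')[-1]
    switch ($rid) {
        500 {
            if ($acct.Name -ne $NewAdminName) {
                Rename-LocalUser -Name $acct.Name -NewName $NewAdminName
            }
        }
        501 {
            if ($acct.Name -ne $NewGuestName) {
                Rename-LocalUser -Name $acct.Name -NewName $NewGuestName
            }
            # Renaming does not change the enabled state; use the new name from here on.
            if ($acct.Enabled) { Disable-LocalUser -Name $NewGuestName }
        }
    }
}

# Report: names changed, SIDs (and therefore RIDs) unchanged.
Get-LocalUser |
    Where-Object { $_.SID.Value -match '-(500|501)$' } |
    Select-Object Name, Enabled,
        @{ n = 'RID'; e = { ($_.SID.Value -split '-')[-1] } },
        @{ n = 'SID'; e = { $_.SID.Value } }
```

Renaming raises the cost of guessing a valid account name, but because the RID is fixed the account is still discoverable through the SID, so it complements, rather than replaces, a strong password and the Guest account staying disabled.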
Predefined user accounts are created during the installation of certain software components. These are normal user accounts with a specific name that the software uses to perform system or other functions. Although we can delete or rename these accounts, the software that created them might not function properly if we do. The following is a list of some of the most common automatically created user accounts:
We have separate articles in which we describe how to work with user accounts and groups in Windows: