Objectives: learn what a user account is, what a SID is, how to switch between users and which database is used for local authentication.
Prerequisites: no prerequisites.
Key terms: user account, security, SID, user switching, SAM database, credentials
Since Windows XP, anyone who wants to use the computer must authenticate before being allowed to do anything on the system. A user account identifies one specific user. When signing in to the system, the user has to supply two things: the user name and the password. Every user has specific rights on the system. User rights determine which actions a user is allowed to perform. For example, some users will have the right to install applications, some will have the right to modify system settings, etc. Permissions define what a specific user can do with files, folders, and other objects on the system. For example, some users will have permission only to read a file, while others will have permission to both read and edit it.
Windows provides an environment that supports multiple logged-in users simultaneously. We can leave the computer with our applications still running, and someone else can log on and use resources on the same machine. When they are done, they can log off, and we can switch back to our account and continue our work. In order for this feature to work we need user accounts. User accounts greatly simplify controlling access to the computer's resources.
User accounts are created either during the installation, or after the installation with the utility that lets us manage user accounts. With each user account comes a user profile, which contains the user-specific settings that the system uses to customize that user's Windows environment. Profiles hold the settings that are unique to each user, such as different desktop backgrounds, favorites, files, etc.
As we get into user account management, we need to understand how a user account is created inside the system. In Windows each user account is represented by a Security Identifier (SID). The system identifies each user account by its Security Identifier, not by the user account name. When we create a new user account, what we really do is create a new SID. As a user logs in, the system activates the SID and loads the corresponding user profile. The user name is really nothing more than an attribute of the SID. There is a lot of information that we can store about users (address, telephone numbers, e-mail address, company information, etc.), but the key thing to remember is that all of that information revolves around the SID. An example of a SID is: "S-1-5-21-3623811015-3361044348-30300820-1013".
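To make the structure of a SID concrete, here is an added PowerShell example (not code from the original article) that splits the SID quoted above into its fields using the .NET `System.Security.Principal.SecurityIdentifier` class, compares two SIDs from the same account database, and, when run in a Windows session, shows that the account name is looked up from the SID rather than the other way round. The second SID with RID 500 is a constructed value for the comparison; `Split-Sid` is a helper name chosen for this example.

```powershell
# Added example (not from the original article): dissect a SID into the parts Windows
# actually compares, and show that the name is only an attribute resolved from the SID.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    # Constructing the object validates the string format (throws on a malformed SID).
    $sid   = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    $parts = $SidString.Split('-')
    # Layout: S - revision - identifier authority - sub-authorities... - RID
    $domainSid = $null
    if ($sid.IsAccountSid()) { $domainSid = $sid.AccountDomainSid.Value }

    [pscustomobject]@{
        Sid                 = $sid.Value
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int]$parts[2]                      # 5 = NT Authority
        SubAuthorities      = $parts[3..($parts.Count - 2)] -join '-'
        RelativeId          = [int]$parts[-1]                     # RID: unique per account in this database
        DomainSid           = $domainSid                          # everything except the RID
    }
}

# The example SID from the article. RID 1013 is an ordinary account created after
# installation; RIDs below 1000 are reserved (e.g. 500 = Administrator, 501 = Guest).
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1013' | Format-List

# Two SIDs that differ only in the RID belong to the same machine/domain database.
$a = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-3623811015-3361044348-30300820-1013'
$b = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-3623811015-3361044348-30300820-500'  # constructed value
"Same account database: $($a.IsEqualDomainSid($b))"   # True

# In a live Windows session the name is resolved from the SID; the name itself is
# not what the system uses to identify the account.
try {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    "Current user SID : $($me.User.Value)"
    "Resolves to name : $($me.User.Translate([System.Security.Principal.NTAccount]).Value)"
} catch {
    "SID-to-name lookup needs a Windows session: $($_.Exception.Message)"
}
```

The `Split-Sid` part runs anywhere PowerShell is available; only the last step needs a Windows logon session, because the name lookup has to consult the local SAM or a Domain Controller.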
There are two types of accounts that we can create:
A domain is a grouping of computers with a centralized collection of user accounts, which eases the management of all those users. Domain user accounts are stored on a server called the Domain Controller (DC). When a user tries to log on to a workstation that is a member of a domain, the user's credentials are validated on the Domain Controller. So, domain accounts are used in an Active Directory environment, and the database in which all user accounts (among other things) are stored is called Active Directory. If our computer is not on a domain, it will use local authentication through the local SAM database.
Local authentication means that we authenticate against the Security Accounts Manager (SAM) database, which is located on the local machine itself. When a user goes to log on, the user must provide valid credentials for the logon process. These credentials consist of a user name and the user's password. Once the credentials are entered, they are checked against the local SAM database. If they are validated, the user is permitted to log on to the computer. When the user logs in, the system loads that user's profile.
User groups in Windows are simply groups of user accounts. We can assign rights and permissions to groups of users the same way we apply rights and permissions to individual users. This is very useful when many users must have the same privileges on the system: we simply put all of those users in the same group and then apply privileges to that group. All users in the group receive the settings that are applied to the group. Once we have all groups configured, we can simply add new users to a group to give them the corresponding settings. Remember that the same user account can be a member of multiple user groups.
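Because a user can sit in several groups and receives the union of their rights, the practical question is "which groups is this account actually in, and who is in the privileged ones?". The following added PowerShell example (not from the original article) answers both, matching members by SID rather than by name. It assumes the `Microsoft.PowerShell.LocalAccounts` module, which ships with Windows 10 and Windows Server 2016 and later (not with Windows XP); `Get-LocalGroupsForUser` is a helper name chosen for this example.

```powershell
# Added example (not from the original article): audit local group membership by SID.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).
function Get-LocalGroupsForUser {
    param([Parameter(Mandatory)][string]$UserName)

    $user = Get-LocalUser -Name $UserName -ErrorAction Stop
    foreach ($group in Get-LocalGroup) {
        # Get-LocalGroupMember can fail on a group that still references a deleted SID;
        # skip such a group instead of aborting the whole audit.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        # Compare the SID string, not the display name: names can be renamed, SIDs cannot.
        if ($members | Where-Object { $_.SID.Value -eq $user.SID.Value }) {
            [pscustomobject]@{
                Group    = $group.Name
                GroupSid = $group.SID.Value
                User     = $user.Name
                UserSid  = $user.SID.Value
            }
        }
    }
}

# Every group the current user belongs to (rights are inherited from all of them).
Get-LocalGroupsForUser -UserName $env:USERNAME | Format-Table -AutoSize

# Who holds administrative rights on this machine? Locate the group by its well-known
# SID S-1-5-32-544 (the built-in Administrators group on every Windows installation),
# so the check still works if someone has renamed the group.
$admins = Get-LocalGroup | Where-Object { $_.SID.Value -eq 'S-1-5-32-544' }
Get-LocalGroupMember -Group $admins | Select-Object Name, SID, PrincipalSource, ObjectClass
```

The `PrincipalSource` column distinguishes local SAM accounts from domain or Microsoft accounts that have been added to a local group, which is exactly the distinction between the SAM database and Active Directory made above.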
Windows operating systems come with a number of built-in user groups. Some Windows versions have all of the groups mentioned here, and some don't. These groups have preassigned permissions and rights. Typical user groups in Windows are:
When we find that we no longer need one of those user accounts, we can either delete the account or disable it. If we delete the user account, we delete the corresponding SID. Once the SID is deleted, it can never be reused. That doesn't sound like a huge issue, but often the reason we want to remove a user account is only temporary. For example, if a user is leaving and will be replaced by another person, we can reuse the old user account. So rather than deleting the user account (that is, deleting the SID), we may want to temporarily disable it. That way, when the new person starts using the computer, we can simply rename the old user account to match the new person's name and re-enable it (the SID hasn't changed). What does that mean? All the resources that the previous person had access to, the new user has access to by default, because the SID did not change (the SID governs access to the resources). In most cases we will want to simply disable the user account.
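The disable-rename-re-enable procedure described above, written as an added PowerShell example (not code from the original article). It assumes the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later; on Windows XP the equivalent is the `net user` command); the account names `jdoe` and `asmith` are placeholders and `Rename-RetiredLocalUser` is a helper name chosen here. The function records the SID before making any change and verifies afterwards that it is unchanged, which is the whole point of disabling instead of deleting.

```powershell
# Added example (not from the original article): retire one person's account by
# disabling and renaming it so the SID, and every permission tied to it, survives
# for the replacement. Requires Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+).
function Rename-RetiredLocalUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldName,
        [Parameter(Mandatory)][string]$NewName
    )

    $before    = Get-LocalUser -Name $OldName -ErrorAction Stop
    $sidBefore = $before.SID.Value

    if ($PSCmdlet.ShouldProcess($OldName, "disable, rename to '$NewName' and re-enable")) {
        # 1. Disable first: the previous person can no longer log on, nothing is destroyed.
        Disable-LocalUser -Name $OldName
        # 2. Rename: the name is only an attribute of the SID.
        Rename-LocalUser -Name $OldName -NewName $NewName
        # 3. Re-enable once the new person starts (until then, leave it disabled).
        Enable-LocalUser -Name $NewName

        $after = Get-LocalUser -Name $NewName
        if ($after.SID.Value -ne $sidBefore) { throw "SID changed unexpectedly for $NewName" }
        [pscustomobject]@{
            Name         = $after.Name
            Sid          = $after.SID.Value
            Enabled      = $after.Enabled
            SidUnchanged = ($after.SID.Value -eq $sidBefore)   # always $true here
        }
    }
}

# Dry run with placeholder names: -WhatIf reports the steps without touching the SAM.
Rename-RetiredLocalUser -OldName 'jdoe' -NewName 'asmith' -WhatIf

# Contrast: deleting destroys the SID. Access-control entries that referenced it are
# left as unresolvable 'S-1-5-21-...' orphans and can never be reclaimed.
# Remove-LocalUser -Name 'jdoe'   # deliberately left commented out
```

Two things the rename does not do: it does not change the password, so the new person should get a fresh one (`Set-LocalUser -Name asmith -Password (Read-Host -AsSecureString)`), and it does not rename the profile folder, which is tied to the SID and keeps the old name and the previous person's files. Whether handing over the old data is acceptable should be decided before the account is reused.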
Windows XP Professional includes two built-in user accounts:
We cannot delete those accounts. We should rename them to make it harder for unauthorized users to guess a user account name. The Guest account is disabled by default.
Predefined user accounts are created during the installation of certain software components. These are normal user accounts with a specific name that the software uses to perform system or other functions. Although we can delete or rename these accounts, the software that created them might not function properly if we do. The following is a list of some of the most common automatically created user accounts:
We have separate articles in which we describe how to work with user accounts and groups in Windows: