Built-In Accounts

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


from Chapter 4, Windows NT Administrator's Pocket Consultant by William R. Stanek.

When you install Windows NT, the operating system installs the built-in user and group accounts. These accounts are designed to provide the basic setup necessary to grow your network. Although you can modify these user and group accounts, you can't delete them.

Note: Windows NT identifies an account by its security identifier (SID), not by its name. If a built-in account were deleted and then re-created under the same name, the new account would receive a different SID, and every permission and privilege that had been granted to the old SID would no longer apply to it. Because there is no way to re-create a built-in account with its original SID, Windows NT doesn't let you delete built-in accounts.

Built-In User Accounts

Built-in user accounts are installed with all Windows NT workstations and servers. On a domain controller they are the domain's accounts and have domain-wide reach; on a workstation or stand-alone server they are local to that computer. The built-in accounts are Administrator, Guest, and System.

The Administrator Account

Administrator provides complete access to files, directories, services, and other facilities. The account cannot be deleted or disabled. On a domain controller, this is the domain's Administrator account and has domain-wide access and privileges; on a workstation or stand-alone server, the local Administrator account generally has access only to that system. Files and directories can be protected from the Administrator temporarily, but the Administrator can retake control of them at any time by taking ownership and changing the access permissions. For more information, see Chapter 9, "Managing Files and Directories."

Tip To prevent unauthorized access to the system, give the account an especially strong password. Because Administrator is a well-known Windows NT account name, you may also want to rename it as an extra precaution. Keep in mind that renaming changes only the display name: the account keeps its well-known SID (relative identifier 500 within the computer or domain SID), so anyone who can enumerate accounts by SID can still pick it out. Treat renaming as a minor obstacle, not as a substitute for a strong password and auditing of failed logons.
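The Note on SIDs and the Tip on renaming both come down to the same point: Windows NT binds permissions to SIDs, and the built-in accounts and groups have fixed, well-known SIDs or relative identifiers (RIDs). The following Python script is an added example, not code from the chapter. It parses textual SIDs and identifies built-in principals by their well-known values (Administrator is RID 500, Guest is 501, the BUILTIN groups live under S-1-5-32, the implicit groups have fixed universal SIDs), so it finds the real Administrator account even after it has been renamed and ignores a decoy that merely borrows the name. The sample computer SID, the account names, and the `locate_builtin_accounts` helper are constructed for illustration.

```python
"""Identify Windows NT built-in principals by SID instead of by name.

Added example, not code from the original chapter.  The well-known SIDs and
relative identifiers (RIDs) are those defined by the Windows security model;
the sample computer SID (S-1-5-21-...) and the account names are constructed.
"""
import re

# Universal and NT-authority well-known SIDs: the implicit groups and the System account.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-2": "Network",
    "S-1-5-4": "Interactive",
    "S-1-5-18": "System",
}

# Built-in local groups are aliases in the fixed BUILTIN domain S-1-5-32.
BUILTIN_GROUPS = {
    544: "Administrators",
    545: "Users",
    546: "Guests",
    547: "Power Users",
    548: "Account Operators",
    549: "Server Operators",
    550: "Print Operators",
    551: "Backup Operators",
    552: "Replicator",
}

# Built-in accounts and global groups have fixed RIDs under the computer or domain SID.
DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a textual SID: {sid!r}")
    return int(m.group(1)), [int(s) for s in m.group(2).split("-")[1:]]


def classify_sid(sid):
    """Return the built-in principal a SID denotes, or None for an ordinary account."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return BUILTIN_GROUPS.get(subs[1])
    # Computer and domain SIDs have the form S-1-5-21-<a>-<b>-<c>; the last value is the RID.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return DOMAIN_RIDS.get(subs[4])
    return None


def locate_builtin_accounts(accounts):
    """Map each built-in account or group to the name it currently carries in the SAM.

    `accounts` is {display_name: sid}.  A renamed Administrator still shows up
    under 'Administrator' here, and a decoy that merely borrows the name does not.
    """
    found = {}
    for name, sid in accounts.items():
        builtin = classify_sid(sid)
        if builtin is not None:
            found[builtin] = name
    return found


# Constructed SAM listing for a computer whose SID is S-1-5-21-1004336348-1177238915-682003330.
SAMPLE_ACCOUNTS = {
    "Administrator": "S-1-5-21-1004336348-1177238915-682003330-1005",  # decoy created later, RID 1005
    "ops-root": "S-1-5-21-1004336348-1177238915-682003330-500",        # the real, renamed Administrator
    "Guest": "S-1-5-21-1004336348-1177238915-682003330-501",
    "wstanek": "S-1-5-21-1004336348-1177238915-682003330-1001",
    "Domain Admins": "S-1-5-21-1004336348-1177238915-682003330-512",
    "Backup Operators": "S-1-5-32-551",
}

if __name__ == "__main__":
    for builtin, name in sorted(locate_builtin_accounts(SAMPLE_ACCOUNTS).items()):
        print(f"{builtin:<18} is currently named {name!r}")
```

On a live system the same classification applies to the SIDs you get from any tool that lists accounts with their SIDs; the point is to audit by RID, not by the name shown in User Manager.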

Figure 4-3 shows the User Properties dialog box for the Administrator account on a newly installed system. In most instances you won't need to change the basic settings for this account. However, you may need to change the advanced settings for the account, such as membership in particular groups. By default, the Administrator is a member of these groups: Administrators, Domain Admins, and Domain Users. You'll find more information on these groups in the next section.

Real World In a domain environment, you will use the Administrator account primarily to set up the system when you first install it, so that you can't be locked out before other accounts exist. Once the system is running, you probably won't use the account day to day. Instead, make your administrators members of the Administrators group (or Domain Admins). That way you can revoke an individual's administrative access by removing a group membership rather than by changing a shared Administrator password that other people also know.

For a system that is part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties. Here, you probably won't want to set up individual accounts for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer.


Figure 4-3: When you install Windows NT, the Administrator account has these basic settings. To ensure that the account remains valid, the Password Never Expires check box should remain checked.

The Guest Account

Guest is designed for users who need one-time or occasional access. While guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system up to potential security problems. The potential is so great that the account is initially disabled when you install Windows NT 4.0.

Tip If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, as an added security precaution you may want to rename the account.

Figure 4-4 shows the User Properties dialog box for the Guest account on a newly installed system. If you decide to use the account, you will need to deselect the Account Disabled check box. By default, the Guest account is the only member of the group Domain Guests. Domain Guests are in turn members of the Guests group. Because of these settings, the Guest account has domain-wide access in a Windows NT domain.

Caution: The Guest account can inadvertently grant network access to anyone. When the Guest account is enabled and a connection arrives from the network with a user name the computer does not recognize, Windows NT maps the request to Guest instead of rejecting it. If Guest has no password, the caller is connected without ever supplying valid credentials and gets whatever access Guest and the Everyone group have on the computer's shares. The drive-root shares created at installation (C$ and so on) require administrative rights, but any share whose permissions include Everyone, which is the default permission on a newly created share, is reachable this way.
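A quick way to check for the exposure the Caution describes is to read the state of the Guest account from `net user Guest`, which prints whether the account is active and whether a password is required. The Python below is an added example, not code from the chapter; the sample output is constructed in the format the `net user <name>` command prints, and `parse_net_user` and `guest_exposure` are hypothetical helper names. Run the real command, capture its text, and pass it to `guest_exposure` to audit a live system.

```python
"""Check whether the Guest account is exposed, from the output of `net user Guest`.

Added example, not from the original chapter.  The sample output below is
constructed in the format the `net user <name>` command prints; feed the real
command's output to guest_exposure() to audit a live system.
"""
import re

# Constructed output of `net user Guest` for an enabled Guest account with no password.
SAMPLE_NET_USER_GUEST = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/15/1999 9:02 AM
Password expires             Never
Password changeable          1/15/1999 9:02 AM
Password required            No
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Guests
Global Group memberships     *Domain Guests
The command completed successfully.
"""


def parse_net_user(text):
    """Turn `net user <name>` output into {field: value}.

    Fields are separated from values by two or more spaces; a line that starts
    with whitespace continues the previous field (long group lists wrap that way).
    """
    fields = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last is not None:
            fields[last] = (fields[last] + " " + raw.strip()).strip()
            continue
        parts = re.split(r"\s{2,}", raw.rstrip(), maxsplit=1)
        key = parts[0]
        fields[key] = parts[1] if len(parts) > 1 else ""
        last = key
    return fields


def guest_exposure(text):
    """Return ("HIGH"|"MEDIUM"|"LOW"|"NONE", [findings]) for a Guest account listing."""
    f = parse_net_user(text)
    findings = []
    enabled = f.get("Account active") == "Yes"
    no_password = f.get("Password required") == "No"
    groups = f.get("Local Group Memberships", "") + " " + f.get("Global Group memberships", "")
    if enabled:
        findings.append("Guest is enabled: network logons with unknown user names fall back to it")
    if no_password:
        findings.append("Guest is exempt from the password requirement (blank password allowed)")
    if "*Domain Guests" in groups:
        findings.append("Guest is a member of Domain Guests, so its reach is domain-wide")
    if enabled and no_password:
        level = "HIGH"
    elif enabled:
        level = "MEDIUM"
    elif no_password:
        level = "LOW"
    else:
        level = "NONE"
    return level, findings


if __name__ == "__main__":
    level, findings = guest_exposure(SAMPLE_NET_USER_GUEST)
    print(level)
    for line in findings:
        print(" -", line)
```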


Figure 4-4: When you first install Windows NT, the Guest account has these basic settings. As you see, the account is disabled by default. To enable the account, deselect the Account Disabled check box.

The System Account

System is a pseudo-account for running system processes and handling system-level tasks. You can't change the settings for the System account with the user administration tools. Users can't log on to a computer with this account.

Note: While users cannot log on to a computer with the System account, certain processes can log on using this account. For example, Windows NT services can be configured to log on to a computer using the System account. For more information, see Chapter 3, "Configuring Service Logon."

When you install add-ons or other applications on a workstation or server, other default accounts may be installed. For example, when you install the Windows NT 4.0 Option Pack, you may find several new accounts including IUSR_host and IWAM_host, where host is the computer name. These accounts are designed to be used with the applications in the Option Pack.

Built-In Group Accounts

Built-in group accounts are installed with all Windows NT workstations and servers. Use the built-in group accounts to grant a user the group's privileges and permissions. You do this by making the user a member of the group. For example, by making a user a member of the Administrators group, you give the user administrative access to the system.

Built-in groups include both local and global group types as well as implicit group types. Membership in an implicit group is determined by how the user is accessing the resource: Interactive for a user logged on at the console, Network for a user connecting over the network, and Everyone for any user at all. You cannot explicitly add a person to an implicit group, and the implicit groups are not displayed in User Manager; they appear only where you assign permissions or user rights, such as file and share permissions and the User Rights policy.

Unlike built-in user accounts, which are always available, the availability of a specific built-in group depends on the current configuration. Use Table 4-2 to determine the availability of the various built-in groups. Each of these groups is discussed in detail later in this chapter.

Table 4-2 Availability of Built-In Groups Based on the Type of Network Resource

| Group Name        | Group Type | Domain Controllers in a Windows NT Domain | Other Windows NT Servers and Workstations in a Domain | Windows NT Computers Not Part of a Domain |
|-------------------|------------|-----|-----|-----|
| Account Operators | Local      | Yes | No  | No  |
| Administrators    | Local      | Yes | Yes | Yes |
| Backup Operators  | Local      | Yes | Yes | Yes |
| Creator Owner     | Implicit   | Yes | Yes | Yes |
| Domain Admins     | Global     | Yes | Yes | No  |
| Domain Guests     | Global     | Yes | Yes | No  |
| Domain Users      | Global     | Yes | Yes | No  |
| Everyone          | Implicit   | Yes | Yes | Yes |
| Guests            | Local      | Yes | Yes | Yes |
| Interactive       | Implicit   | Yes | Yes | Yes |
| Network           | Implicit   | Yes | Yes | Yes |
| Power Users       | Local      | No  | Yes | Yes |
| Print Operators   | Local      | Yes | No  | No  |
| Replicator        | Local      | Yes | Yes | Yes |
| Server Operators  | Local      | Yes | No  | No  |
| System            | Implicit   | Yes | Yes | Yes |
| Users             | Local      | Yes | Yes | Yes |

Account Privileges and Permissions

When you set up a user account, you can grant the user specific privileges. Generally, these privileges are assigned by making the user a member of one or more groups and thus giving the user the privileges of these groups. You can assign additional privileges by making a user a member of the appropriate groups. You can withdraw privileges by removing group membership.

In Windows NT, various types of privileges can be assigned to an account. These privileges include

  • Built-in capabilities Assigned to group accounts and include the automatic privileges of the account. These capabilities are predefined and can't be changed. An example of a built-in capability is the ability to create and manage user accounts, which is assigned to Administrators and Account Operators. Thus, a member of the Administrators group can create and manage user accounts.

  • Access permissions Define the operations that can be performed on network resources. You can assign access permissions to both user and group accounts. An example of an access permission is the ability to create a file in a directory. Access permissions are discussed in Chapter 8.

  • User rights Set privileges for specific administrative tasks. As with access permissions, you can assign user rights to both user and group accounts. An example of a user right is the ability to shut down the system. You manage user rights with the User Manager administration tools. Select User Rights on the Policies menu. (For additional information and descriptions of rights, see Chapter 5.)

As an administrator, you'll be dealing with account privileges on a daily basis. To help track built-in capabilities and default user rights, refer to Tables 4-3, 4-4, 4-5, and 4-6. These tables summarize the built-in capabilities and rights for groups. As you study the tables, please note how they are organized. Capabilities and rights are listed in alphabetical order. Groups are listed according to their level of privilege. Administrators have the most privileges and are listed on the far left. Guests have the fewest privileges and are listed on the far right.

Keep in mind that while you can't change the built-in capabilities of a group, you can change the default rights of a group. For example, an administrator could revoke network access to a computer by removing a group's right to access the computer from the network.

User Rights for Domain Controllers

Table 4-3 shows the default user rights on Windows NT servers that are acting as primary or backup domain controllers. As you read the table, note that all user rights—both basic and advanced—are shown. An X in a column means the group has the privilege. If the column is empty, it means the group does not have the privilege. For example, using the table, you can see that only Administrators have permission to add workstations to a Windows NT domain.

Table 4-3 Default User Rights for Groups on Windows NT Domain Controllers

| User right | Administrators | Server Operators | Account Operators | Backup Operators | Print Operators | Everyone | Users | Guests |
|---|---|---|---|---|---|---|---|---|
| Access this computer from network | X | | | | | X | | |
| Act as part of the operating system | | | | | | | | |
| Add workstations to domain | X | | | | | | | |
| Back up files and directories | X | X | | X | | | | |
| Bypass traverse checking | | | | | | X | | |
| Change the system time | X | X | | | | | | |
| Create a pagefile | X | | | | | | | |
| Create a token object | | | | | | | | |
| Create permanent shared objects | | | | | | | | |
| Debug programs | X | | | | | | | |
| Force shutdown from a remote system | X | X | | | | | | |
| Generate security audits | | | | | | | | |
| Increase quotas | X | | | | | | | |
| Increase scheduling priority | X | | | | | | | |
| Load and unload device drivers | X | | | | | | | |
| Lock pages in memory | | | | | | | | |
| Log on as a batch job | | | | | | | | |
| Log on as a service | | | | | | | | |
| Log on locally | X | X | X | X | X | | | |
| Manage auditing and security log | X | | | | | | | |
| Modify firmware environment values | X | | | | | | | |
| Profile single process | X | | | | | | | |
| Profile system performance | X | | | | | | | |
| Replace a process level token | | | | | | | | |
| Restore files and directories | X | X | | X | | | | |
| Shut down the system | X | X | X | X | X | | | |
| Take ownership of files or other objects | X | | | | | | | |

Built-In Capabilities for Domain Controllers

Table 4-4 shows the built-in capabilities for Windows NT servers acting as primary or backup domain controllers. As you study the table, note that restricted accounts include the Administrator user account, the user accounts of administrators, and the group accounts for Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Because these accounts are restricted, Account Operators can't create or modify them.

Table 4-4 Built-In Capabilities for Groups on Domain Controllers

| Built-in capability | Administrators | Server Operators | Account Operators | Backup Operators | Print Operators | Everyone | Users | Guests |
|---|---|---|---|---|---|---|---|---|
| Assign user rights | X | | | | | | | |
| Create and manage restricted groups and users | X | | | | | | | |
| Create and manage unrestricted groups and users | X | | X | | | | | |
| Create common program groups | X | X | | | | | | |
| Format server's disk drive | X | X | | | | | | |
| Have local profile | X | X | X | X | X | | | |
| Lock server | X | X | | | | X | | |
| Manage auditing of system events | X | | | | | | | |
| Override server lock | X | X | | | | | | |
| Share directories | X | X | | | | | | |
| Share printers | X | X | | | X | | | |

User Rights for Non-Domain Controllers

Table 4-5 shows the default user rights on stand-alone Windows NT servers and Windows NT workstations. Note that on these systems, Power Users have rights that normal users don't. Note also that any right granted to the Everyone group is effectively held by every account, including members of the Guests group. This means that although the Guests group is not explicitly granted the right to access the computer from the network, Guests can still reach the system over the network because the Everyone group has this right.
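The rule that a right granted to Everyone reaches every account follows from how an access token is built: the user's explicit memberships are expanded through nested groups (the chapter's default nesting of Domain Admins, Domain Users and Domain Guests into Administrators, Users and Guests), the implicit groups Everyone and Interactive or Network are added according to how the user arrived, and the user holds the union of the rights of every group in the token. The Python below is an added example, not code from the chapter, that models this with a subset of the default rights from Tables 4-3 and 4-5. It shows why Guest cannot log on at a domain controller's console but can reach it over the network, why it can do both on a workstation, and how withdrawing a default right from a group (what you do under Policies > User Rights in User Manager) closes that door. The functions and the accounts are constructed; the rights data is the chapter's.

```python
"""Effective user rights from explicit, nested and implicit group membership.

Added example, not from the original chapter.  The rights data is a subset of
Tables 4-3 and 4-5 (default rights on a domain controller and on a workstation
or stand-alone server); the nesting of the Domain Admins/Users/Guests global
groups into local groups is the chapter's default; the accounts are constructed.
"""

# Which built-in groups hold each right by default.  Subset of Tables 4-3 and 4-5.
DEFAULT_RIGHTS = {
    "domain controller": {
        "Access this computer from network": {"Administrators", "Everyone"},
        "Log on locally": {"Administrators", "Server Operators", "Account Operators",
                           "Backup Operators", "Print Operators"},
        "Shut down the system": {"Administrators", "Server Operators", "Account Operators",
                                 "Backup Operators", "Print Operators"},
        "Back up files and directories": {"Administrators", "Server Operators", "Backup Operators"},
        "Take ownership of files or other objects": {"Administrators"},
    },
    "workstation": {
        "Access this computer from network": {"Administrators", "Power Users", "Everyone"},
        "Log on locally": {"Administrators", "Power Users", "Backup Operators",
                           "Everyone", "Users", "Guests"},
        "Shut down the system": {"Administrators", "Power Users", "Backup Operators",
                                 "Everyone", "Users"},
        "Back up files and directories": {"Administrators", "Backup Operators"},
        "Take ownership of files or other objects": {"Administrators"},
    },
}

# Default nesting of the global groups into local groups on a domain controller.
GLOBAL_IN_LOCAL = {
    "Domain Admins": {"Administrators"},
    "Domain Users": {"Users"},
    "Domain Guests": {"Guests"},
}


def token_groups(explicit, logon_type):
    """Groups that end up in the access token.

    Explicit memberships are expanded through the global->local nesting, then the
    implicit groups are added: Everyone always, plus Interactive or Network
    depending on how the user reached the computer.
    """
    if logon_type not in ("interactive", "network"):
        raise ValueError("logon_type must be 'interactive' or 'network'")
    groups = set(explicit)
    for g in list(groups):
        groups |= GLOBAL_IN_LOCAL.get(g, set())
    groups.add("Everyone")
    groups.add("Interactive" if logon_type == "interactive" else "Network")
    return groups


def effective_rights(rights_table, explicit, logon_type):
    """Union of the rights of every group in the token; a right granted to
    Everyone is therefore held by every account, Guests included."""
    groups = token_groups(explicit, logon_type)
    return {right for right, holders in rights_table.items() if groups & holders}


def logon_permitted(rights_table, explicit, logon_type):
    """An interactive logon needs 'Log on locally'; a network logon needs
    'Access this computer from network'."""
    needed = ("Log on locally" if logon_type == "interactive"
              else "Access this computer from network")
    return needed in effective_rights(rights_table, explicit, logon_type)


def revoke_right(rights_table, group, right):
    """Copy of the table with `group` removed from `right`, which is what
    withdrawing a default right in User Manager (Policies > User Rights) does."""
    table = {r: set(h) for r, h in rights_table.items()}
    table[right].discard(group)
    return table


if __name__ == "__main__":
    dc, ws = DEFAULT_RIGHTS["domain controller"], DEFAULT_RIGHTS["workstation"]
    print("Guest at DC console:", logon_permitted(dc, {"Domain Guests"}, "interactive"))
    print("Guest to DC over network:", logon_permitted(dc, {"Domain Guests"}, "network"))
    print("Guest at workstation console:", logon_permitted(ws, {"Guests"}, "interactive"))
    # Removing Everyone's network right closes that door for Guest but not for admins.
    locked = revoke_right(ws, "Everyone", "Access this computer from network")
    print("Guest to locked-down workstation:", logon_permitted(locked, {"Guests"}, "network"))
    print("Admin to locked-down workstation:", logon_permitted(locked, {"Administrators"}, "network"))
```

The same model explains the revocation advice earlier in this chapter: removing a user from a group removes that group from the token, and removing a group from a right removes it from every token that relies on that group, with no password changes involved.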

Table 4-5 Default User Rights for Other Computers in Windows NT Domains

| User right | Administrators | Power Users | Backup Operators | Everyone | Users | Guests |
|---|---|---|---|---|---|---|
| Access this computer from network | X | X | | X | | |
| Act as part of the operating system | | | | | | |
| Add workstations to domain | X | | | | | |
| Back up files and directories | X | | X | | | |
| Bypass traverse checking | | | | X | | |
| Change the system time | X | X | | | | |
| Create a pagefile | X | | | | | |
| Create a token object | | | | | | |
| Create permanent shared objects | | | | | | |
| Debug programs | X | | | | | |
| Force shutdown from a remote system | X | X | | | | |
| Generate security audits | | | | | | |
| Increase quotas | X | | | | | |
| Increase scheduling priority | X | | | | | |
| Load and unload device drivers | X | | | | | |
| Lock pages in memory | | | | | | |
| Log on as a batch job | | | | | | |
| Log on as a service | | | | | | |
| Log on locally | X | X | X | X | X | X |
| Manage auditing and security log | X | | | | | |
| Modify firmware environment values | X | | | | | |
| Profile single process | X | | | | | |
| Profile system performance | X | | | | | |
| Replace a process level token | | | | | | |
| Restore files and directories | X | | X | | | |
| Shut down the system | X | X | X | X | X | |
| Take ownership of files or other objects | X | | | | | |

Built-In Capabilities for Non-Domain Controllers

Table 4-6 shows the built-in capabilities for stand-alone Windows NT servers and workstations. Note that members of the Users group can only modify local groups they create. Note also that although Power Users can work with user and group accounts, there are many restrictions. Power Users can only modify user accounts that they create. Further, although they can create new local groups, they can only modify these local groups and the groups for Users, Guests, and Power Users.

Table 4-6 Built-In Capabilities for Other Computers in Windows NT Domains

| Built-in capability | Administrators | Power Users | Backup Operators | Everyone | Users | Guests |
|---|---|---|---|---|---|---|
| Assign user rights | X | | | | | |
| Create and manage local groups | X | X | | | X | |
| Create and manage users | X | X | | | | |
| Create common program groups | X | X | | | | |
| Format computer's disk drive | X | | | | | |
| Have local profile | X | X | X | | X | |
| Lock computer | X | X | | X | | |
| Manage auditing of system events | X | | | | | |
| Override computer lock | X | | | | | |
| Share directories | X | X | | | | |
| Share printers | X | X | | | | |

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
