Export (0) Print
Expand All
5 out of 7 rated this helpful - Rate this topic

How Security Principals Work

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How Security Principals Work

In this section

Security principals include the following:

  • Any entity that can be authenticated by the system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.

  • Security groups of these accounts.

Every security principal is automatically assigned a security identifier (SID) when it is created.

Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Local users and security groups are created on a local computer and can be used to manage access to resources on that computer. Local user accounts and groups are managed by the Security Accounts Manager (SAM) on the local computer.

Active Directory Accounts and Security Groups

Active Directory user accounts and computer accounts can represent a physical entity, such as a computer or person. User accounts can also be used as dedicated service accounts for some applications. Groups are used to collect user accounts, computer accounts, and other groups into manageable units.

In Windows Server 2003 there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there are two types of administrative responsibility. Service administrators are responsible for maintaining and delivering the directory service, including domain controller management and directory service configuration. Data administrators are responsible for maintaining the data that is stored in the directory service and on domain member servers and workstations.

It is important to understand which default accounts and groups are service administrators. Service administration accounts and groups have the most widespread power in the network environment and require the most protection.

User Accounts

User accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC) and by using command-line tools. In addition, built-in accounts are created when you create the Active Directory domain.

Built-in User Accounts

The Users container in Active Directory Users and Computers displays the built-in user accounts: Administrator, Guest, KRBTGT, and Support_388945a0. These built-in user accounts are created automatically when you create the domain. The HelpAssistant account is installed when a Remote Assistance session is established.

Each built-in account has a different combination of rights and permissions. The Administrator account has the most extensive rights and permissions over the domain, while the Guest account has limited rights and permissions.

Some of the administrative accounts that are listed in these tables are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.

This security descriptor is present on the AdminSDHolder object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object so that it will be applied consistently. Be careful when making these modifications, because you are also changing the default settings that will be applied to all of your protected administrative accounts.

The following table describes each default user account on domain controllers running Windows Server 2003.

Built-in User Accounts on Domain Controllers Running Windows Server 2003

Administrator

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-500

Type

User

Default container

CN=Users, DC=<domain>, DC=

Default members

N/A

Default member of

Administrators, Domain Admins, Enterprise Administrators, Domain Users

(Membership in Domain Users is due to the fact that the Primary Group ID of all user accounts is Domain Users.)

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

No

Notes

This account is the first account created during installation of the operating system. The account cannot be deleted or locked out, but it can be renamed or disabled. It is a member of the Administrators group and cannot be removed from that group.

The Administrator account is a default member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups in Active Directory. The Administrator account is known to exist on many versions of Windows; therefore, renaming or disabling this account makes it more difficult for malicious users to try and gain access to it.

When the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode.

Guest

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-501

Type

User

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Domain Guests, Guests

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Can be moved out, but it is not recommended.

Safe to delegate management of this group to non-Service admins?

No

Notes

A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled, and it is recommended that it stay disabled.

You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to log on to a domain.

HelpAssistant

 

Attribute Value

Type

User

Default container

CN=Users, DC=<domain>, DC=

Notes

The primary account that is used to establish a Remote Assistance session. This account has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and is automatically deleted if no Remote Assistance requests are pending.

KRBTGT

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-502

Type

User

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Domain Users (This membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Can be moved out, but it is not recommended.

Safe to delegate management of this group to non-Service admins?

No

Notes

A service account that is used by the Key Distribution Center (KDC) service.

Support_388945a0

 

Attribute Value

Type

User

Default container

CN=Users, DC=<domain>, DC=

Notes

The Support_388945a0 account enables Help and Support Service interoperability with signed scripts. This account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate the ability for an ordinary user, who does not have administrative access over a computer, to run signed scripts from links embedded within Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user’s credentials to perform specific administrative operations on the local computer that otherwise would not be supported by the ordinary user’s account. When the delegated user clicks on a link in Help and Support Services, the script executes under the security context of the Support_388945a0 account. This account has limited access to the computer and is disabled by default.

Account Options

Each Active Directory user account has a number of account options. The following table describes options that you can use to configure password settings and security-specific information for user accounts.

Account Options for User Accounts

 

Account Option Description

User must change password at next logon

Forces user to change their password the next time that the user logs on to the network. Use this option when you want to ensure that the user will be the only person to know their password.

User cannot change password

Prevents users from changing their password. Use this option when you want to maintain control over a user account, such as for a guest or temporary account.

Password never expires

Prevents a user password from expiring. It is recommended that service accounts have this option enabled and use strong passwords.

Store passwords using reversible encryption

Provides support for applications that use protocols that require knowledge of the plaintext form of the user’s password for authentication purposes.

This option is required when using Challenge-Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using Digest Authentication in Internet Information Services (IIS).

Account is disabled

Prevents user from logging on with the selected account. Many administrators use disabled accounts as templates for common user accounts.

Smart card is required for interactive logon

Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.

Account is trusted for delegation

Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. In a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab, and it is available only for accounts that have been assigned service principal names (SPNs), as set using the setspn command from Windows Support Tools. This is a security-sensitive capability, and it should be assigned cautiously.

This option is available only on domain controllers running Windows Server 2003 where the domain functionality is set to Windows 2000 mixed or Windows 2000 native. On domain controllers running Windows Server 2003 where the domain functional level is set to Windows Server 2003, the Delegation tab is used to configure delegation settings. The Delegation tab appears only for accounts that have an assigned SPN.

Account is sensitive and cannot be delegated

Allows control over a user account, such as for a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account.

Use DES encryption types for this account

Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).

Do not require Kerberos preauthentication

Provides support for alternate implementations of the Kerberos protocol. Domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time. Because preauthentication provides additional security, use caution when enabling this option.

Active Directory Groups

Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources.

Distribution Groups

Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs). Distribution groups are not covered in this Technical Reference subject.

Security Groups

When they are used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can:

  • Assign user rights to security groups in Active Directory.

    User rights are assigned to a security group to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person’s administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain.

    This is possible because, by default, the user rights Backup files and directories and Restore files and directories are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.

    You can assign user rights to security groups, by using Group Policy, to help delegate specific tasks. You should always use discretion when assigning delegated tasks because an untrained user who is assigned too many rights can potentially cause significant harm to your network.

  • Assign permissions to security groups on resources.

    Permissions should not be confused with user rights. Permissions are assigned to the security group on the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups such as the Account Operators group or the Domain Admins group.

    Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory and receives the permissions that are defined for that group at the resource.

Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group.

Converting Between Security and Distribution Groups

A group can be converted from a security group to a distribution group, and vice versa, at any time, but only if the domain functional level is set to Windows 2000 native or higher. No groups can be converted while the domain functional level is set to Windows 2000 mixed.

Note

  • Although a contact can be added to a security group as well as to a distribution group, contacts cannot be assigned rights and permissions. Contacts in a group can be sent e-mail.

Group Scope

Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three group scopes that are defined by Active Directory: Universal, Global, and Domain Local.

Note

  • In addition to these three scopes, the default groups in the Builtin container have a Group Scope of Builtin Local. Their Group Scope and Group Type cannot be changed.

The scope of the group defines where the group can be granted permissions. Universal groups are only available when the domain functional level is set to Windows 2000 native or Windows Server 2003.

The following table lists the three group scopes and more information about each scope for a security group.

Group Scopes

 

Scope Possible Members Scope Conversion Can Grant Permissions Possible Member of

Universal

Accounts from any domain in the same forest

Global groups from any domain in the same forest

Other universal groups from any domain in the same forest

Can be converted to domain local scope

Can be converted to global scope as long as the group does not contain any other universal groups

On any domain in the same forest or trusting forests

Other universal groups in the same forest

Domain local groups in the same forest or trusting forests

Local groups on computers in the same forest or trusting forests

Global

Accounts from the same domain

Other global groups from the same domain

Can be converted to universal scope as long as the group is not a member of any other global group

On any domain in the same forest or trusting domains or forests

Universal groups from any domain in the same forest

Other global groups from the same domain

Domain local groups from any domain in the same forest or from any trusting domain

Domain Local

Accounts from any domain or any trusted domain

Global groups from any domain or any trusted domain

Universal groups from any domain in the same forest

Other domain local groups from the same domain

Accounts, global groups, and universal groups from other forests and from external and Windows NT 4.0 domains

Can be converted to universal scope as long as the group does not contain any other domain local groups

Within the same domain

Other domain local groups from the same domain

Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs

Default Groups

Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.

Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.

When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group on any shared resources.

Default groups are located in the Builtin container and the Users container in Active Directory Users and Computers. The Builtin container contains groups that are defined with domain local scope. The Users container contains groups that are defined with global scope and groups that are defined with domain local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains.

Some of the administrative groups that are listed in these tables and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.

This security descriptor is present on the AdminSDHolder object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object so that it will be applied consistently. Be careful when making these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts.

The following tables provide descriptions of the default groups that are located in the Builtin and Users containers.

Account Operators

 

Attribute Value

Well-Known SID/RID

S-1-5-32-548

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Allow log on locally

Shut down the system

Notes

By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators. This group is a service administrator because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty and do not use it at all for any delegated administration. This group cannot be renamed, deleted, or moved.

Administrators

 

Attribute Value

Well-Known SID/RID

S-1-5-32-544

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

Administrator, Domain Admins, Enterprise Admins

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Access this computer from the network

Adjust memory quotas for a process

Back up files and directories

Bypass traverse checking

Change the system time

Create a pagefile

Debug programs

Enable computer and user accounts to be trusted for delegation

Force a shutdown from a remote system

Increase scheduling priority

Load and unload device drivers

Allow log on locally

Manage auditing and security log

Modify firmware environment values

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Notes

The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Its own membership can be modified by the default service administrator groups Administrators and Domain Admins in the domain, as well as by the Enterprise Admins group. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator because its members have full access to the domain controllers in the domain.

Backup Operators

 

Attribute Value

Well-Known SID/RID

S-1-5-32-551

Type

Builtin Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Back up files and directories

Allow log on locally

Restore files and directories

Shut down the system

Notes

Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the default service administrator groups Administrators and Domain Admins in the domain, as well as by the Enterprise Admins group. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.

Cert Publishers

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-517

Type

Domain Local

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

No

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

A group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.

Domain Admins

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-512

Type

Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

Administrator

Default member of

Administrators

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Access this computer from the network

Adjust memory quotas for a process

Back up files and directories

Bypass traverse checking

Change the system time

Create a pagefile

Debug programs

Enable computer and user accounts to be trusted for delegation

Force a shutdown from a remote system

Increase scheduling priority

Load and unload device drivers

Allow log on locally

Manage auditing and security log

Modify firmware environment values

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Notes

A group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. This group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Its own membership can be modified by the service administrator groups Administrators and Domain Admins in its domain, as well as the Enterprise Admins group. This is a service administrator account because its members have full access to a domain’s domain controllers.

Domain Computers

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-515

Type

Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

All computers joined to the domain, excluding domain controllers

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Yes (but not required)

Safe to delegate management of this group to non-Service admins?

Yes

Default User Rights

No default user rights

Notes

The group includes all computers that have joined the domain, excluding domain controllers.

Domain Controllers

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-516

Type

Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

Computer accounts for all Domain Controllers of the domain

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

No

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

The group includes all domain controllers in the domain. New domain controllers are added to this group automatically.

Domain Guests

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-514

Type

Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

Guest

Default member of

Guests

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Can be moved out but it is not recommended

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

This group includes the domain’s built-in Guest account.

Domain Users

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-513

Type

Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

All user accounts in the domain

Default member of

Users

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

This group includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.

Enterprise Admins

 

Attribute Value

Well-Known SID/RID

S-1-5-<root domain>-519

Type

Universal (if Domain is in Native-Mode) else Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

Administrator

Default member of

Administrators

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Access this computer from the network

Adjust memory quotas for a process

Back up files and directories

Bypass traverse checking

Change the system time

Create a pagefile

Debug programs

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Increase scheduling priority

Load and unload device drivers

Allow log on locally

Manage auditing and security log

Modify firmware environment values

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Notes

This group exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode; it is a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers. This group can modify the membership of all administrative groups. Its own membership can be modified only by the default service administrator groups in the root domain. This account is considered a service administrator.

Group Policy Creators Owners

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-520

Type

Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

Administrator

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

No

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

This group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.

Guests

 

Attribute Value

Well-Known SID/RID

S-1-5-32-546

Type

Builtin Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

Guest

Default member of

Guest, Domain Guests

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer’s built-in Guest account.

Incoming Forest Trust Builders

 

Attribute Value

Well-Known SID/RID

S-1-5-32-557

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

This group cannot be renamed, deleted, or moved.

Network Configuration Operators

 

Attribute Value

Well-Known SID/RID

S-1-5-32-556

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

Yes

Default User Rights

No default user rights

Notes

This group cannot be renamed, deleted, or moved.

Performance Log Users

 

Attribute Value

Well-Known SID/RID

S-1-5-32-559

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

Yes

Default User Rights

No default user rights

Notes

This account cannot be renamed, deleted, or moved.

Performance Monitor Users

 

Attribute Value

Well-Known SID/RID

S-1-5-32-558

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

Yes

Default User Rights

No default user rights

Notes

This group cannot be renamed, deleted, or moved.

Pre–Windows 2000 Compatible Access

 

Attribute Value

Well-Known SID/RID

S-1-5-32-554

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

Refer to the Notes column

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Access this computer from the network

Bypass traverse checking

Notes

In Windows 2000, if you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone (including Anonymous) is a member, and if you choose the Windows 2000–only permissions mode, the membership is empty. In Windows Server 2003, if you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.

Print Operators

 

Attribute Value

Well-Known SID/RID

S-1-5-32-550

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Allow log on locally

Shut down the system

Notes

A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. This group cannot be renamed, deleted, or moved.

RAS and IAS Servers

 

Attribute Value

Well-Known SID/RID

S-1-5-<domain>-553

Type

Domain Local

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

Yes

Default User Rights

No default user rights

Notes

By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.

Remote Desktop Users

 

Attribute Value

Well-Known SID/RID

S-1-5-32-555

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

Yes

Default User Rights

No default user rights

Notes

This group cannot be renamed, deleted or moved.

Schema Admins

 

Attribute Value

Well-Known SID/RID

S-1-5-<root domain>-518

Type

Universal (if Domain is in Native-Mode) else Domain Global

Default container

CN=Users, DC=<domain>, DC=

Default members

Administrator

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

This group exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode; it is a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. The membership of this group can be modified by any of the service administrator groups in the root domain. This account is considered a service administrator because its members can modify the schema, which governs the structure and content of the entire directory.

Server Operators

 

Attribute Value

Well-Known SID/RID

S-1-5-32-549

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

Back up files and directories

Change the system time

Force shutdown from a remote system

Allow log on locally

Restore files and directories

Shut down the system

Notes

This group exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively, create and delete network shares, start and stop services, back up and restore files, format the hard disk of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, as well as the Enterprise Admins group. It cannot change any administrative group memberships. This is a service administrator account because its members have physical access to domain controllers and they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers.

Terminal Server License Servers

 

Attribute Value

Well-Known SID/RID

S-1-5-32-561

Type

BuiltIn Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

None

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

Yes

Notes

This group cannot be renamed, deleted, or moved.

Users

 

Attribute Value

Well-Known SID/RID

S-1-5-32-545

Type

Builtin Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

Authenticated Users, Domain Users

Default member of

Domain Users (This membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

No

Default User Rights

No default user rights

Notes

After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.

Windows Authorization Access Group

 

Attribute Value

Well-Known SID/RID

S-1-5-32-560

Type

Builtin Local

Default container

CN=BuiltIn, DC=<domain>, DC=

Default members

Enterprise Domain Controllers

Default member of

None

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Cannot be moved

Safe to delegate management of this group to non-Service admins?

Yes

Notes

This group cannot be renamed, deleted, or moved.

Special Identities

In addition to the groups in the Users and Builtin containers, servers running Windows Server 2003 include several special identities. For convenience, these identities are generally referred to as groups. These special groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.

Although the special identities can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identities. Users are automatically assigned to these special identities whenever they log on or access a particular resource.

The special groups are described in the following tables.

Anonymous Logon

 

Attribute Value

Well-Known SID/RID

S-1-5-7

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A user who has logged on anonymously.

Authenticated User

 

Attribute Value

Well-Known SID/RID

S-1-5-11

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

Batch

 

Attribute Value

Well-Known SID/RID

S-1-5-3

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that implicitly includes all users who have logged on through a batch queue facility such as task scheduler jobs. Membership is controlled by the operating system.

Creator Group

 

Attribute Value

Well-Known SID/RID

S-1-3-1

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX subsystem.

Creator Owner

 

Attribute Value

Well-Known SID/RID

S-1-3-0

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.

Dialup

 

Attribute Value

Well-Known SID/RID

S-1-5-1

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

Used for accounts that are connected to the computer over a dial-up connection.

Digest Authentication

 

Attribute Value

Well-Known SID/RID

S-1-5-64-21

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Enterprise Domain Controllers

 

Attribute Value

Well-Known SID/RID

S-1-5-9

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that includes all domain controllers in an Active Directory forest of domains. Membership is controlled by the operating system.

Everyone

 

Attribute Value

Well-Known SID/RID

S-1-1-0

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that includes Authenticated Users and Guest. Whenever a user logs on to the network, the user is automatically added to the Everyone group. On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but in Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; it no longer includes Anonymous Logon by default (although this can be changed).

Membership is controlled by the operating system.

Interactive

 

Attribute Value

Well-Known SID/RID

S-1-5-4

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that includes all users who have logged on interactively. Membership is controlled by the operating system.

Local Service

 

Attribute Value

Well-Known SID/RID

S-1-5-19

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

The Local Service account is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password.

LocalSystem

 

Attribute Value

Well-Known SID/RID

S-1-5-18

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A service account that is used by the operating system. The Local System account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the Local System account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the Local System account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.

Network

 

Attribute Value

Well-Known SID/RID

S-1-5-2

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that implicitly includes all users who are logged on through a network connection. Membership is controlled by the operating system.

Network Service

 

Attribute Value

Well-Known SID/RID

S-1-5-20

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

The Network Service account is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.

NTLM Authentication

 

Attribute Value

Well-Known SID/RID

S-1-5-64-10

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Other Organization

 

Attribute Value

Well-Known SID/RID

S-1-5-1000

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.

Principal Self

 

Attribute Value

Well-Known SID/RID

S-1-5-10

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.

Proxy

 

Attribute Value

Well-Known SID/RID

S-1-5-8

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

Does not currently apply: this SID is not used in Windows 2000 Server or Windows Server 2003.

Remote Interactive Logon

 

Attribute Value

Well-Known SID/RID

S-1-5-14

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

Represents all users who are currently logged on to the computer using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

Restricted Code

 

Attribute Value

Well-Known SID/RID

S-1-5-12

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

Used by a process that is executing in a restricted security context, such as running an application with the RunAs service. When code executes at the restricted security level, the Restricted SID is added to the user’s access token.

SChannel Authentication

 

Attribute Value

Well-Known SID/RID

S-1-5-64-14

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Service

 

Attribute Value

Well-Known SID/RID

S-1-5-6

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.

Terminal Server User

 

Attribute Value

Well-Known SID/RID

S-1-5-13

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Description

A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system.

This Organization

 

Attribute Value

Well-Known SID/RID

S-1-5-15

Object Class

Foreign Security Principal

Default Location in Active Directory

cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

Local Accounts and Security Groups

You manage local user accounts and security groups by using Local Users and Groups, which is located in Computer Management, a collection of administrative tools that you can use to manage a single local or remote computer. You can use Local Users and Groups to secure and manage user accounts and groups that are stored locally on your computer. A local user or group can be assigned permissions and rights on a particular computer and that computer only. Local Users and Groups is available on the following client and server operating systems:

  • Client computers running Windows 2000 Professional or Windows XP Professional.

  • Member servers running Windows 2000 Server or Windows Server 2003.

  • Stand-alone servers running Windows 2000 Server or Windows Server 2003.

You can use Local Users and Groups to limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. A permission is a rule that is associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner.

You cannot use Local Users and Groups to view local users and groups after a member server has been promoted to a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers (that are not domain controllers) on the network.

Use Active Directory Users and Computers to manage users and groups in Active Directory.

Local User Accounts

The Users folder that is located in the Local Users and Groups snap-in in MMC displays the default user accounts as well as the user accounts that you create. The default user accounts are created automatically when you install a stand-alone server or member server running Windows Server 2003. The following table describes the default user accounts on servers running Windows Server 2003.

Default Local User Accounts on Servers Running Windows Server 2003

 

Default User Account Description

Administrator account

The Administrator account has full control of the server and can assign user rights and access control permissions to users as necessary. This account must be used only for tasks that require administrative credentials. It is highly recommended that you set up this account to use a strong password.

The Administrator account is a member of the Administrators group on the server. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and gain access to it.

The Administrator account is the account you use when you first set up the server. You use this account before you create an account for yourself.

Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using Safe Mode.

Guest account

The Guest account is used by people who do not have an actual account on the computer. A user whose account is disabled, but not deleted, can also use the Guest account. The Guest account does not require a password. The Guest account is disabled by default, but you can enable it.

You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the default Guests group, which allows a user to log on to a server. Additional rights, as well as any permissions, must be granted to the Guests group by a member of the Administrators group. The Guest account is disabled by default, and it is recommended that it stay disabled.

Support_388945a0 account

The Support_388945a0 account enables Help and Support Service interoperability with signed scripts. This account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate the ability for an ordinary user, who does not have administrative access over a computer, to run signed scripts from links that are embedded in Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user’s credentials to perform specific administrative operations on the local computer that otherwise would not be supported by the ordinary user’s account. When the delegated user clicks on a link in Help and Support Services, the script will execute under the security context of the Support_388945a0 account. This account has limited access to the computer and is disabled by default.

HelpAssistant account (installed with a Remote Assistance session)

The primary account that is used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance session, and it has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service, and it will be automatically deleted if no Remote Assistance requests are pending.

Local Groups

The Groups folder that is located in Local Users and Groups displays the default local groups as well as the local groups that you create. The default local groups are automatically created when you install a stand-alone server or a member server running Windows Server 2003. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer.

You can add local user accounts, domain user accounts, computer accounts, and security groups to local groups. However, you cannot add local user accounts and local groups to domain group accounts.

The following table provides descriptions of the default groups that are located in the Groups folder, and it lists the assigned user rights for each group. These rights are assigned within the local security policy.

Default Local Groups on Servers Running Windows Server 2003

 

Group Description Default User Rights

Administrators

Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group. Because this group has full control of the server, add users with caution.

Access this computer from the network

Adjust memory quotas for a process

Allow log on locally

Allow log on through Terminal Services

Back up files and directories

Bypass traverse checking

Change the system time

Create a pagefile; Debug programs

Force shutdown from a remote system

Increase scheduling priority

Load and unload device drivers

Manage auditing and security log

Modify firmware environment variables

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Restore files and directories

Shut down the system

Take ownership of files or other objects

Backup Operators

Members of this group can back up and restore files on the server, regardless of any permissions that protect these files. This is because the right to perform a backup takes precedence over all file permissions. File permissions cannot change security settings.

Access this computer from the network

Allow log on locally

Back up files and directories

Bypass traverse checking

Restore files and directories

Shut down the system

DHCP Administrators (installed with the DHCP Server service)

Members of this group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but they are not able to perform other administrative actions on the server.

No default user rights

DHCP Users (installed with the DHCP Server service)

Members of this group have read-only access to the DHCP Server service. This allows members to view information and properties that are stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports.

No default user rights

Guests

Members of this group have a temporary profile created at log on, and when the member logs off, the profile is deleted. The Guest account (which is disabled by default) is also a default member of this group.

No default user rights

HelpServicesGroup

This group allows administrators to set rights that are common to all support applications. By default, the only group member is the account that is associated with Microsoft support applications, such as Remote Assistance. Do not add users to this group.

No default user rights

Network Configuration Operators

Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.

No default user rights

Performance Monitor Users

Members of this group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

No default user rights

Performance Log Users

Members of this group can manage performance counters, logs, and alerts on the server locally and from remote clients without being a member of the Administrators group.

No default user rights

Power Users

Members of this group can create user accounts and then modify and delete the accounts that they have created. They can create local groups and then add or remove users from the local groups that they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources that they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs.

Access this computer from the network

Allow log on locally

Bypass traverse checking

Change the system time

Profile single process

Remove computer from docking station

Shut down the system

Print Operators

Members of this group can manage printers and print queues.

No default user rights

Remote Desktop Users

Members of this group can remotely log on to a server.

Allow log on through Terminal Services

Replicator

The Replicator group supports replication functions. The only member of the Replicator group should be a domain user account that is used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group.

No default user rights

Users

Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account that is created in the domain becomes a member of this group.

Access this computer from the network

Allow log on locally

Bypass traverse checking

WINS Users (installed with WINS service)

Members of this group are permitted read-only access to Windows Internet Name Service (WINS). This allows members to view information and properties that are stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports.

No default user rights

Related Information

The following resources contain additional information that is relevant to this section:

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.