Active Directory user accounts and computer accounts can represent a physical entity, such as a computer or person. User accounts can also be used as dedicated service accounts for some applications. Groups are used to collect user accounts, computer accounts, and other groups into manageable units.
In Windows Server 2003 there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there are two types of administrative responsibility. Service administrators are responsible for maintaining and delivering the directory service, including domain controller management and directory service configuration. Data administrators are responsible for maintaining the data that is stored in the directory service and on domain member servers and workstations.
It is important to understand which default accounts and groups are service administrators. Service administration accounts and groups have the most widespread power in the network environment and require the most protection.
User accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC) and by using command-line tools. In addition, built-in accounts are created when you create the Active Directory domain.
Built-in User Accounts
The Users container in Active Directory Users and Computers displays the built-in user accounts: Administrator, Guest, KRBTGT, and Support_388945a0. These built-in user accounts are created automatically when you create the domain. The HelpAssistant account is installed when a Remote Assistance session is established.
Each built-in account has a different combination of rights and permissions. The Administrator account has the most extensive rights and permissions over the domain, while the Guest account has limited rights and permissions.
Some of the administrative accounts that are listed in these tables are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This process ensures that any unauthorized change to the security descriptor on one of the administrative accounts or groups is overwritten with the protected settings.
This security descriptor is present on the AdminSDHolder object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object so that it will be applied consistently. Be careful when making these modifications, because you are also changing the default settings that will be applied to all of your protected administrative accounts.
The following table describes each default user account on domain controllers running Windows Server 2003.
Built-in User Accounts on Domain Controllers Running Windows Server 2003
Administrator

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-500 |
| Type | User |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | N/A |
| Default member of | Administrators, Domain Admins, Enterprise Administrators, Domain Users (Membership in Domain Users is due to the fact that the Primary Group ID of all user accounts is Domain Users.) |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Notes | This account is the first account created during installation of the operating system. The account cannot be deleted or locked out, but it can be renamed or disabled. It is a member of the Administrators group and cannot be removed from that group. The Administrator account is a default member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups in Active Directory. The Administrator account is known to exist on many versions of Windows; therefore, renaming or disabling this account makes it more difficult for malicious users to try and gain access to it. When the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode. |
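The table identifies the built-in accounts by well-known RID rather than by name, which is what an audit should also do: a renamed Administrator or Guest account keeps RID 500 or 501. The following PowerShell is an added example, not part of the original reference, that resolves the three accounts with well-known RIDs (500, 501, 502) from the domain SID and reports their current name, container and enabled state. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; the function name is this example's own.

```powershell
# Added example, not part of the original reference. Resolves the built-in accounts
# by the well-known RIDs given in the tables (500, 501, 502) rather than by name, so
# a renamed Administrator or Guest account is still found, and reports whether each
# is enabled. Assumes the ActiveDirectory module (RSAT) and a domain-joined session;
# the function name is this example's own.
Import-Module ActiveDirectory

function Get-WellKnownBuiltinAccount {
    param(
        # Domain to query; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value

    # RID -> role, as listed in the Well-Known SID/RID rows of the tables.
    $wellKnownRids = [ordered]@{
        500 = 'Administrator'
        501 = 'Guest'
        502 = 'KRBTGT'
    }

    foreach ($entry in $wellKnownRids.GetEnumerator()) {
        $sid  = "$domainSid-$($entry.Key)"
        $user = Get-ADUser -Identity $sid -Server $Domain -Properties Enabled, PasswordLastSet, adminCount

        # The Administrator account cannot be deleted or locked out, only renamed or
        # disabled, so a name that differs from the role is the sign of a rename.
        [pscustomobject]@{
            Role            = $entry.Value
            CurrentName     = $user.SamAccountName
            Renamed         = ($user.SamAccountName -ne $entry.Value)
            SID             = $sid
            Enabled         = $user.Enabled
            Container       = ($user.DistinguishedName -split ',', 2)[1]
            PasswordLastSet = $user.PasswordLastSet
            AdminCount      = $user.adminCount
        }
    }
}

Get-WellKnownBuiltinAccount | Format-Table -AutoSize
```

Run it against each domain in the forest; an enabled account in the Administrator row, or a Guest row that is not disabled, is the condition the Notes rows above recommend against. The KRBTGT row is expected to be disabled, since the KDC uses the account's keys rather than interactive logon.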
Guest

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-501 |
| Type | User |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | Domain Guests, Guests |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Can be moved out, but it is not recommended. |
| Safe to delegate management of this group to non-Service admins? | No |
| Notes | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled, and it is recommended that it stay disabled. You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to log on to a domain. |
HelpAssistant

| Attribute | Value |
| --- | --- |
| Type | User |
| Default container | CN=Users, DC=<domain>, DC= |
| Notes | The primary account that is used to establish a Remote Assistance session. This account has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and is automatically deleted if no Remote Assistance requests are pending. |
KRBTGT

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-502 |
| Type | User |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | Domain Users (This membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.) |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Can be moved out, but it is not recommended. |
| Safe to delegate management of this group to non-Service admins? | No |
| Notes | A service account that is used by the Key Distribution Center (KDC) service. |
Support_388945a0

| Attribute | Value |
| --- | --- |
| Type | User |
| Default container | CN=Users, DC=<domain>, DC= |
| Notes | The Support_388945a0 account enables Help and Support Service interoperability with signed scripts. This account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate the ability for an ordinary user, who does not have administrative access over a computer, to run signed scripts from links embedded within Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user’s credentials to perform specific administrative operations on the local computer that otherwise would not be supported by the ordinary user’s account. When the delegated user clicks on a link in Help and Support Services, the script executes under the security context of the Support_388945a0 account. This account has limited access to the computer and is disabled by default. |
Account Options
Each Active Directory user account has a number of account options. The following table describes options that you can use to configure password settings and security-specific information for user accounts.
Account Options for User Accounts

| Account Option | Description |
| --- | --- |
| User must change password at next logon | Forces the user to change their password the next time that the user logs on to the network. Use this option when you want to ensure that the user will be the only person to know their password. |
| User cannot change password | Prevents users from changing their password. Use this option when you want to maintain control over a user account, such as for a guest or temporary account. |
| Password never expires | Prevents a user password from expiring. It is recommended that service accounts have this option enabled and use strong passwords. |
| Store passwords using reversible encryption | Provides support for applications that use protocols that require knowledge of the plaintext form of the user’s password for authentication purposes. This option is required when using Challenge-Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using Digest Authentication in Internet Information Services (IIS). |
| Account is disabled | Prevents the user from logging on with the selected account. Many administrators use disabled accounts as templates for common user accounts. |
| Smart card is required for interactive logon | Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card. |
| Account is trusted for delegation | Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. In a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab, and it is available only for accounts that have been assigned service principal names (SPNs), as set using the setspn command from Windows Support Tools. This is a security-sensitive capability, and it should be assigned cautiously. This option is available only on domain controllers running Windows Server 2003 where the domain functionality is set to Windows 2000 mixed or Windows 2000 native. On domain controllers running Windows Server 2003 where the domain functional level is set to Windows Server 2003, the Delegation tab is used to configure delegation settings. The Delegation tab appears only for accounts that have an assigned SPN. |
| Account is sensitive and cannot be delegated | Allows control over a user account, such as for a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account. |
| Use DES encryption types for this account | Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES). |
| Do not require Kerberos preauthentication | Provides support for alternate implementations of the Kerberos protocol. Domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time. Because preauthentication provides additional security, use caution when enabling this option. |
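Most of the options in the table are bits in the account's userAccountControl attribute, which is what a directory audit reads rather than the check boxes. The following PowerShell is an added example, not part of the original reference: it decodes the userAccountControl bits behind the table's options and lists accounts that have one of the settings the table itself marks as weakening authentication (reversible encryption, DES-only keys, no Kerberos preauthentication, trusted for delegation). It assumes the ActiveDirectory module (RSAT); the function name and the choice of which flags count as risky are this example's own. Two options are not UAC bits: "User must change password at next logon" is pwdLastSet = 0 and is reported separately, and "User cannot change password" is a deny entry in the account's DACL and is not covered here.

```powershell
# Added example, not part of the original reference. Decodes the userAccountControl
# flags behind the account options in the table and flags the settings that weaken
# authentication. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Bit values of the userAccountControl flags that correspond to the table's options.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE             = 0x0002    # Account is disabled
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080    # Store passwords using reversible encryption
    DONT_EXPIRE_PASSWORD       = 0x10000   # Password never expires
    SMARTCARD_REQUIRED         = 0x40000   # Smart card is required for interactive logon
    TRUSTED_FOR_DELEGATION     = 0x80000   # Account is trusted for delegation
    NOT_DELEGATED              = 0x100000  # Account is sensitive and cannot be delegated
    USE_DES_KEY_ONLY           = 0x200000  # Use DES encryption types for this account
    DONT_REQ_PREAUTH           = 0x400000  # Do not require Kerberos preauthentication
}

# Options the table describes as reducing security when enabled (this example's selection).
$riskyFlags = 'ENCRYPTED_TEXT_PWD_ALLOWED', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    # Returns the names of all flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $uacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-RiskyAccountOption {
    # One object per user account; RiskyOptions is empty when none of the risky bits is set.
    Get-ADUser -Filter * -Properties userAccountControl, pwdLastSet | ForEach-Object {
        $set = @(ConvertFrom-UserAccountControl -Value $_.userAccountControl)
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            Enabled              = -not ($set -contains 'ACCOUNTDISABLE')
            MustChangePwdAtLogon = ($_.pwdLastSet -eq 0)   # not a UAC bit; pwdLastSet = 0
            Options              = ($set -join ', ')
            RiskyOptions         = (($set | Where-Object { $riskyFlags -contains $_ }) -join ', ')
        }
    }
}

Get-RiskyAccountOption |
    Where-Object { $_.RiskyOptions -ne '' } |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, RiskyOptions -AutoSize
```

Each row in the result maps back to a row of the table, so the review question for every hit is the one the table poses: which application still needs CHAP or Digest (reversible encryption), which client still needs DES, which alternate Kerberos implementation needs preauthentication off, and which service genuinely needs to impersonate callers.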
Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.
There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources.
Distribution Groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs). Distribution groups are not covered in this Technical Reference subject.
Security Groups
When they are used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can:
- Assign user rights to security groups in Active Directory.
User rights are assigned to a security group to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person’s administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain.
This is possible because, by default, the user rights Backup files and directories and Restore files and directories are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
You can assign user rights to security groups, by using Group Policy, to help delegate specific tasks. You should always use discretion when assigning delegated tasks because an untrained user who is assigned too many rights can potentially cause significant harm to your network.
- Assign permissions to security groups on resources.
Permissions should not be confused with user rights. Permissions are assigned to the security group on the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups such as the Account Operators group or the Domain Admins group.
Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory and receives the permissions that are defined for that group at the resource.
Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group.
Converting Between Security and Distribution Groups
A group can be converted from a security group to a distribution group, and vice versa, at any time, but only if the domain functional level is set to Windows 2000 native or higher. No groups can be converted while the domain functional level is set to Windows 2000 mixed.
Note
- Although a contact can be added to a security group as well as to a distribution group, contacts cannot be assigned rights and permissions. Contacts in a group can be sent e-mail.
Group Scope
Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three group scopes that are defined by Active Directory: Universal, Global, and Domain Local.
Note
- In addition to these three scopes, the default groups in the Builtin container have a Group Scope of Builtin Local. Their Group Scope and Group Type cannot be changed.
The scope of the group defines where the group can be granted permissions. Universal groups are only available when the domain functional level is set to Windows 2000 native or Windows Server 2003.
The following table lists the three group scopes and more information about each scope for a security group.
Group Scopes

| Scope | Possible Members | Scope Conversion | Can Grant Permissions | Possible Member of |
| --- | --- | --- | --- | --- |
| Universal | Accounts from any domain in the same forest; Global groups from any domain in the same forest; Other universal groups from any domain in the same forest | Can be converted to domain local scope; Can be converted to global scope as long as the group does not contain any other universal groups | On any domain in the same forest or trusting forests | Other universal groups in the same forest; Domain local groups in the same forest or trusting forests; Local groups on computers in the same forest or trusting forests |
| Global | Accounts from the same domain; Other global groups from the same domain | Can be converted to universal scope as long as the group is not a member of any other global group | On any domain in the same forest or trusting domains or forests | Universal groups from any domain in the same forest; Other global groups from the same domain; Domain local groups from any domain in the same forest or from any trusting domain |
| Domain Local | Accounts from any domain or any trusted domain; Global groups from any domain or any trusted domain; Universal groups from any domain in the same forest; Other domain local groups from the same domain; Accounts, global groups, and universal groups from other forests and from external and Windows NT 4.0 domains | Can be converted to universal scope as long as the group does not contain any other domain local groups | Within the same domain | Other domain local groups from the same domain; Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs |
Default Groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group on any shared resources.
Default groups are located in the Builtin container and the Users container in Active Directory Users and Computers. The Builtin container contains groups that are defined with domain local scope. The Users container contains groups that are defined with global scope and groups that are defined with domain local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains.
Some of the administrative groups that are listed in these tables, and all members of these groups, are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This process ensures that any unauthorized change to the security descriptor on one of the administrative accounts or groups is overwritten with the protected settings.
This security descriptor is present on the AdminSDHolder object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object so that it will be applied consistently. Be careful when making these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts.
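The protection described here (and in the Built-in User Accounts section above) can be checked directly: the background process marks each protected object with adminCount = 1 and rewrites its DACL from the AdminSDHolder template. The following PowerShell is an added example, not part of the original reference, that lists the currently protected objects and reports, for each, how many explicit access control entries differ from the template on the AdminSDHolder object. It assumes the ActiveDirectory module (RSAT), whose AD: drive provides Get-Acl access to directory objects; the function names are this example's own.

```powershell
# Added example, not part of the original reference. Lists the objects protected by
# AdminSDHolder (adminCount = 1) and compares each object's explicit DACL entries with
# the template on CN=AdminSDHolder,CN=System. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-AceKey {
    # Reduces an ACE to a comparable string: identity, rights, allow/deny,
    # inheritance and the object-type GUIDs that scope it.
    param($Ace)
    @($Ace.IdentityReference, $Ace.ActiveDirectoryRights, $Ace.AccessControlType,
      $Ace.InheritanceType, $Ace.ObjectType, $Ace.InheritedObjectType) -join '|'
}

function Get-ExplicitAceKeys {
    # Explicit (non-inherited) entries only; the template is applied with inheritance blocked.
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { ConvertTo-AceKey $_ }
}

function Compare-AdminSdHolderAcl {
    $domainDn        = (Get-ADDomain).DistinguishedName
    $adminSdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"
    $templateAces    = @(Get-ExplicitAceKeys -DistinguishedName $adminSdHolderDn)

    # Every object the background process has stamped as protected.
    $protected = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainDn

    foreach ($obj in $protected) {
        $acl     = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        $aces    = @(Get-ExplicitAceKeys -DistinguishedName $obj.DistinguishedName)
        $extra   = @($aces | Where-Object { $templateAces -notcontains $_ })
        $missing = @($templateAces | Where-Object { $aces -notcontains $_ })

        [pscustomobject]@{
            Name               = $obj.Name
            Class              = $obj.ObjectClass
            InheritanceBlocked = $acl.AreAccessRulesProtected   # expected: True on protected objects
            ExtraAces          = $extra.Count      # entries the template does not contain
            MissingAces        = $missing.Count    # template entries absent from the object
        }
    }
}

Compare-AdminSdHolderAcl | Sort-Object Class, Name | Format-Table -AutoSize
```

A non-zero ExtraAces or MissingAces count on a protected object means either that the object was modified after the last pass of the background process and will be reset on the next one, or that the object is no longer in a protected group but still carries adminCount = 1 and the blocked inheritance, which is the usual reason a former administrator's account stops receiving permissions inherited from its OU. Changes meant to persist belong on AdminSDHolder itself, as the paragraph above says, and this comparison shows exactly what such a change would alter on every protected object.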
The following tables provide descriptions of the default groups that are located in the Builtin and Users containers.
Account Operators

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-548 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Allow log on locally; Shut down the system |
| Notes | By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators. This group is a service administrator because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty and do not use it at all for any delegated administration. This group cannot be renamed, deleted, or moved. |
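The Notes row recommends keeping Account Operators empty, and the same membership question applies to every service administrator group in these tables. The following PowerShell is an added example, not part of the original reference: it resolves the service administrator groups of the current domain by the well-known SIDs and RIDs given in the tables (so a renamed group is still found), expands nested membership, and reports a finding when Account Operators has any members. It assumes the ActiveDirectory module (RSAT); the function name is this example's own. Enterprise Admins is left out because it exists only in the forest root domain (S-1-5-<root domain>-519) and must be queried there.

```powershell
# Added example, not part of the original reference. Enumerates the recursive membership
# of the service administrator groups described in these tables, resolved by well-known
# SID/RID, and flags a non-empty Account Operators group. Assumes the ActiveDirectory
# module (RSAT) and a session in the domain being checked.
Import-Module ActiveDirectory

function Get-ServiceAdminMembership {
    $domainSid = (Get-ADDomain).DomainSID.Value

    # SIDs/RIDs as listed in the Well-Known SID/RID rows of the tables.
    $serviceAdminGroups = [ordered]@{
        'Administrators'    = 'S-1-5-32-544'
        'Account Operators' = 'S-1-5-32-548'
        'Backup Operators'  = 'S-1-5-32-551'
        'Domain Admins'     = "$domainSid-512"
    }

    foreach ($entry in $serviceAdminGroups.GetEnumerator()) {
        $group = Get-ADGroup -Identity $entry.Value
        # -Recursive expands nested groups so indirect members are reported too.
        $members = @(Get-ADGroupMember -Identity $group -Recursive)

        # Account Operators is expected to be empty (see its Notes row).
        $finding = ''
        if ($entry.Key -eq 'Account Operators' -and $members.Count -gt 0) {
            $finding = 'Account Operators has members; the reference advises leaving it empty'
        }

        [pscustomobject]@{
            Role        = $entry.Key
            CurrentName = $group.SamAccountName
            SID         = $entry.Value
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }) -join ', '
            Finding     = $finding
        }
    }
}

Get-ServiceAdminMembership | Format-Table Role, CurrentName, MemberCount, Finding -AutoSize
```

Because Get-ADGroupMember -Recursive flattens nested groups, the Members column shows the effective membership rather than the direct one, which is what matters when a group such as Domain Admins is nested inside Administrators as the tables describe. Keeping a dated copy of this output gives a baseline to compare against after the background process or an administrator has changed anything.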
Administrators

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-544 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | Administrator, Domain Admins, Enterprise Admins |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Notes | The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Its own membership can be modified by the default service administrator groups Administrators and Domain Admins in the domain, as well as by the Enterprise Admins group. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator because its members have full access to the domain controllers in the domain. |
Backup Operators

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-551 |
| Type | Builtin Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Back up files and directories; Allow log on locally; Restore files and directories; Shut down the system |
| Notes | Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the default service administrator groups Administrators and Domain Admins in the domain, as well as by the Enterprise Admins group. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators. |
Cert Publishers

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-517 |
| Type | Domain Local |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | No |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | A group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. |
Domain Admins

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-512 |
| Type | Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | Administrator |
| Default member of | Administrators |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Notes | A group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. This group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Its own membership can be modified by the service administrator groups Administrators and Domain Admins in its domain, as well as the Enterprise Admins group. This is a service administrator account because its members have full access to a domain’s domain controllers. |
Domain Computers

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-515 |
| Type | Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | All computers joined to the domain, excluding domain controllers |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes (but not required) |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Default User Rights | No default user rights |
| Notes | The group includes all computers that have joined the domain, excluding domain controllers. |
Domain Controllers

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-516 |
| Type | Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | Computer accounts for all Domain Controllers of the domain |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | No |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | The group includes all domain controllers in the domain. New domain controllers are added to this group automatically. |
Domain Guests

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-514 |
| Type | Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | Guest |
| Default member of | Guests |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Can be moved out, but it is not recommended |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | This group includes the domain’s built-in Guest account. |
Domain Users

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-513 |
| Type | Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | All user accounts in the domain |
| Default member of | Users |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | This group includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically. |
Enterprise Admins

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<root domain>-519 |
| Type | Universal (if Domain is in Native-Mode) else Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | Administrator |
| Default member of | Administrators |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Notes | This group exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode; it is a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers. This group can modify the membership of all administrative groups. Its own membership can be modified only by the default service administrator groups in the root domain. This account is considered a service administrator. |
Group Policy Creator Owners

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-520 |
| Type | Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | Administrator |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | No |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | This group is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. |
Guests

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-546 |
| Type | Builtin Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | Guest |
| Default member of | Guest, Domain Guests |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer’s built-in Guest account. |
Incoming Forest Trust Builders

| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-557 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | This group cannot be renamed, deleted, or moved. |
Network Configuration Operators
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-556 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Default User Rights | No default user rights |
| Notes | This group cannot be renamed, deleted, or moved. |
Performance Log Users
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-559 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Default User Rights | No default user rights |
| Notes | This group cannot be renamed, deleted, or moved. |
Performance Monitor Users
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-558 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Default User Rights | No default user rights |
| Notes | This group cannot be renamed, deleted, or moved. |
Pre–Windows 2000 Compatible Access
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-554 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | Refer to the Notes row |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Access this computer from the network; Bypass traverse checking |
| Notes | In Windows 2000, if you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone (including Anonymous) is a member, and if you choose the Windows 2000–only permissions mode, the membership is empty. In Windows Server 2003, if you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000–only permissions mode, Authenticated Users are members. |
Print Operators
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-550 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Allow log on locally; Shut down the system |
| Notes | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. This group cannot be renamed, deleted, or moved. |
RAS and IAS Servers
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<domain>-553 |
| Type | Domain Local |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Default User Rights | No default user rights |
| Notes | By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. |
Remote Desktop Users
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-555 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Default User Rights | No default user rights |
| Notes | This group cannot be renamed, deleted, or moved. |
Schema Admins
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-<root domain>-518 |
| Type | Universal (if Domain is in Native-Mode) else Domain Global |
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | Administrator |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | This group exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode; it is a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. The membership of this group can be modified by any of the service administrator groups in the root domain. This account is considered a service administrator because its members can modify the schema, which governs the structure and content of the entire directory. |
Server Operators
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-549 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system |
| Notes | This group exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively, create and delete network shares, start and stop services, back up and restore files, format the hard disk of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. This built-in group has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, as well as the Enterprise Admins group. It cannot change any administrative group memberships. This is a service administrator account because its members have physical access to domain controllers, can perform maintenance tasks (such as backup and restore), and can change the binaries that are installed on the domain controllers. |
Terminal Server License Servers
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-561 |
| Type | BuiltIn Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Notes | This group cannot be renamed, deleted, or moved. |
Users
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-545 |
| Type | Builtin Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | Authenticated Users, Domain Users |
| Default member of | Domain Users (This membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.) |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | No default user rights |
| Notes | After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved. |
Windows Authorization Access Group
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-32-560 |
| Type | Builtin Local |
| Default container | CN=BuiltIn, DC=<domain>, DC= |
| Default members | Enterprise Domain Controllers |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Cannot be moved |
| Safe to delegate management of this group to non-Service admins? | Yes |
| Notes | This group cannot be renamed, deleted, or moved. |
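The "Protected by ADMINSDHOLDER?" rows in the tables above mark the groups whose members periodically get their security descriptor overwritten from the AdminSDHolder object; that process also stamps adminCount=1 on each object it covers, and the stamp is not cleared when an object later leaves the group. Defenders therefore audit both directions: who currently resolves into a protected group (including through nesting), and which objects still carry adminCount=1 without being in one. The following Python is an added example, not part of this reference or of any Microsoft tool. It works on a constructed snapshot of directory objects; the object layout (memberOf, adminCount, isGroup), the names in the sample, and the choice to seed PROTECTED_GROUPS with only the three groups marked "Yes" in the tables above are assumptions.

```python
"""Audit membership of AdminSDHolder-protected groups from an exported snapshot.

Added example: the data below is constructed, and the object layout
(memberOf, adminCount, isGroup) is an assumption standing in for a real
LDAP export.
"""
from collections import deque

# Groups in the tables above whose "Protected by ADMINSDHOLDER?" row is "Yes",
# mapped to their documented default members. Other protected groups from the
# rest of this reference can be added in the same shape.
PROTECTED_GROUPS = {
    "Print Operators": set(),
    "Schema Admins": {"Administrator"},
    "Server Operators": set(),
}

# Constructed sample snapshot: direct memberships plus the adminCount value
# that the protection process stamps on the objects it covers.
SAMPLE_OBJECTS = {
    "Administrator": {"memberOf": {"Schema Admins"}, "adminCount": 1},
    "svc-backup": {"memberOf": {"Server Operators"}, "adminCount": 0},
    "alice": {"memberOf": {"Helpdesk"}, "adminCount": 0},
    "bob": {"memberOf": set(), "adminCount": 1},
    "Helpdesk": {"memberOf": {"Print Operators"}, "adminCount": 1, "isGroup": True},
}


def effective_groups(name, objects):
    """Transitive closure of memberOf, so nesting through Helpdesk still counts."""
    seen = set()
    queue = deque(objects.get(name, {}).get("memberOf", ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(objects.get(group, {}).get("memberOf", ()))
    return seen


def audit(objects, protected=PROTECTED_GROUPS):
    """Return the four findings a defender reviews after each protection cycle."""
    protected_names = set(protected)
    protected_members = {}                     # object -> protected groups it resolves into
    non_default = {g: [] for g in protected}   # group -> members outside its documented defaults
    orphaned = []                              # adminCount=1 but no longer in any protected group
    not_yet_stamped = []                       # in a protected group but adminCount still 0
    for name, obj in objects.items():
        hits = effective_groups(name, objects) & protected_names
        if hits:
            protected_members[name] = sorted(hits)
            for group in hits:
                if name not in protected[group]:
                    non_default[group].append(name)
            if obj.get("adminCount", 0) != 1:
                not_yet_stamped.append(name)
        elif obj.get("adminCount", 0) == 1:
            orphaned.append(name)
    return {
        "protected_members": protected_members,
        "non_default_members": {g: sorted(m) for g, m in non_default.items() if m},
        "orphaned_admincount": sorted(orphaned),
        "not_yet_stamped": sorted(not_yet_stamped),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_OBJECTS).items():
        print(f"{finding}: {value}")
```

In the sample, alice is only a Helpdesk member, but Helpdesk is nested in Print Operators, so she is reported as a protected (and non-default) member; bob is the orphan case, an object that keeps the protected ACL and adminCount=1 after leaving every protected group, which is the hygiene item most often missed.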
Special Identities
In addition to the groups in the Users and Builtin containers, servers running Windows Server 2003 include several special identities. For convenience, these identities are generally referred to as groups. These special groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
Although the special identities can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identities. Users are automatically assigned to these special identities whenever they log on or access a particular resource.
The special groups are described in the following tables.
Anonymous Logon
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-7 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A user who has logged on anonymously. |
Authenticated User
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-11 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. |
Batch
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-3 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that implicitly includes all users who have logged on through a batch queue facility such as task scheduler jobs. Membership is controlled by the operating system. |
Creator Group
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-3-1 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. |
Creator Owner
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-3-0 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. |
Dialup
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-1 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | Used for accounts that are connected to the computer over a dial-up connection. |
Digest Authentication
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-64-21 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
Enterprise Domain Controllers
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-9 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that includes all domain controllers in an Active Directory forest of domains. Membership is controlled by the operating system. |
Everyone
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-1-0 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that includes Authenticated Users and Guest. Whenever a user logs on to the network, the user is automatically added to the Everyone group. On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but in Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; it no longer includes Anonymous Logon by default (although this can be changed). Membership is controlled by the operating system. |
Interactive
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-4 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that includes all users who have logged on interactively. Membership is controlled by the operating system. |
Local Service
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-19 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | The Local Service account is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password. |
LocalSystem
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-18 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A service account that is used by the operating system. The Local System account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the Local System account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the Local System account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. |
Network
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-2 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that implicitly includes all users who are logged on through a network connection. Membership is controlled by the operating system. |
Network Service
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-20 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | The Network Service account is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password. |
NTLM Authentication
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-64-10 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
Other Organization
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-1000 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. |
Principal Self
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-10 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. |
Proxy
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-8 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | Does not currently apply: this SID is not used in Windows 2000 Server or Windows Server 2003. |
Remote Interactive Logon
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-14 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | Represents all users who are currently logged on to the computer using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. |
Restricted Code
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-12 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | Used by a process that is executing in a restricted security context, such as running an application with the RunAs service. When code executes at the restricted security level, the Restricted SID is added to the user’s access token. |
SChannel Authentication
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-64-14 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
Service
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-6 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. |
Terminal Server User
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-13 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
| Description | A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system. |
This Organization
| Attribute | Value |
| --- | --- |
| Well-Known SID/RID | S-1-5-15 |
| Object Class | Foreign Security Principal |
| Default Location in Active Directory | cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
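Every table in this reference identifies its principal by a SID, and the SIDs come in three shapes: a constant well-known SID such as S-1-5-7, a builtin-domain SID of the form S-1-5-32-<RID>, and a domain-relative SID written above as S-1-5-<domain>-<RID> (on the wire that is S-1-5-21 followed by the three sub-authorities of the domain and then the RID). Access tokens, ACEs and event logs carry SIDs rather than names, so a practitioner reading a descriptor or a log needs to parse and resolve them. The Python below is an added example, not part of this reference or of any Microsoft tool: it parses the string form, converts to and from the binary SID layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities), and resolves a SID to the names in these tables. The lookup dictionaries contain only the SIDs and RIDs listed in the tables above; the domain sub-authority values used in the demonstration are constructed.

```python
"""Parse, serialize and resolve Windows SIDs against the tables in this reference.

Added example with constructed demonstration values; the name tables are
limited to the principals documented above.
"""
import struct

# Constant SIDs of the special identities documented above.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
    "S-1-5-1": "Dialup", "S-1-5-2": "Network", "S-1-5-3": "Batch",
    "S-1-5-4": "Interactive", "S-1-5-6": "Service", "S-1-5-7": "Anonymous Logon",
    "S-1-5-8": "Proxy", "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-10": "Principal Self", "S-1-5-11": "Authenticated Users",
    "S-1-5-12": "Restricted Code", "S-1-5-13": "Terminal Server User",
    "S-1-5-14": "Remote Interactive Logon", "S-1-5-15": "This Organization",
    "S-1-5-18": "LocalSystem", "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service", "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-64-14": "SChannel Authentication", "S-1-5-64-21": "Digest Authentication",
    "S-1-5-1000": "Other Organization",
}

# S-1-5-32-<RID> groups from the builtin container tables above.
BUILTIN_RIDS = {
    545: "Users", 546: "Guests", 549: "Server Operators", 550: "Print Operators",
    554: "Pre-Windows 2000 Compatible Access", 555: "Remote Desktop Users",
    556: "Network Configuration Operators", 557: "Incoming Forest Trust Builders",
    558: "Performance Monitor Users", 559: "Performance Log Users",
    560: "Windows Authorization Access Group", 561: "Terminal Server License Servers",
}

# RIDs that are relative to a domain SID (written S-1-5-<domain>-<RID> above).
DOMAIN_RIDS = {518: "Schema Admins", 520: "Group Policy Creator Owners", 553: "RAS and IAS Servers"}


def parse_sid(text):
    """Split 'S-R-A-s1-...-sn' into (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"field out of range in SID: {text!r}")
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority, LE32 sub-authorities."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; rejects truncated or over-long buffers."""
    if len(data) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match buffer length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def classify(text):
    """Return (kind, name) for a SID: well-known constant, builtin group, or domain-relative RID."""
    _, authority, subs = parse_sid(text)
    if text in WELL_KNOWN:
        return "well-known", WELL_KNOWN[text]
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return "builtin", BUILTIN_RIDS.get(subs[1], f"builtin RID {subs[1]}")
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "domain", DOMAIN_RIDS.get(subs[4], f"domain RID {subs[4]}")
    return "unknown", text


if __name__ == "__main__":
    # Constructed domain SID; the three middle sub-authorities are not from any real domain.
    demo = ["S-1-5-7", "S-1-5-32-549", "S-1-5-21-1004336348-1177238915-682003330-518"]
    for sid in demo:
        print(sid, "->", classify(sid), sid_to_bytes(sid).hex())
```

Resolution here is purely structural: the function only recognises the positions of 32 (builtin) and 21 (domain) in the sub-authority list, so a RID it has never seen still reports its kind, which is what you want when triaging an unfamiliar SID in an ACE or a logon event.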