User Account Types

Microsoft® Windows® 2000 Scripting Guide

In most cases, a user account is created so that a person or a program, such as a service, can log on to a computer or a domain. To access resources in an Active Directory forest, each user or application must have an account in Active Directory. Domain controllers running Windows 2000 use accounts to verify that the user or application has permission to use a resource.

Active Directory defines two types of user account objects: User and Contact.

User Account

The User account is the primary Active Directory object type used to represent users. Users can be people who log on to the network or services that must log on in order to run. An Active Directory User account is a security principal that the Windows 2000 security subsystem recognizes.

When a user logs on to the domain, the domain controller verifies the user's password by comparing it with the password stored in the corresponding user account object in the Active Directory database. If the password presented matches the stored password, the domain controller produces an access token, which is subsequently used to verify access to computing resources throughout the forest.

Contact Account

The Contact user account object type is used to represent human users for address book, distribution list, and e-mail purposes; however, a contact account is not a security principal. A Contact account has no security context and therefore cannot be used to log on to a domain or to control access to computing resources.
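The distinction between the two object types can be checked in a directory export. The following is an added example, not code from the Scripting Guide: it parses a constructed LDIF export, classifies each entry by its objectClass values, and decodes the binary objectSid that only a security principal carries. The sample entries, names, and SID values are constructed, and the parser assumes unfolded lines.

```python
import base64
import struct

def pack_sid(*subs):
    """Build a binary SID under authority 5 (used only to construct the sample)."""
    head = struct.pack(">BB", 1, len(subs)) + (5).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def sid_to_str(raw):
    """Decode a binary SID: revision, count, 6-byte authority, 32-bit sub-authorities."""
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d-%s" % (raw[0], authority, "-".join(map(str, subs)))

def parse_ldif(text):
    """Parse blank-line-separated LDIF entries; 'attr:: value' is base64-encoded."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def classify(entry):
    """Return (dn, object type, SID string or None when the entry has no SID)."""
    classes = {c.lower() for c in entry["objectclass"]}
    kind = "Contact" if "contact" in classes else "User" if "user" in classes else "Other"
    sid = entry.get("objectsid")
    return entry["dn"][0], kind, sid_to_str(sid[0]) if sid else None

# Constructed sample export: one User object and one Contact object.
SAMPLE = """dn: CN=Ken Myer,OU=Staff,DC=example,DC=com
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectSid:: %s

dn: CN=Vendor Contact,OU=Staff,DC=example,DC=com
objectClass: person
objectClass: organizationalPerson
objectClass: contact
""" % base64.b64encode(pack_sid(21, 1111111111, 2222222222, 3333333333, 1105)).decode()

for dn, kind, sid in map(classify, parse_ldif(SAMPLE)):
    print(kind, dn, sid or "no SID: not a security principal")
```

Both entries carry the person and organizationalPerson classes, so a query on those alone returns contacts alongside users; only the user or contact class and the presence of objectSid separate them.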