Section 8.1: Types of User Accounts

User accounts are required for accessing local and network resources. Windows Server 2003 provides three types of user accounts:

• Local User Accounts, which allow a user to log on to a specific computer to gain access to resources on that computer. Local user accounts reside in the Security Accounts Manager (SAM) and must be created on each computer in a workgroup;

• Domain User Accounts, which allow a user to log on to the domain to gain access to network resources, and which reside in Active Directory; and

• Built-in User Accounts, which allow a user to perform administrative tasks or to gain access to local or network resources. These can be local built-in user accounts, which reside in SAM, or domain built-in user accounts, which reside in Active Directory.

8.1.1: Local User Accounts

A local user account allows a user to log on at a local computer and gain access to resources only on the computer where you create the local user account. When you create a local user account, Windows 2000, Windows XP Professional and Windows Server 2003 create it only in that computer's security database, which is called the local security database. After the local user account exists, the computer uses its local security database to authenticate the local user account, which allows the user to log on to that computer.

8.1.2: Domain User Accounts


You create a domain user account in the Active Directory database on a domain controller. The domain controller replicates the new user account information to all domain controllers in the domain. Thereafter, any of the domain controllers in the domain can authenticate the user during the logon process.

A domain user account allows a user to log on to the domain and gain access to resources on the network. The user provides his or her user name and password during the logon process. Using this information, Windows Server 2003 authenticates the user and then builds an access token that contains information about the user and security settings. The access token identifies the user to computers running Windows NT on which the user tries to gain access to resources, and it is provided for the duration of the logon session.
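The following PowerShell script is an added example, not part of the original text: it reads the access token Windows built for the current logon session and reports whether the account is a local (SAM) or a domain (Active Directory) account, which groups the token carries, and whether it is an administrative token. It assumes it is run in the logon session being inspected.

```powershell
# Added example: inspect the access token built at logon for the current session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# The token name is AUTHORITY\user. For a SAM account the authority is the
# computer name; for an Active Directory account it is the NetBIOS domain name.
$authority, $userName = $identity.Name -split '\\', 2
if ($authority -ieq $env:COMPUTERNAME) {
    $accountType = 'Local (SAM)'
} else {
    $accountType = 'Domain (Active Directory)'
}

# Resolve each group SID carried in the token to a name; unresolvable SIDs
# (for example a deleted group) are reported as raw SIDs.
$groupNames = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
$report = New-Object PSObject -Property @{
    User         = $identity.Name
    UserSid      = $identity.User.Value
    AccountType  = $accountType
    AuthType     = $identity.AuthenticationType   # e.g. NTLM or Kerberos
    IsAdminToken = $principal.IsInRole($adminRole)
    GroupCount   = @($groupNames).Count
}

$report | Format-List User, UserSid, AccountType, AuthType, IsAdminToken, GroupCount
$groupNames | Sort-Object | ForEach-Object { "  group: $_" }
```

A domain account logged on to a member server shows the domain name as the authority and typically Kerberos as the authentication type; the same user logging on with a SAM account shows the computer name and NTLM.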

8.1.3: Built-In User Accounts

Built-in user accounts are automatically created by Windows 2000, Windows XP Professional and Windows Server 2003. Windows Server 2003 creates four built-in user accounts: the Administrator account; the Guest account; the HelpAssistant account; and the Support_388945a0 account.

8.1.3.1: Administrator

The built-in Administrator user account is placed in the built-in Administrators group. It has the widest range of permissions and is used for computer management. If your computer is part of a domain, the built-in Administrator user account is used to manage the domain configuration. Tasks that can be performed using the Administrator user account include creating and modifying user accounts and groups, managing security policies, creating printers, and assigning permissions and rights to user accounts to gain access to resources. You cannot delete or remove the account from the built-in Administrators group, but you can disable or rename it. As a security precaution, you should create a user account that you use to perform non-administrative tasks. You should log on by using the Administrator user account only when you perform administrative tasks.

8.1.3.2: Guest

The built-in Guest user account is used to give occasional users the ability to log on and gain access to local and network resources. By default, the built-in Guest user account is disabled in Windows XP Professional and Windows Server 2003. You can configure the permissions for the Guest account and you can rename it, but you cannot delete it.

8.1.3.3: HelpAssistant

The HelpAssistant account is the primary account used to establish a Remote Assistance session. This account has limited rights and permissions on the computer. Remote Assistance allows a user at one computer to ask for assistance from a user at another computer, on the network or across the Internet. The assistant can remotely and actively assist someone with a computer problem, and can view the screen of the user requesting assistance and offer advice. In addition, the assistant can take control of the user's computer and perform tasks remotely.

8.1.3.4: Support_388945a0

The Support_388945a0 account is primarily used to control access to signed scripts that are accessible from within Help and Support Services. Administrators can use this account to delegate to an ordinary user, who does not have administrative access over a computer, the ability to run signed scripts from links embedded within Help and Support Services. These scripts can be programmed to use the Support_388945a0 account credentials instead of the user's credentials to perform specific administrative operations on the local computer that would otherwise not be permitted for the ordinary user's account.
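As an added example (not from the original text), the PowerShell script below audits the four built-in accounts described in 8.1.3 on the local computer via WMI. It identifies Administrator and Guest by their well-known RIDs (500 and 501), so the check still works after they have been renamed; matching the support account by the name pattern SUPPORT_* is an assumption of this example.

```powershell
# Added example: audit the built-in accounts that live in this computer's SAM.
$local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

$results = foreach ($acct in $local) {
    # The last component of the SID is the RID; 500 and 501 are fixed for the
    # built-in Administrator and Guest accounts regardless of their names.
    $rid  = [int](($acct.SID -split '-')[-1])
    $role = 'Ordinary local account'
    if     ($rid -eq 500)                   { $role = 'Built-in Administrator' }
    elseif ($rid -eq 501)                   { $role = 'Built-in Guest' }
    elseif ($acct.Name -eq 'HelpAssistant') { $role = 'Remote Assistance account' }
    elseif ($acct.Name -like 'SUPPORT_*')   { $role = 'Help and Support scripts account' }

    # Findings follow the text above: Administrator can be renamed or disabled
    # but never deleted; Guest ships disabled; the two service accounts should
    # only be enabled while Remote Assistance or signed scripts are in use.
    $findings = @()
    if ($rid -eq 500 -and $acct.Name -eq 'Administrator') { $findings += 'default name' }
    if ($rid -eq 500 -and $acct.Disabled) {
        $findings += 'disabled (confirm another administrative account exists)'
    }
    if ($rid -ne 500 -and $role -ne 'Ordinary local account' -and -not $acct.Disabled) {
        $findings += 'enabled'
    }
    if (-not $acct.PasswordRequired) { $findings += 'no password required' }

    New-Object PSObject -Property @{
        Name     = $acct.Name
        RID      = $rid
        Role     = $role
        Disabled = $acct.Disabled
        Findings = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'ok' }
    }
}

$results | Sort-Object RID | Format-Table Name, RID, Role, Disabled, Findings -AutoSize
```

Run it on each workgroup computer separately, since, as 8.1.1 notes, local accounts exist only in that computer's own SAM.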