Windows Server 2003 - Users
©2004 Team Approach Limited
All rights reserved


To log on successfully, a user must be identified and must satisfy a number of security checks, in this order:

1. Pass the name and password security check?
2. Pass the account restrictions?
   - Account enabled?
   - Within time restrictions?
   - From an appropriate computer?
3. Build the SAT (Security Access Token) containing:
   + User SID
   + Group SIDs
   + Group SIDs from nested membership
   + Rights as an individual user
   + Rights from group membership
4. Does the user have the right to log on?
5. Success

Predefined Users

Windows installs with the built-in accounts Administrator and Guest.

  • Administrator has full control of the system. The account can be renamed but not deleted. It should only be used in emergencies and its password should be guarded carefully. Regular administration should be done with other user accounts, which can be members of the Domain Admins group.
  • The Guest user account exists to allow infrequent users to access the system. If this account is enabled, users without a valid user account will automatically be logged on as Guest. The Guest account is a potential security hazard and is disabled by default. If you intend to enable it, ensure that resources are properly secured with DACLs. Note that Guest is a member of Everyone.

Additional user accounts are easily created with the Active Directory Users and Computers console.

Rights

Users can be granted administrative rights using policies as shown below. Users can also obtain these same rights by becoming a member of a group that has the right.

SID Security ID

A unique number, the SID, is generated for each account that is created. Internal references to a user, such as those in a DACL, use the SID rather than the user name. Renaming a user therefore causes no problem for other references to it, because the SID does not change. If a user object is deleted, its SID is deleted with it and cannot be recovered, and all references to that user become invalid. Recreating a user with the same name will not recover the lost references in a DACL, because the new user receives a different SID from the old user with the same name.

If a new user replaces someone who has left your organization, it is easier to rename the old user object than to create a new one and then recreate all of its security references.

Warning! Never delete a user account unless you also want to delete all references to the user, such as all references in DACLs.
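As an added example (not part of the original page), the following PowerShell check looks for exactly what the warning above describes: ACEs in a folder's DACL whose SID no longer maps to any account, which is what is left behind after a user object is deleted. It assumes a domain-joined Windows host and a sample folder path of its own; the function name is made up for this example.

```powershell
# Added example: find orphaned ACEs (SIDs that no longer resolve to an account)
# in the DACL of a file or folder. Assumes a domain-joined Windows host with
# read access to the path; the sample path below is constructed for the example.
param(
    [string]$Path = 'C:\Shares\Projects'   # assumed sample path
)

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Ask for the rules keyed by SID so every entry is compared the same way,
    # regardless of whether Windows could already resolve it to a name.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        $resolved = $true
        try {
            # Translation succeeds for live accounts and well-known SIDs;
            # it throws for a SID whose account object has been deleted.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $resolved = $false
        }

        if (-not $resolved) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid.Value
                Rights    = $rule.FileSystemRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Orphaned entries are dead weight at best; review and remove them rather than
# recreating a same-named user in the hope of reviving them (the SID will differ).
Get-OrphanedAce -Path $Path | Format-Table -AutoSize
```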

User Principal Names

A user can log on with a pre-Windows 2000 user name and a specified domain name. An alternative is to use the User Principal Name (UPN). The UPN has the same format as an e-mail address, e.g. jsmith@newdomain.com. The UPN has two parts: the user's common name and the UPN suffix. The UPN suffix is normally the user's logon domain, but it can also be set to match the user's e-mail address. A user's UPN must be unique in the forest.

UPN suffixes can be created via the Active Directory Domains and Trusts console.

Searching

Many of the user properties are only descriptive and are not needed for the basic operation of Windows, and in many cases administrators do not fill them in. When descriptive properties such as phone numbers are specified, directory searches can use them as search criteria.

Keyboard Exercise

Use the Active Directory Users and Computers console to create a user and examine the user properties.