User and computer accounts
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Active Directory user accounts and computer accounts represent a physical entity such as a computer or person. User accounts can also be used as dedicated service accounts for some applications.
User accounts and computer accounts (as well as groups) are also referred to as security principals. Security principals are directory objects that are automatically assigned security IDs (SIDs), which can be used to access domain resources. A user or computer account is used to:
Authenticate the identity of a user or computer.
A user account enables a user to log on to computers and domains with an identity that can be authenticated by the domain. For information about authentication, see Access control in Active Directory. Each user who logs on to the network should have his or her own unique user account and password. To maximize security, you should avoid multiple users sharing one account.
Authorize or deny access to domain resources.
Once the user has been authenticated, the user is authorized or denied access to domain resources based on the explicit permissions assigned to that user on the resource. For more information, see Security information for Active Directory.
Administer other security principals.
Active Directory creates a foreign security principal object in the local domain to represent each security principal from a trusted external domain. For more information about foreign security principals, see When to create an external trust.
Audit actions performed using the user or computer account.
Auditing can help you monitor account security. For more information about auditing, see Auditing overview.
User accounts
The Users container located in Active Directory Users and Computers displays the three built-in user accounts: Administrator, Guest, and HelpAssistant. These built-in user accounts are created automatically when you create the domain.
Each built-in account has a different combination of rights and permissions. The Administrator account has the most extensive rights and permissions over the domain, while the Guest account has limited rights and permissions. The table below describes each default user account on domain controllers running Windows Server 2003.
Default user account | Description |
---|---|
Administrator account | The Administrator account has full control of the domain and can assign user rights and access control permissions to domain users as necessary. This account must be used only for tasks that require administrative credentials. It is recommended that you set up this account with a strong password. For more information, see Strong passwords. For additional security considerations for accounts with administrative credentials, see Active Directory Best practices. The Administrator account is a default member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups in Active Directory. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account makes it more difficult for malicious users to gain access to it. For more information about how to rename or disable a user account, see Rename a local user account or Disable or enable a user account. The Administrator account is the first account created when you set up a new domain using the Active Directory Installation Wizard. |
Guest account | The Guest account is used by people who do not have an actual account in the domain. A user whose account is disabled (but not deleted) can also use the Guest account. The Guest account does not require a password. You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to log on to a domain. The Guest account is disabled by default, and it is recommended that it stay disabled. |
HelpAssistant account (installed with a Remote Assistance session) | The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance session and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and is automatically deleted if no Remote Assistance requests are pending. For more information about Remote Assistance, see Administering Remote Assistance. |
Securing user accounts
If built-in account rights and permissions are not modified or disabled by a network administrator, they could be used by a malicious user (or service) to illegally log on to a domain using the Administrator or Guest identity. A good security practice for protecting these accounts is to rename or disable them. Because it retains its security ID (SID), a renamed user account retains all its other properties, such as its description, password, group memberships, user profile, account information, and any assigned permissions and user rights.
To take advantage of user authentication and authorization, create an individual user account for each user who will participate on your network by using Active Directory Users and Computers. Each user account (including the Administrator and Guest accounts) can then be added to a group to control the rights and permissions assigned to the account. Using accounts and groups that are appropriate for your network ensures that users logging on to the network can be identified and can access only the permitted resources.
You can help defend your domain from attackers by requiring strong passwords and implementing an account lockout policy. Strong passwords reduce the risk of intelligent guessing and dictionary attacks on passwords. For more information, see Strong passwords and Best practices for passwords.
An account lockout policy decreases the possibility of an attacker compromising your domain through repeated logon attempts. This is because an account lockout policy determines how many failed logon attempts a user account can have before it is disabled. For more information, see Apply or modify account lockout policy.
For more information about securing user accounts, see Securing Active Directory.
Account options
Each Active Directory user account has a number of account options that determine how someone logging on with that particular user account is authenticated on the network. You can use the following options to configure password settings and security-specific information for user accounts:
Account option | Description |
---|---|
User must change password at next logon | Forces a user to change their password the next time they log on to the network. Use this option when you want to ensure that the user will be the only person who knows their password. |
User cannot change password | Prevents a user from changing their password. Use this option when you want to maintain control over a user account, such as a guest or temporary account. |
Password never expires | Prevents a user password from expiring. It is recommended that service accounts have this option enabled and use strong passwords. For more information about strong passwords, see Strong passwords. |
Store passwords using reversible encryption | Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not be used. For more information, see Store passwords using reversible encryption. |
Account is disabled | Prevents a user from logging on with the selected account. Many administrators use disabled accounts as templates for common user accounts. For more information, see Disable or enable a user account. |
Smart card is required for interactive logon | Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is automatically set to a random and complex value. For more information about smart cards, see Logging on to a computer with a smart card and Authentication process. |
Account is trusted for delegation | Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer where the service is running or on other computers. This is a security-sensitive capability and should be assigned cautiously. This option is only available on domain controllers running Windows Server 2003 where the domain functional level is set to Windows 2000 mixed or Windows 2000 native. Where the domain functional level is set to Windows Server 2003, delegation is configured on the Delegation tab instead, which appears only for accounts that have been assigned service principal names (SPNs) using the setspn command from the Windows Support Tools. For more information, see Allow a user to be trusted for delegation and Delegating authentication. For more information about domain functionality, see Domain and forest functionality. |
Account is sensitive and cannot be delegated | Ensures that this account cannot be delegated by another account. Use this option when you want to maintain control over a user account, such as a guest or temporary account. |
Use DES encryption types for this account | Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including MPPE Standard (40-bit), MPPE Standard (56-bit), MPPE Strong (128-bit), IPSec DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES). For more information about DES encryption, see Data encryption. |
Do not require Kerberos preauthentication | Provides support for alternate implementations of the Kerberos protocol. Domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time. Because preauthentication provides additional security, use caution when enabling this option. For more information about Kerberos, see Kerberos V5 authentication. |
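The options in the table above are stored as bits of the account's userAccountControl attribute. The following is an added example, not code from the original page, that decodes that attribute into the option names and reports the enabled accounts on which the authentication-weakening options are set; the bit values are the documented ADS_UF_* flags, and the sample records are constructed.

```python
# Added example, not from the original page: decode userAccountControl into the
# account options listed above and flag the ones that weaken authentication.
# Bit values are the documented ADS_UF_* flags; the sample records are constructed.

# Bit -> option name as shown in Active Directory Users and Computers.
UAC_FLAGS = {
    0x00000002: "Account is disabled",
    0x00000020: "Password not required",
    0x00000080: "Store passwords using reversible encryption",
    0x00000200: "Normal account",
    0x00010000: "Password never expires",
    0x00040000: "Smart card is required for interactive logon",
    0x00080000: "Account is trusted for delegation",
    0x00100000: "Account is sensitive and cannot be delegated",
    0x00200000: "Use DES encryption types for this account",
    0x00400000: "Do not require Kerberos preauthentication",
}

# Options that should be justified explicitly for every enabled account.
RISKY = {
    "Password not required",
    "Store passwords using reversible encryption",
    "Account is trusted for delegation",
    "Use DES encryption types for this account",
    "Do not require Kerberos preauthentication",
}

def decode_uac(value: int) -> list[str]:
    """Return the option names whose bits are set, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_accounts(records) -> dict[str, list[str]]:
    """Map sAMAccountName -> risky options set on it; disabled accounts are skipped."""
    findings = {}
    for name, uac in records:
        options = decode_uac(uac)
        if "Account is disabled" in options:
            continue  # cannot log on, so nothing to report
        risky = sorted(o for o in options if o in RISKY)
        if risky:
            findings[name] = risky
    return findings

# Constructed sample of (sAMAccountName, userAccountControl) pairs.
SAMPLE = [
    ("jdoe", 0x00000200),                                  # plain user account
    ("svc-backup", 0x00000200 | 0x00010000 | 0x00080000),  # never expires, trusted for delegation
    ("legacy-app", 0x00000200 | 0x00200000 | 0x00400000),  # DES only, no preauthentication
    ("Guest", 0x00000222),                                  # disabled, password not required
]
```

Running `audit_accounts(SAMPLE)` reports svc-backup for delegation and legacy-app for DES and missing preauthentication; "Password never expires" is deliberately not treated as risky, since the table recommends it for service accounts.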
InetOrgPerson accounts
Active Directory provides support for the InetOrgPerson object class and its associated attributes defined in RFC 2798. The InetOrgPerson object class is used in several non-Microsoft LDAP and X.500 directory services to represent people within an organization.
Support for InetOrgPerson makes migrations from other LDAP directories to Active Directory more efficient. The InetOrgPerson object is derived from the user class and can be used as a security principal just like the user class. For information about creating an inetOrgPerson user account, see Create a new user account.
When the domain functional level has been set to Windows Server 2003, you can set the userPassword attribute on InetOrgPerson and user objects as the effective password, just as you can with the unicodePwd attribute.
Computer accounts
Every computer running Windows NT, Windows 2000, or Windows XP, or a server running Windows Server 2003, that joins a domain has a computer account. Similar to user accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources. Each computer account must be unique.
Note: Computers running Windows 95 and Windows 98 do not have advanced security features and are not assigned computer accounts.
User and computer accounts can be added, disabled, reset, and deleted using Active Directory Users and Computers. A computer account can also be created when you join a computer to a domain. For more information about user and computer accounts, see Active Directory naming and Object names.
When the domain functional level has been set to Windows Server 2003, a new lastLogonTimestamp attribute is used to track the last logon time of a user or computer account. This attribute is replicated within the domain and can provide you with important information regarding the history of a user or computer.
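lastLogonTimestamp is stored as a Windows FILETIME, a count of 100-nanosecond intervals since 1 January 1601 UTC, so it has to be converted before it is useful for reviewing account history. The following is an added example, not code from the original page, that performs the conversion and lists user or computer accounts that have not logged on within a given window; the sample records and the reference time are constructed.

```python
# Added example, not from the original page: convert lastLogonTimestamp, a Windows
# FILETIME (100-nanosecond intervals since 1601-01-01 UTC), to a datetime and list
# accounts that have not logged on within a window. Sample values are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value: int):
    """Return the UTC datetime for a FILETIME, or None when the value is 0 (never set)."""
    if value <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, done in integer arithmetic to avoid float rounding."""
    delta = when - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10

def stale_accounts(records, now: datetime, max_age_days: int = 90) -> list[str]:
    """Return names whose lastLogonTimestamp is unset or older than max_age_days.

    The attribute is only rewritten when its stored value is more than about
    14 days old (minus a random offset), so it is accurate to roughly two weeks;
    keep max_age_days well above that to avoid false positives.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for name, ts in records:
        last = filetime_to_datetime(ts)
        if last is None or last < cutoff:
            stale.append(name)
    return stale

NOW = datetime(2007, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE = [
    ("ws01$", datetime_to_filetime(NOW - timedelta(days=3))),    # recently active
    ("ws02$", datetime_to_filetime(NOW - timedelta(days=120))),  # not seen for months
    ("contractor1", 0),                                          # never populated
]

if __name__ == "__main__":
    print(stale_accounts(SAMPLE, NOW))  # ['ws02$', 'contractor1']
```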