Windows 2000 SAM Storage

In Windows NT 4.0, both domain controllers and workstations store security principal accounts in the SAM database, which uses the registry as its underlying persistent storage. In Windows 2000, domain security principal accounts are stored in Active Directory instead of the registry. Although security accounts are stored in Active Directory, SAM is retained on Windows 2000 domain controllers for compatibility with those domains and applications that depend on it. SAM also is used by Windows 2000–based computers that are not domain controllers for local account storage. Thus, SAM manages security principal accounts. It uses Active Directory for storage of these accounts on a domain controller, and it uses the SAM database in the registry on workstations, stand-alone servers, and member servers SAM (Samsrv.dll) provides a simple form of name resolution, minimal transactions, replication, and secure storage for the security database.

In Windows 2000, there are two types of accounts: workstation accounts and domain accounts . Workstation accounts, which include user and group accounts on workstations, member servers, and stand-alone servers, are limited in scope to the physical computer where the accounts reside. A domain account has a broader scope than a workstation account; it extends to all physical computers within the domain. A workstation administrator, for example, has administrative privileges on the local computer (a workstation or member server), but a domain administrator has administrative privileges on all computers within the domain.

In Windows NT 3.51 and Windows NT 4.0, both categories of accounts are stored in the SAM database (in the registry). In Windows 2000, domain controllers store domain user, group, and computer accounts only in Active Directory; workstations and member servers continue to store local accounts in the SAM database. On Windows 2000 domain controllers, the existing SAM database is deleted and replaced by a new registry key that stores a small SAM database, which is used principally for Directory Services Restore Mode. When you start a domain controller in Directory Services Restore Mode, the SAM registry database is used for the security principal database instead of Active Directory.

In addition, Windows 2000 SAM supports the following:

  • Multimaster account replication among peer domain controllers

  • Creation and deletion of user properties

  • Read, write, and query third-party properties as defined by supplemental security packages in the LSA. (For more information about the LSA, see "Access Control" in this book.)

Domain controllers that are running Windows 2000 Server are completely compatible with domain controllers that are running Windows NT 4.0 — that is, a Windows NT 4.0–based client can be authenticated by a Windows 2000–based domain controller, and a Windows NT 4.0–based backup domain controller can continue to replicate with Windows 2000–based domain controllers. In a Windows 2000 domain, a Windows 2000–based domain controller can be configured to assume, or "emulate," the role of a primary domain controller (the PDC emulator flexible single-master operation role).

For more information about the PDC emulator role of a Windows 2000 domain controller, see "Managing Flexible Single-Master Operations" in this book, see "Determining Domain Migration Strategies" in the Deployment Planning Guide , and see Windows 2000 Server Help.

Mixed-Mode Storage Considerations

In mixed mode, account storage capacity is limited by the SAM database, which is still used for domain accounts on the backup domain controllers. A Windows NT 4.0–based backup domain controller is able to store approximately 40,000 security principal accounts (users, groups, and computers). The SAM database size does not decrease when you delete objects, but the database becomes fragmented and contains "empty" space. This empty space is reclaimed as new objects are added, which can result in less available storage than the number of accounts might indicate. For example, changing group membership leaves an unoccupied storage space for the membership that was removed.


Running Regback against the SAM database can remove the spaces, but only if the physical RAM of the computer is at least twice as large as the current SAM (because of the way Regback works). For information about techniques for compressing the SAM database, see the Knowledge Base link on the Web Resources page at . Search the Knowledge Base using the keywords "database" and "shrink."

SAM Structure

The Windows NT 4.0 and Windows 2000 SAM both contain collections of domain security accounts. A "domain" in the SAM sense can refer either to all of the accounts on a single computer or all of the accounts in a Windows domain. The Builtin container contains default local group accounts (such as Administrators and Users) that are installed whenever a new workstation, server, or domain controller is set up. It provides some basic account types, such as Administrator and Guest, that give the operator sufficient capability to add further accounts to the computer or domain. The Builtin container account SIDs are the same on every Windows 2000 or earlier system. These fixed SIDs allow the predefined groups to be placed in access control lists without regard to the domain of the system. For this reason, the objects in the Builtin container cannot be changed.

In Windows 2000, domains continue to contain the same objects as in Windows NT 4.0, as well as several additional properties on certain objects.

SAM Accounts on a Windows 2000 Server That Becomes a Domain Controller

When you install Active Directory on a computer that is running Windows 2000 Server to create a domain controller, you can either create a new domain or configure the domain controller to contain a copy of an existing domain. In both cases, the existing registry key that contains the SAM database is deleted and is replaced by a new, smaller SAM database. The security principals in this database are used only when the server is started in Directory Services Restore Mode.

The disposition of the security principals in the SAM database on the server is different in each case, as follows:

  • If you create an additional domain controller in an existing domain, the security accounts in the existing SAM database on the server are deleted. The accounts from the existing domain are replicated to Active Directory on the new domain controller.

  • If you create a new domain, the security accounts in the existing SAM database are preserved as follows:

    • User accounts become user objects in Active Directory.

    • Local groups in the account domain become group objects in Active Directory. The group type indicates a local group.

    • Built-in local groups become group objects in Active Directory. The group type indicates a built-in local group. These groups retain their constant SIDs and are stored in the Builtin container.

Migration of Windows NT 4.0 SAM Accounts to Active Directory Objects

When a Windows NT 4.0 domain controller is upgraded to Windows 2000, SAM security accounts are migrated to Active Directory objects. The relationship between Windows NT 4.0 accounts and Windows 2000 Active Directory objects is as follows:

  • "Normal" user accounts, which represent people, are stored as objects of the class user in Active Directory.

  • Computer user accounts (called "machine accounts" in Windows NT 4.0), which represent devices, are stored as objects of the class computer , which is a derived class of user and is exposed as the base class user to clients and domain controllers that are running earlier versions of Windows. (For more information about derived classes and base classes, see "Active Directory Schema" in this book.) By default, these accounts are placed in the Computers container after an upgrade, although there is no restriction that requires computer accounts to be confined to the Computers container. A control flag on the user account identifies the account type as a server or workstation, domain controller, or normal user account. Windows 2000 maintains the Windows NT 4.0 semantics (the flags that determine the nature of objects — for example, a computer versus a user object) for workstation accounts.


In Active Directory Users and Computers, the Role property ("attribute") on computer accounts indicates the account type. This property represents the userAccountControl flag value on the machineRole property of 4096 for a server or workstation or 8192 for a domain controller.

  • Global group accounts are stored as group objects in Active Directory.

  • Local group accounts from the SAM account domain are stored as group objects in Active Directory.

  • Built-in local group accounts from the SAM Builtin domain (for example, the Administrators group) are stored as domain local group objects in Active Directory in the Builtin container. Groups from the SAM Builtin domain have constant SIDs.

  • Backup domain controller computer accounts are represented identically to workstation computer accounts, except that a different flag is set to distinguish them.

  • LSA account objects grant privileges on the workstation computer to a particular account. They are maintained in the registry and synchronized between the domain controllers by being replicated to the workstation policy. By default, each domain controller in the domain has the same workstation policy. Therefore, a change to an LSA account object updates the corresponding workstation policy for the PDC emulator. The workstation policy change replicates to every other Windows 2000 domain controller in the domain.

The upgrade from a given Windows NT 4.0 SAM account to the corresponding Windows 2000 Active Directory object is summarized in Table 2.7.

Table   2.7 Upgrade of Windows   NT   4.0 Accounts to Windows   2000 Active Directory Objects

Windows NT 4.0 SAM

Windows 2000 Active Directory

Normal user account

User object.

Computer user account

Computer object, where the user account control flag indicates a workstation trust account.

Domain controller account

Computer object, where the user account control flag indicates a server trust account.

Global group in an account domain

Group object, where the group type indicates a global group.

Local group in an account domain

Group object, where the group type indicates a local group.

Local group in the Builtin domain

Group object, where the group type indicates a local group as well as Builtin group (for example, Administrators, Backup Operators, and so forth).

Domain trust account

Trusted domain object. (Assumes the role of both inbound and outbound halves of the trust relationship; there is also a domain trust account of class user for backward compatibility.)

Trusted domain object

Trusted domain object, upgraded.

For more information about upgrade issues, see "Determining Domain Migration Strategies" in the Deployment Planning Guide .