NT Accounts: A Starting Point
by Phil Cox
Phil is a member of the Computer Incident Advisory Capability (CIAC)
for the Department of Energy. He also consults and writes on issues
bridging the gap between UNIX and Windows NT.
NT and UNIX Parallels

I find it's simplest to describe Windows NT accounts to experienced UNIX users by using NIS as a reference. To begin, think of the NT domain as an NIS domain (and for those of you who care, NT5 domains are similar to NIS+ domains). Similarly, the NT Security Accounts Manager Database (SAM) is roughly equivalent to the UNIX passwd file. An NT Member server is roughly equivalent to a UNIX server which is NOT an NIS master or slave (but is part of the NIS domain). A Windows NT Primary Domain Controller (PDC) is roughly equivalent to a UNIX NIS master, and a Windows NT Backup Domain Controller (BDC) to a UNIX NIS slave server (NOTE: unlike UNIX slave servers, the BDC does not have its own separate SAM; it uses the Domain SAM exclusively). Whew! That's a lot of relationships! See the table below for reference.

Trust

Before we go any further, we have to talk about "trust" and how it is used in Windows NT Domain structures. When one NT domain "trusts" another, the accounts and groups defined in the "trusted" domain can be used for authentication and authorization in the "trusting" domain. For example, let's say the account "pcc" is a member of the Windows NT domain "NTS" (written with the syntax "NTS\pcc"). Further, let the Windows NT domain "IWI" trust "NTS" (so that NTS is trusted, and IWI is trusting). Then I can log on to a machine that is part of the IWI domain with the account "NTS\pcc". The IWI domain knows to contact the trusted domain and validate my logon credentials. For the sake of this article, it is enough to understand that Windows NT domain accounts can be used in other domains if a trust relationship has been established.

Account Types

With these analogies in hand, let's look at the three types of Windows NT accounts and their usage.

The first type of account is the Local account. It is like a user account in the /etc/passwd file on a UNIX workstation. Although the machine is part of an NIS domain, the accounts in the local /etc/passwd file are valid for that machine alone. This is true for NT as well. Any account defined in the SAM of an individual workstation or member server is for that host alone. Local accounts are only valid when used on the machine for which they were created. There is also a special class of local accounts called "built-in." These accounts are used mostly for system purposes and are not usually modified. Some of the built-in, or special, accounts are Creator/Owner, System, and others. These accounts are seen when setting access control entries, but are not seen when managing regular local user accounts.

The second type of account is the Domain account. These accounts are defined in the SAM on the PDC, much as NIS accounts are defined in the /etc/passwd file on the NIS master server. These accounts, like NIS accounts, are valid for any and all machines that participate in the domain, and in any domain by which this domain is trusted.

The third type of account is the Domain Local account. It is actually a Local account on the PDC, as defined above. Since the machine is the PDC, and the PDC's SAM is the SAM for the BDCs as well, this account becomes "local" to the PDC and all BDCs in the domain. Normally, a user defined in the SAM on the PDC would become a "Domain User" and would have the characteristics (described in the paragraph above) of such an account. A Domain Local account, however, is specially marked and is not seen in the regular list of "Domain Users."

Which Account To Use

You might wonder, "When might I choose one account type over another?" Local accounts are typically used when you want to restrict access to an individual machine. Domain accounts (by far the most common) are applicable when you want to allow access to a wide range of resources. Finally, use Domain Local accounts when you require an account that will have access to resources on Domain Controllers but isn't trusted outside of the Domain itself.

All NT accounts are administered through a "User Manager," but, depending on the account, you'll need the right manager! All local accounts are administered through the "User Manager" (musrmgr.exe) directly on the host itself. All domain-related accounts are administered with the "User Manager for Domains" (usrmgr.exe) from any host that has the program and has permission to connect to the domain.

While the naming convention may be new, many of the same concepts that apply to accounts in UNIX also apply to NT. If you've mastered the fundamentals of UNIX logins and NIS domains and servers, you're well on your way to understanding NT accounts and domain controllers.
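The validity rules from the Trust and Account Types sections, as an added example (my own Python model, not code from the article): the domain, host and account names are constructed, and the model answers only where an account can be used for logon, not password checking or group membership.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    """An NT domain: its controllers share one Domain SAM; each member has its own SAM."""
    name: str
    controllers: set          # PDC plus BDCs (constructed host names)
    members: set              # member servers and workstations
    trusts: set = field(default_factory=set)  # domains THIS domain trusts (it is the "trusting" side)

@dataclass(frozen=True)
class Account:
    name: str
    kind: str    # "local", "domain" or "domain_local"
    scope: str   # host name for a local account, domain name otherwise

def domain_of_host(domains, host):
    """Find the domain a host participates in (None if unknown)."""
    for dom in domains.values():
        if host in dom.controllers or host in dom.members:
            return dom
    return None

def can_logon(domains, host, acct):
    """Apply the article's validity rules to one (host, account) pair."""
    dom = domain_of_host(domains, host)
    if dom is None:
        return False
    if acct.kind == "local":
        # valid only on the machine whose SAM defines it
        return acct.scope == host
    if acct.kind == "domain_local":
        # local to the PDC, hence to every BDC sharing the Domain SAM; never honoured by a trusting domain
        return host in domains[acct.scope].controllers
    if acct.kind == "domain":
        # valid throughout its own domain and in any domain that trusts it
        # (NT trusts are one-way and non-transitive, so only a direct trust counts)
        return acct.scope == dom.name or acct.scope in dom.trusts
    raise ValueError(f"unknown account kind: {acct.kind}")

def example_topology():
    """Constructed sample: IWI trusts NTS (NTS is trusted, IWI is trusting)."""
    nts = Domain("NTS", {"NTS-PDC", "NTS-BDC"}, {"NTS-WS1"})
    iwi = Domain("IWI", {"IWI-PDC"}, {"IWI-WS1"}, trusts={"NTS"})
    return {"NTS": nts, "IWI": iwi}
```

With `example_topology()`, `can_logon(topo, "IWI-WS1", Account("pcc", "domain", "NTS"))` reproduces the article's NTS\pcc logon on an IWI machine, while the reverse direction (an IWI account on an NTS host) is refused because NTS does not trust IWI.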
Last changed: 1st February 1999