Tip

Using Active Directory security principals

A security principal is an identity that can be granted or denied permissions. The ones this tip covers are the fixed, well-known security principals that Windows defines and manages automatically; each has a well-known SID that is the same on every installation (Everyone is always S-1-1-0, for example). Windows 2000 has many of them; some behave like individual accounts, others like groups. They do not appear as editable objects in Active Directory Users and Computers, so administrators cannot rename them or change their membership. They show up only in the permission-assigning dialogs, where your only control over them is to grant or deny them access on objects.

Well-known security principals simplify access control in situations that depend on how a subject connected rather than on who it is. A subject is placed in one of these groups automatically, at logon time, when it meets the group's criterion, such as dialing in or connecting through a Terminal Services session, and the membership lasts only for that session. This makes each of them a kind of dynamic group whose membership Windows computes for you: an ACE granted to Network, for instance, applies to a user when she comes in over the network but not when the same user sits at the console.

Here is a list of the well-known security principals:

(Note: a subject can be a user account or a process running under some account; what matters is the access token presented when the object is opened.)

Anonymous Logon - any subject accessing a server or service without providing logon credentials. This is also called a null session; the classic example is an anonymous connection to the IPC$ share.

Authenticated Users - any subject whose identity was verified at logon (for example, with a username and password or another authentication factor). This dynamic group includes all defined user accounts except the Guest account. Unlike Everyone, it never includes anonymous connections, which is why it is the safer choice when you want to grant access to "all users".

Batch - any subject whose logon was performed under the user right "Log on as a batch job", which is how the Task Scheduler runs a job.


Creator Owner - a placeholder rather than a real account. When an inheritable ACE is granted to Creator Owner on a container, each object created beneath it receives a copy of that ACE with the placeholder replaced by the SID of the account that owns the new object (normally its creator; for members of the Administrators group the owner may be the Administrators group instead). It is how "users may modify the files they create" is expressed with a single ACE on the parent.

Creator Group - the companion placeholder to Creator Owner, replaced on inheritance by the SID of the primary group of the new object's owner. Windows itself uses the primary group chiefly for POSIX compatibility, so this placeholder is rarely needed in Windows-only environments.

Dialup - any subject logged on through a dial-up or VPN connection to the Remote Access Service.

Enterprise Domain Controllers - all of the Active Directory domain controllers in the forest, regardless of domain.

Everyone - all possible subjects, both those with enumerated user accounts and those that present no name at all. In Windows 2000 it includes Authenticated Users, Anonymous Logon and Guest, so a permission granted to Everyone is reachable over a null session. (From Windows XP and Windows Server 2003 onward Anonymous Logon is no longer a member of Everyone by default; the policy "Network access: Let Everyone permissions apply to anonymous users" restores the Windows 2000 behaviour.)

Interactive - any subject logged on locally, at the keyboard and screen of the computer where the resource resides. Users connected through a Terminal Services session are also members of Interactive, in addition to Terminal Server User.

Network - any subject whose authentication request came from another computer, for example a user opening a file share or connecting to a service over the network. The same account is in Network when it connects remotely and in Interactive when it logs on at the console, never both in the same token.

Self - a placeholder that stands for the object itself, meaningful only on objects that are themselves security principals (users, groups and computers). An ACE granted to Self on a user object applies to that user when it accesses its own account; the default ACL on user objects, for example, grants Self write access to the Personal Information property set so users can update their own contact details. It has no meaning on OUs or other containers, which are not security principals.

Service - any subject that was authenticated as a service, that is, under the user right "Log on as a service".

System - the identity of the Windows 2000 operating system itself, also known as Local System (NT AUTHORITY\SYSTEM). Most services run as System by default. On the local computer it holds the widest range of access and privileges of any account, which is why a service running as System is a prime target for an attacker. When a System process accesses a resource across the network it authenticates with the computer's domain account, so remotely it appears as DOMAIN\COMPUTERNAME$ rather than as System.

Terminal Server User - any subject that connected or logged on through a Terminal Services session. Membership is decided by the logon, not by the account, so the same user is in this group during a Terminal Services session and out of it when logged on at the console.
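The two behaviours that catch people out in the list above are that Creator Owner is a placeholder rewritten at creation time, and that permissions granted to Everyone (and, on Windows 2000, therefore to Anonymous Logon) are the ones worth hunting for. The following PowerShell script is an added example, not code from the original tip or its author. It builds a throw-away directory under $env:TEMP, puts an inheritable Creator Owner ACE and a deliberately weak Everyone ACE on it, shows what a child object actually receives, and then runs a small audit function (Find-BroadGrant, a name chosen here) that reports Allow ACEs giving write-class rights to Everyone, Anonymous Logon or Authenticated Users. It keys on the well-known SIDs rather than display names, which are localised. It needs Windows PowerShell 5.1 or newer on Windows and no domain membership; it touches nothing outside the scratch directory.

```powershell
# Added example for this tip (not the author's code). Demonstrates on a scratch
# directory under $env:TEMP:
#   1. CREATOR OWNER is a placeholder, replaced by the real owner's SID on each
#      object created beneath the container that carries the ACE.
#   2. Find-BroadGrant (name chosen here) flags Allow ACEs that give write-class
#      rights to Everyone, Anonymous Logon or Authenticated Users.
# Requires Windows PowerShell 5.1+ on Windows; no domain membership needed.
using namespace System.Security.Principal
using namespace System.Security.AccessControl

# Well-known SIDs are fixed on every installation; display names are not.
$WellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-3-0'  = 'Creator Owner'
    'S-1-3-1'  = 'Creator Group'
    'S-1-5-1'  = 'Dialup'
    'S-1-5-2'  = 'Network'
    'S-1-5-3'  = 'Batch'
    'S-1-5-4'  = 'Interactive'
    'S-1-5-6'  = 'Service'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-9'  = 'Enterprise Domain Controllers'
    'S-1-5-10' = 'Self'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-13' = 'Terminal Server User'
    'S-1-5-18' = 'System'
}
$BroadSids = 'S-1-1-0', 'S-1-5-7', 'S-1-5-11'   # Everyone, Anonymous Logon, Authenticated Users

function ConvertTo-Sid([IdentityReference]$Id) {
    # Get-Acl hands back resolved NTAccount names; normalise to the SID.
    $Id.Translate([SecurityIdentifier])
}

function Find-BroadGrant {
    # Reports Allow ACEs on $Path that grant any write-class right to a broad principal.
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [FileSystemRights]::Write -bor [FileSystemRights]::Delete -bor
                 [FileSystemRights]::ChangePermissions -bor [FileSystemRights]::TakeOwnership
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = (ConvertTo-Sid $ace.IdentityReference).Value
        if ($ace.AccessControlType -eq [AccessControlType]::Allow -and
            $BroadSids -contains $sid -and
            ([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            [pscustomobject]@{
                Principal = $WellKnown[$sid]
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Scratch directory; constructed for this demonstration and removed at the end.
$root = Join-Path $env:TEMP ('principal-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
try {
    $acl = Get-Acl -Path $root
    # Inherit-only ACE: CREATOR OWNER gets Modify on whatever is created below $root.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        [SecurityIdentifier]'S-1-3-0', [FileSystemRights]::Modify,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::InheritOnly, [AccessControlType]::Allow))
    # Deliberately weak ACE for the audit to catch: Everyone may modify.
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        [SecurityIdentifier]'S-1-1-0', [FileSystemRights]::Modify,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None, [AccessControlType]::Allow))
    Set-Acl -Path $root -AclObject $acl

    # Create a child and look at the ACEs it inherited.
    $child    = New-Item -ItemType Directory -Path (Join-Path $root 'child')
    $childAcl = Get-Acl -Path $child.FullName
    $owner    = $childAcl.GetOwner([SecurityIdentifier])   # SID Windows recorded as owner

    "Inherited ACEs on $($child.FullName) (owner $owner):"
    foreach ($ace in $childAcl.Access | Where-Object IsInherited) {
        $sid  = ConvertTo-Sid $ace.IdentityReference
        $note = if ($sid -eq $owner -and $ace.FileSystemRights -eq [FileSystemRights]::Modify) {
                    '<- CREATOR OWNER placeholder resolved to the owner'
                } elseif ($WellKnown.ContainsKey($sid.Value)) { $WellKnown[$sid.Value] } else { '' }
        '{0,-40} {1,-30} {2}' -f $ace.IdentityReference, $ace.FileSystemRights, $note
    }

    ''
    "Broad write grants on ${root}:"
    Find-BroadGrant -Path $root | Format-Table -AutoSize
}
finally {
    Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
}
```

Two things to look for in the output: the child carries both the inherit-only Creator Owner ACE (passed on for its own descendants) and an effective Modify ACE for the actual owner, which is the rewritten placeholder; and the audit lists the Everyone grant. Point Find-BroadGrant at a production share and, on Windows 2000, treat every Everyone hit as reachable by a null session.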


James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in August 2002
