
Using Active Directory security principals

Details on what security principals are and what they do in Microsoft Active Directory.

A security principal is a fixed account defined and managed automatically by Active Directory. There are many security principals within Windows 2000, some of which are simple user accounts while others are groups. These security principals appear only in permission-assigning dialog boxes, so they cannot be managed or adjusted by administrators. Instead, your only access to these entities is to assign or restrict access for them on objects.

The security principals should be used to simplify how access is distributed for unique or variable circumstances. Users are assigned a security principal membership when they meet a specific criterion, such as dialing in or using a Terminal Services session. This makes the security principal a type of dynamic container for managing user access and privileges.

Here is a list of the security principals:

(Note: a subject can be an actual user account or a process)

Anonymous Logon - any subject accessing a server or service without providing logon credentials. This is also called a null session.

Authenticated Users - any subject that has been properly authenticated (e.g. through a username and password or another authentication factor). This dynamic group includes all defined user accounts except for the Guest account.

Batch - any subject whose authentication was performed under the user right "log on as a batch job" or whose execution was launched through the Task Scheduler.

Creator Owner - the subject who created an object and/or who currently owns an object.

Creator Group - the primary group of an object's current owner.

Dialup - any subject logged on via a dial-up or VPN connection.

Enterprise Domain Controllers - all of the Active Directory domain controllers within the forest.

Everyone - all possible subjects, both those with enumerated user accounts and those without a name. Includes Authenticated Users, Anonymous Logon and Guest.

Interactive - any subject who logged on via the local hardware of the same computer where the resource resides.

Network - any subject whose authentication request originated from a different computer.

Self - a placeholder used to grant permissions to the object for the object itself. Often used on container objects like OUs.

Service - any subject that was authenticated as a service (i.e. via the user right "log on as a service").

System - the primary identity of the Windows 2000 core, also known as Local System. All services run under the System principal by default. This account has the widest range of access and privileges of any account under Windows 2000.

Terminal Server - any subject that connected or logged on via a Terminal Services session.
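Because these principals can only be granted or denied access on objects, the practical check is to find where they appear in an object's ACL. The following PowerShell is an added example, not code from the article: it maps the identities listed above to their well-known SIDs and reports every ACE on an Active Directory object that names one of them, so broad grants to Everyone or Anonymous Logon stand out. It assumes the ActiveDirectory module (which provides the AD: drive) is installed, and the OU path is a placeholder you replace with your own.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module; $ouPath is a placeholder distinguished name, change it to a real OU.
Import-Module ActiveDirectory

# Well-known SIDs for the special identities described in the article
$wellKnown = @{
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-3'  = 'Batch'
    'S-1-3-0'  = 'Creator Owner'
    'S-1-3-1'  = 'Creator Group'
    'S-1-5-1'  = 'Dialup'
    'S-1-5-9'  = 'Enterprise Domain Controllers'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'Interactive'
    'S-1-5-2'  = 'Network'
    'S-1-5-10' = 'Self'
    'S-1-5-6'  = 'Service'
    'S-1-5-18' = 'System'
    'S-1-5-13' = 'Terminal Server'
}

$ouPath = 'AD:\OU=Example,DC=example,DC=com'   # placeholder, replace with your OU

# Read the object's security descriptor through the AD: drive
$acl = Get-Acl -Path $ouPath

foreach ($ace in $acl.Access) {
    # Translate the ACE identity (usually an NTAccount) to its SID so the
    # comparison does not depend on localized display names
    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue   # unresolvable identity; not one of the special principals
    }

    if ($wellKnown.ContainsKey($sid)) {
        [pscustomobject]@{
            Principal = $wellKnown[$sid]
            Type      = $ace.AccessControlType       # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to review the grants; an Allow ACE for Everyone or Anonymous Logon that is not inherited deserves a second look.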

James Michael Stewart is a researcher and writer for Lanwrights, Inc.
