Introducing Users and Groups

User Accounts

Every user account in the domain has a unique ID called the security ID (SID). The SID is the primary way in which NT tracks permissions. These permissions are placed in an Access Control List (ACL).

At the time of logon, each user is assigned a security access token, which includes the user's SID and information on group memberships and the associated SIDs for those groups. The security access token is created by Windows NT, and a copy is passed to whatever process the user requests to access. Validation of permission to perform that process[md]whether the process is running a program or just accessing a file[md]is based on the security access token interacting with the ACL.

A user account (UA) is the external identification used for clients of the Windows NT domain that want to have an authenticated logon to the domain (the SID is used only internally and is never seen by users or Administrators). The user account includes information about the client, such as the user name (the ID used for logging onto a Windows NT network); permissions; and, among other administrative items, rules, which are known as profiles.

When a user account is deleted from a domain, the SID associated with that account is never reused. Even if the same user name is used with a new account, a new SID is generated.

By default, an account named Guest is established on a Microsoft Windows NT Server. This account is given the default permissions that have been established for the domain in which the server participates. The Guest account must be enabled if you want to use it.

Other information that is part of a user account includes a full name, a free-form description, a password for logging into the domain, domain group memberships, password restrictions, the location of a home directory, a logon script, and the range of hours allowed for a permissible logon, among other items.


Microsoft Windows NT Server domain groups are containers that can logically group together multiple user accounts. This way, permissions can be assigned to a group, and then any user account placed in that group is assigned those permissions. Each group has a SID associated with it, and that SID is included in a user's security access token.

There are two types of Microsoft Windows NT Server domain groups: local groups and global groups.

A local group is generally created to provide access to a specific resource. For example accounts with access to upload files using the FTP server would be added to an account called FTP users. A local group can contain a user accounts or global groups.

A global group is a way to organize user accounts. You may create a global group for all of the administrative staff.

Microsoft Windows NT Server comes with predefined groups that already have permissions assigned based on the permission (or lack of) to perform administrative tasks. The Administrators group, which already includes the default user account, Administrator, gives permission to all system functions. The Backup Operators group only has access to the Windows NT Backup applet, it can log onto the server at the server console, and it can shut down the server. The Domain Users group only allows access to the server from a remote computer (not from the server console itself).

The User Manager for Domains enables Administrators to add user accounts to groups, create user accounts, and create groups.

In addition to the User Manager for Domains there is also an NT Administrative Wizard that can be used to create accounts. There is a known problem with this Wizard and the creation of home directories. For this reason I do not recommend the use of the Wizard.