Most of us are probably familiar with user accounts whether you’re in a business environment or working on a single computer in a home office. What do user accounts actually do? In simple terms, they provide individuals with the ability to log on to a network or computer. User accounts provide local computers or domain controllers with a way of authenticating the identity of a user and they are used to grant or deny users access to resources.
Every single person in the world has their own unique identity. This should be the same for users logging onto a computer or network. Every person that logs on to a network or local computer should have their own unique user account. Not only is it a good security practice but it also lets each user benefit from such things as unique profile settings.
As you begin working with Windows Server 2003, you will soon see that there are a few changes to user accounts from Windows 2000. In terms of the types of user accounts, there still remains the three: local user accounts, domain user accounts, and built-in user accounts.
Local User Accounts
Like the name implies, local user accounts are local to a specific computer. A local user account gives a user the ability to log on to a local computer and access local resources only. Once a local user account is created it is stored within the local security database only. So if you create a local user account on a member server within a domain, the information would not be replicated to any domain controllers. When you log on with a local account, the local computer authenticates the log on request using its local security database.
Local user accounts can be created using the Local Users and Groups found within the Computer Management snap-in. You can create local accounts on client workstations and those running Windows Server 2003 configured as member servers or stand alone servers. The Users folder will list the built in accounts that are created when the operating system is installed as well as any other local accounts you create.
Once you install Active Directory and promote the computer to a domain controller, user accounts have to be created using the Active Directory Users and Computers snap-in. This brings us to our discussion on domain user accounts.
Domain User Accounts
Domain user accounts are stored as objects within Active Directory as replicated between domain controllers in the same domain. A domain user account gives a user the ability to log on to a domain and access resources for which the account has been granted access. They provide users with a single sign on meaning they only need to log on once to access network resources.
During the logon process a user provides a valid name and password. A domain controller within the domain uses the information provided by the user to authenticate them and generate an access token. An access token is similar to a form of identification that you might present to someone to identify yourself. The access token then identifies the user to other computers when they attempt to access resources.
Built-in User Accounts
The third type of user account is those that are built-in. Once you install Windows Server 2003 several user accounts are automatically created. These include the Administrator, Guest, and HelpAssistant accounts. Logging on with the Administrator account gives you the right to administer the computer/domain. The Guest account is designed mainly for those users requiring occasional access to the network. The HelpAssistant account is installed with a Remote Assistance session. By default, both the Guest and HelpAssistant account are disabled.