Active Directory uses accounts to secure access for users and computers. Each account carries a Security Identifier, or SID, that uniquely identifies it, along with a password and the attributes associated with that account. This video looks at how accounts work and how they are used for security.
Security Identifier (SID)
A SID is used in security to identify a user or computer account. Short SIDs like S-1-1-0 are well-known SIDs that are not tied to any particular computer or domain. Regardless of which computer they are used on, whether in a domain or not, a short SID like this always represents the same thing. For example, S-1-1-0 always means Everyone on any Windows system.
Longer SIDs like S-1-5-21-1218951425-845968048-208583963-2209 are used in a domain. Because the SID, rather than the name, is what uniquely identifies the user, the other attributes of the user are free to change. For example, the user’s first and last names can change at any time without affecting any permissions that have been granted to the SID.
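The following PowerShell is an added example, not code from the original video, that takes the two SIDs discussed above apart using the .NET SecurityIdentifier class that ships with Windows PowerShell. It reports whether a SID is well-known, and for a domain account SID it splits off the issuing domain's SID from the trailing relative identifier (RID). The domain SID is the illustrative one quoted in the text; name resolution only works for SIDs this machine can actually look up.

```powershell
# Added example (not from the original article): decompose SIDs with the
# .NET SecurityIdentifier class. The domain SID below is the illustrative
# value from the text, not a real account.
function Get-SidInfo {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)

    # Well-known SIDs (S-1-1-0 is the World/Everyone group) mean the same
    # thing on every Windows system, domain-joined or not.
    $isEveryone = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::WorldSid)

    # Account SIDs end in a RID; AccountDomainSid is the issuing domain's SID
    # with that RID removed. RIDs below 1000 are reserved for built-in
    # principals (for example 500 is the built-in Administrator).
    $isAccount = $sid.IsAccountSid()
    $domainSid = if ($isAccount) { $sid.AccountDomainSid.Value } else { $null }
    $rid       = if ($isAccount) { [int]($SidString.Split('-')[-1]) } else { $null }

    # Translation to a name needs the local SAM or a reachable domain controller
    # to know the SID; well-known SIDs always resolve.
    $name = try {
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved on this machine>'
    }

    [pscustomobject]@{
        Sid          = $sid.Value
        IsEveryone   = $isEveryone
        IsAccountSid = $isAccount
        DomainSid    = $domainSid
        Rid          = $rid
        Name         = $name
    }
}

Get-SidInfo 'S-1-1-0'
Get-SidInfo 'S-1-5-21-1218951425-845968048-208583963-2209'
```

On any Windows host the first call resolves to Everyone; the second reports the domain SID S-1-5-21-1218951425-845968048-208583963 and RID 2209, and its name resolves only if a domain controller for that domain can be reached.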
When you change the attributes of a user, such as their name, the change does not affect security or other systems, because the account is tied to the SID rather than to the name. Some changes may still be noticeable; for example, the folder that holds the user’s profile keeps the old username after the username is changed.
If a person leaves the company, it is common practice to disable the account rather than delete it. Disabling the account preserves the SID, the security applied to that user, and any certificates associated with that user. When the user’s replacement is hired, the account can simply be re-enabled and renamed for the new user.
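The leaver and replacement procedure above, written out with the RSAT ActiveDirectory module as an added example (not the video's own code). The account name j.doe, the new name Jane Roe and the UPN suffix corp.example.com are placeholders; every cmdlet that changes the directory carries -WhatIf so the script only previews the changes until you remove it. The password reset and group review are added steps that the video does not mention but that the procedure needs in practice.

```powershell
# Added example (not from the original article): handle a leaver by disabling
# the account, then reuse the same object for the replacement. Identities,
# names and the UPN suffix are placeholders. Remove -WhatIf to apply changes.
Import-Module ActiveDirectory

$account   = Get-ADUser -Identity 'j.doe'
$sidBefore = $account.SID.Value

# 1. Leaver: disable, do not delete, so the SID, ACL entries and certificates survive.
Disable-ADAccount -Identity $account -WhatIf
Set-ADUser -Identity $account -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): left company" -WhatIf

# 2. Replacement hired: rename the same object and set the new person's attributes.
#    The account keeps every permission the leaver had, so review group
#    membership before re-enabling it rather than inheriting it blindly.
Get-ADPrincipalGroupMembership -Identity $account | Select-Object Name

Rename-ADObject -Identity $account.DistinguishedName -NewName 'Jane Roe' -WhatIf
Set-ADUser -Identity $account -GivenName 'Jane' -Surname 'Roe' -DisplayName 'Jane Roe' `
    -SamAccountName 'j.roe' -UserPrincipalName 'j.roe@corp.example.com' -WhatIf

# 3. New credentials for the new holder, then re-enable.
$newPassword = Read-Host -AsSecureString -Prompt 'Initial password for the new user'
Set-ADAccountPassword -Identity $account -Reset -NewPassword $newPassword -WhatIf
Set-ADUser -Identity $account -ChangePasswordAtLogon $true -WhatIf
Enable-ADAccount -Identity $account -WhatIf

# 4. Verify: the SID is unchanged, so existing permissions still apply to the new holder.
$sidAfter = (Get-ADUser -Identity $account).SID.Value
[pscustomobject]@{ SidBefore = $sidBefore; SidAfter = $sidAfter; Unchanged = ($sidBefore -eq $sidAfter) }
```

Because $account was fetched once and is passed as an object, the later cmdlets resolve it by its object GUID, so the lookups keep working after the sAMAccountName has been changed.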
User Authentication Process
When a user logs on to a network, an access token is generated for that user. Inside the access token is the user’s SID. When this access token is presented to another system, that system can read the user’s SID from the access token.
If the user is a member of any groups, the SID of each group is also placed inside the access token. Another system can look at this access token and determine the group membership of that user.
Any change made to a user’s group membership requires a new token to be created. For this to occur, the user must log off and log back on again so that a new token is generated.
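To see the token contents described above, the following added example (not from the original video) reads the current logon session's access token through the .NET WindowsIdentity class. It lists the user SID and every group SID the token carries; on a domain-joined machine these include domain groups. It runs on any Windows host and needs nothing beyond Windows PowerShell.

```powershell
# Added example (not from the original article): inspect the access token of
# the current logon session. Group SIDs are whatever was in the token at logon,
# so a group change made since then will not appear until the user logs on again.
function Get-TokenSummary {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # The user's own SID is in the token...
    $user = [pscustomobject]@{
        Sid  = $identity.User.Value
        Name = $identity.Name
    }

    # ...along with the SID of every group the user belonged to when the token was built.
    $groups = foreach ($groupSid in $identity.Groups) {
        $name = try {
            $groupSid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            '<unresolved on this machine>'
        }
        [pscustomobject]@{ Sid = $groupSid.Value; Name = $name }
    }

    [pscustomobject]@{
        User       = $user
        GroupCount = @($groups).Count
        Groups     = $groups
    }
}

$token = Get-TokenSummary
$token.User
$token.Groups | Format-Table -AutoSize
```

The built-in `whoami /groups` command shows the same group list from the same token. Comparing this output with `Get-ADPrincipalGroupMembership` for the same user is a quick way to confirm whether a recent group change has taken effect yet: the directory shows the new membership immediately, the token does not until the next logon.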
User Naming Standards
Before you start creating accounts in Active Directory, your company should settle on a naming standard for them. For user accounts, you could use first initial dot last name. Whichever standard you choose, it should be designed to reduce the number of people who would end up with the same username. For example, John Doe and Jane Doe both get the username J.Doe under the first initial dot last name standard. Since Active Directory does not allow two or more users to have the same username, one of them will need to change. Many administrators add a number to the end of the username to make it unique within the organization.
User Log On Standards
Active Directory supports two logon name formats for accessing the domain. The first dates back to Windows NT and takes the form domain\username. The second looks like an e-mail address and takes the form username@domainname (the user principal name, or UPN).
Pre-Windows 2000 Logon Name
When you create a new account in Active Directory, a pre-Windows 2000 logon name is configured that matches the username where possible. You are free to change the pre-Windows 2000 logon name, but in most cases it is best to keep it the same as the username. The pre-Windows 2000 logon name is limited to 20 characters. Very old clients like Windows NT use only the pre-Windows 2000 logon name. Modern non-Microsoft systems should not need it, but a very old system may still require it.
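The three points above (the first initial dot last name standard with a numeric suffix for collisions, the two logon name formats, and the 20-character pre-Windows 2000 limit) come together in the following added PowerShell example, which is not code from the original video. It generates a username from a person's name, checks it against a constructed set standing in for the existing accounts, and returns both logon forms. The NetBIOS domain CORP and UPN suffix corp.example.com are assumed placeholders.

```powershell
# Added example (not from the original article): build a username under the
# "first initial dot last name" standard, resolve duplicates with a numeric
# suffix, and keep it within the 20-character pre-Windows 2000 logon name limit.
function New-SamAccountName {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        # Set of names already in use; in production fill this from Get-ADUser.
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$ExistingNames,
        [string]$NetBiosDomain = 'CORP',             # assumed placeholder
        [string]$UpnSuffix     = 'corp.example.com'  # assumed placeholder
    )
    $maxLength = 20   # pre-Windows 2000 (sAMAccountName) limit for user accounts

    # Keep only letters and digits so the name contains no characters that
    # sAMAccountName forbids, then lower-case it (the attribute is case-insensitive).
    $initial = ($FirstName -replace '[^A-Za-z0-9]', '').ToLower()
    $last    = ($LastName  -replace '[^A-Za-z0-9]', '').ToLower()
    if (-not $initial -or -not $last) { throw 'First and last name must contain a letter or digit.' }

    $base = "$($initial.Substring(0, 1)).$last"
    if ($base.Length -gt $maxLength) { $base = $base.Substring(0, $maxLength) }

    # Append 2, 3, ... until the name is unique, trimming the base so the
    # suffix never pushes the result past the limit.
    $candidate = $base
    $n = 1
    while ($ExistingNames.Contains($candidate)) {
        $n++
        $suffix  = [string]$n
        $keep    = [Math]::Min($base.Length, $maxLength - $suffix.Length)
        $candidate = $base.Substring(0, $keep) + $suffix
    }
    [void]$ExistingNames.Add($candidate)

    [pscustomobject]@{
        SamAccountName    = $candidate
        DownLevelLogon    = "$NetBiosDomain\$candidate"   # domain\username form
        UserPrincipalName = "$candidate@$UpnSuffix"       # username@domainname form
    }
}

# Constructed stand-in for the directory's existing usernames.
$existing = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
[void]$existing.Add('a.smith')

New-SamAccountName -FirstName 'John' -LastName 'Doe' -ExistingNames $existing
New-SamAccountName -FirstName 'Jane' -LastName 'Doe' -ExistingNames $existing
New-SamAccountName -FirstName 'Maximilian' -LastName 'Featherstonehaugh-Smythe' -ExistingNames $existing
```

With that starting set John Doe receives j.doe, Jane Doe collides with it and receives j.doe2, and the third name is cut to 20 characters. Because the function records each name it hands out, a batch run over a whole hiring list stays collision-free without a directory round trip per user.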