Accounts

Windows NT security requires users to be identified to the system. Therefore, each person who regularly uses the network must have a user account on a domain in the network. Guest access may be allowed for users without user accounts who need limited access to the network. User accounts are also subdivided into two types: global user accounts and local user accounts. Most or all user accounts you create will be global user accounts.

User Accounts

To identify users to the system, an administrator creates each user account by assigning it a user name. When this happens, Windows NT generates a security identifier (SID) for the new account. Each user account SID uniquely identifies the user, regardless of when or where the account was created. This information is stored in the Security Accounts Manager (SAM) database in the Windows NT Registry and includes such data as:

Each user account requires approximately 1K in the SAM. The database is located on the PDC for the domain or on a PDC in the master domain. The password information for the account is stored doubly encrypted for security purposes.

Regardless of the domain model selected, an administrator only needs to define a user account once. Windows NT Server 3.5/3.51 allows a user to maintain a single user account to gain access to the domain, including other servers in the domain. If trust relationships are established, that single user account can also gain access to servers in other domains that trust the account domain.

On a regular basis, the user account database is replicated between the PDC and all BDCs in the domain. The replication allows the logon process to be handled by the PDC or any BDC, which will increase throughput and help eliminate bottlenecks during the logon process.

Machine Accounts

When a workstation, server, or BDC is added to a domain, Windows NT generates an account for the machine name. The machine accounts serve various purposes, including linking BDCs with the PDC and pairing up the trusting and trusted domains. Each machine account requires approximately 0.5K in the SAM.