An individual who participates in a domain must have a user account to log on to the network and use domain resources, such as files, directories, and printers.
An administrator creates a user account by assigning a user name to an account, specifying the user's identification data, and defining the user's rights on the system. The account includes user information, group memberships, and security-policy information. Windows NT Server then assigns a unique security identifier (SID) to the new account.
Each SID is unique for all time. For example, suppose Sally, who has a Windows NT account, leaves her job at a company but later returns to a different job at the same company. When Sally leaves, the administrator deletes her account, and Windows NT no longer accepts her security ID as valid. When Sally returns, the administrator creates a new account, and Windows NT generates a new security ID for that account. The new security ID does not match the old one, so nothing from the old account is transferred to the new account.
When a user logs on, Windows NT creates a security-access token. The token includes a security ID for the user, other security IDs for the groups to which the user belongs, and other information, such as the user's name and the names of the groups to which that user belongs. Every process that runs on behalf of this user will have a copy of his or her access token. For example, when Sally starts Notepad, the Notepad process receives a copy of Sally's access token.
Windows NT refers to the security IDs within a user's access token when he or she tries to access an object. The security IDs are compared to the list of access permissions for the object to ensure that the user has sufficient permission to access the object.
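The following is an added, deliberately simplified Python model of what the preceding paragraphs describe (it is not Windows NT code and omits deny entries, inheritance and canonical ACL ordering): a domain that never reuses a RID, a token carrying the user and group SIDs, and an access check that compares those SIDs with an object's permission list. The domain SID and the `Domain`, `AccessToken`, `Ace` and `access_check` names are constructed for the example; `S-1-5-32-545` is the well-known Builtin\Users SID.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessToken:
    """What the text says a token carries: the user's SID, group SIDs, and names."""
    user_name: str
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids

@dataclass(frozen=True)
class Ace:
    """One entry in an object's permission list: a SID and the rights it grants."""
    sid: str
    rights: frozenset

class Domain:
    """Hands out SIDs with a forward-only RID counter, modelling 'unique for all time'."""
    def __init__(self, domain_sid):
        self.domain_sid, self.next_rid, self.accounts = domain_sid, 1000, {}

    def create_account(self, name, groups=()):
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1            # never reused, even after a deletion
        self.accounts[name] = (sid, frozenset(groups))
        return sid

    def delete_account(self, name):
        del self.accounts[name]       # the old SID is simply no longer accepted

    def logon(self, name):
        sid, groups = self.accounts[name]
        return AccessToken(name, sid, groups)

def access_check(token, acl, requested):
    """Grant only if entries matching some SID in the token cover every requested right."""
    granted = set()
    for ace in acl:
        if ace.sid in token.sids():
            granted |= ace.rights
    return requested <= granted

def sally_scenario():
    domain = Domain("S-1-5-21-111-222-333")            # constructed domain SID
    old_sid = domain.create_account("sally", groups={"S-1-5-32-545"})
    acl = [Ace(old_sid, frozenset({"read", "write"}))]  # file permitting Sally's first SID
    before = access_check(domain.logon("sally"), acl, {"read"})
    domain.delete_account("sally")
    new_sid = domain.create_account("sally", groups={"S-1-5-32-545"})
    notepad_token = domain.logon("sally")   # a process started by Sally gets a copy of her token
    after = access_check(notepad_token, acl, {"read"})
    return old_sid, new_sid, before, after
```

Running `sally_scenario()` shows the recreated account receiving a different SID and therefore losing access that the old SID had been granted.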
For more information about access tokens, see Chapter 6, "Windows NT Security Model," in the Microsoft Windows NT Workstation 4.0 Resource Guide.