For more information, see Security Principals. A security principal is represented by a unique security identifier (SID). The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. On an Active Directory domain controller, each default local account is referred to as a security principal.

For more information, see Active Directory Security Groups. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications.

Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory accounts provide access to network resources. In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations.

After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource.

Audit the actions that are carried out on a user account.

A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.

Authorize (grant or deny) access to resources.

Multiple users are not allowed to share one account.
It is a best practice to assign each user to a single account to ensure maximum security.

Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password).

Primarily, default local accounts do the following:

The following sections describe the default local accounts and their use in Active Directory. The HelpAssistant account is installed when a Remote Assistance session is established. The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. It is a best practice to keep the default local accounts in the Users container and not attempt to move these accounts, for example, to a different organizational unit (OU). After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller.
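One way to check the best practice above, that the default local accounts remain in the Users container, shown as an added example that is not part of the original topic. It assumes the ActiveDirectory PowerShell module (RSAT) and finds the accounts by their well-known relative identifiers (500, 501, 502), which this page does not list; the function name is hypothetical.

```powershell
# Added example (not from the original topic): report where the default
# local accounts currently live and whether that is the Users container.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-DefaultAccountLocation {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Server   # optional: domain or domain controller to query
    )

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $domain         = Get-ADDomain @common
    $usersContainer = $domain.UsersContainer   # DN of the Users container

    # Accounts can be renamed, so look them up by well-known RID, not by name.
    $wellKnown = @(
        @{ Rid = 500; Name = 'Administrator' },
        @{ Rid = 501; Name = 'Guest' },
        @{ Rid = 502; Name = 'KRBTGT' }
    )

    foreach ($entry in $wellKnown) {
        $sid = '{0}-{1}' -f $domain.DomainSID.Value, $entry.Rid
        try {
            $user = Get-ADUser -Identity $sid @common -ErrorAction Stop
        } catch {
            [pscustomobject]@{ DefaultName = $entry.Name; Sid = $sid; Found = $false }
            continue
        }
        # Parent container = distinguished name without its first RDN
        # (split on the first comma that is not backslash-escaped).
        $parent = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            DefaultName      = $entry.Name
            CurrentName      = $user.SamAccountName
            Sid              = $sid
            Found            = $true
            Enabled          = $user.Enabled
            Container        = $parent
            InUsersContainer = ($parent -eq $usersContainer)
        }
    }
}

Test-DefaultAccountLocation | Format-Table -AutoSize
```

A row with `InUsersContainer` set to `False` or `Found` set to `False` is worth reviewing against the guidance above.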
These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server. These default local accounts have counterparts in Active Directory.
Restrict administrator logon access to servers and workstations
Disable the account delegation right for administrator accounts

Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created.

Separate administrator accounts from user accounts
Create dedicated workstation hosts without Internet and email access
Restrict and protect sensitive domain accounts
Manage default local accounts in Active Directory
Settings for default local accounts in Active Directory
HelpAssistant account (installed with a Remote Assistance session)

About this topic

Default local accounts in Active Directory

For more information, see Local Accounts. This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client.
This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory. In addition, you can create user accounts to meet the requirements of your organization. Windows Server operating systems are installed with default local accounts.