| Name | Description |
|---|---|
| Null Authority | An identifier authority. |
| Nobody | No security principal. |
| World Authority | An identifier authority. |
| Everyone | A group that includes all users, even anonymous users and guests (Windows 2000 behavior; from Windows XP and Windows Server 2003 on, anonymous logons are not members of Everyone by default). Membership is controlled by the operating system. |
| Local Authority | An identifier authority. |
| Creator Authority | An identifier authority. |
| Creator Owner | A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's current owner. |
| Creator Group | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner. The primary group is used only by the POSIX subsystem. |
| Creator Owner Server | [SID not used in Windows 2000.] |
| Creator Group Server | [SID not used in Windows 2000.] |
| Nonunique Authority | An identifier authority. |
| NT Authority | An identifier authority. |
| Dialup | A group that implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. |
| Network | A group that implicitly includes all users who are logged on through a network connection. Membership is controlled by the operating system. |
| Batch | A group that implicitly includes all users who have logged on through a batch queue facility such as Task Scheduler jobs. Membership is controlled by the operating system. |
| Interactive | A group that includes all users who have logged on interactively. Membership is controlled by the operating system. |
| Logon Session | A logon session. The two trailing sub-authority values (X and Y) of these SIDs uniquely identify a particular logon session. |
| Service | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. |
| Anonymous | A user who has logged on anonymously. |
| Proxy | [SID not used in Windows 2000.] |
| Enterprise Controllers | A group that includes all domain controllers in an Active Directory forest of domains. Membership is controlled by the operating system. |
| Principal Self (or Self) | A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object. |
| Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. |
| Restricted Code | [SID reserved for future use.] |
| Terminal Server Users | A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system. |
| Local System | A service account that is used by the operating system. |
| Administrator | A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group. |
| Guest | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
| KRBTGT | A service account that is used by the Key Distribution Center (KDC) service. |
| Domain Admins | A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. |
| Domain Users | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically. |
| Domain Guests | A global group that, by default, has only one member, the domain's built-in Guest account. |
| Domain Computers | A global group that includes all computers that have joined the domain, excluding domain controllers. |
| Domain Controllers | A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically. |
| Cert Publishers | A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. |
| Schema Admins | A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. |
| Enterprise Admins | A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. |
| Group Policy Creators Owners | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own. |
| RAS and IAS Servers | A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. |
| Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group is also added to the Administrators group. The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group. |
| Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. |
| Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. |
| Power Users | A built-in group. By default, the group has no members. This group does not exist on domain controllers. Power Users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power Users also can install most applications; create, manage, and delete local printers; and create and delete file shares. |
| Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. |
| Server Operators | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. |
| Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. |
| Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. Because the backup and restore privileges bypass file permissions, membership in this group should be treated as equivalent to administrative access to the computer's data. |
| Replicators | Not used in Windows 2000. In Windows NT domains, it is a built-in group used by the File Replication service on domain controllers. |
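Several rows above (Everyone, Authenticated Users, Interactive, Network, Batch, Service, Logon Session) describe groups whose membership is "controlled by the operating system": the SIDs are added to a logon token by the system according to how the logon happened, not by any group-membership list. The following PowerShell script, added here as an example and not part of the original reference table, inspects the current process token and shows which of its group SIDs are well-known, which logon-type groups the token is in, and which SID is the token's logon session. It assumes a Windows host running PowerShell 5 or later; no domain is required.

```powershell
# Added example: inspect the current token for well-known, OS-controlled group SIDs.
# Not part of the original table. Assumes Windows PowerShell 5+ or PowerShell 7 on Windows.
using namespace System.Security.Principal

$identity  = [WindowsIdentity]::GetCurrent()
$principal = [WindowsPrincipal]::new($identity)

# Map a SID to the WellKnownSidType it matches, if any. IsWellKnown() is a
# structural check (authority + RIDs), so it works for SIDs the machine cannot
# translate to a name, such as a Logon Session SID.
$allTypes = [enum]::GetValues([WellKnownSidType])
function Get-WellKnownSidType {
    param([SecurityIdentifier] $Sid)
    foreach ($type in $allTypes) {
        try { if ($Sid.IsWellKnown($type)) { return $type } } catch { }
    }
    return $null
}

"== Groups in the token of $($identity.Name) =="
$identity.Groups | ForEach-Object {
    $sid  = $_
    $name = try { $sid.Translate([NTAccount]).Value } catch { '(unresolvable)' }
    [pscustomobject]@{
        Name      = $name
        Sid       = $sid.Value
        WellKnown = Get-WellKnownSidType -Sid $sid
    }
} | Format-Table -AutoSize

# Logon-type groups from the table. Exactly which of these are present depends on
# how this session was started (console, RDP, scheduled task, service, SMB, ...).
"== Logon-type group membership (decided by the OS, not by a group list) =="
$logonGroups = [ordered]@{
    'Everyone'            = [WellKnownSidType]::WorldSid
    'Authenticated Users' = [WellKnownSidType]::AuthenticatedUserSid
    'Interactive'         = [WellKnownSidType]::InteractiveSid
    'Network'             = [WellKnownSidType]::NetworkSid
    'Batch'               = [WellKnownSidType]::BatchSid
    'Service'             = [WellKnownSidType]::ServiceSid
    'Anonymous'           = [WellKnownSidType]::AnonymousSid
}
foreach ($entry in $logonGroups.GetEnumerator()) {
    $sid = [SecurityIdentifier]::new($entry.Value, $null)   # non-domain SIDs take $null
    '{0,-20} {1}' -f $entry.Key, $principal.IsInRole($sid)
}

# The Logon Session SID: its last two sub-authority values identify this session.
"== Logon Session SID in this token =="
$identity.Groups | Where-Object { $_.IsWellKnown([WellKnownSidType]::LogonIdsSid) } |
    ForEach-Object { $_.Value }
```

Run the same script from a console window, from an RDP session, from a scheduled task and from a service, and the Interactive, Network, Batch and Service lines flip without any change to the account's group memberships; `whoami /groups` shows the same SIDs with the type "Well-known group". That is the practical meaning of "membership is controlled by the operating system": you cannot grant or revoke these memberships through account management, only by changing how the principal logs on.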
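The Creator Owner row describes a placeholder SID that exists only in inheritable ACEs and is replaced on inheritance by the child object's owner SID; the Administrators and Domain Admins rows add that objects created by members of those groups are owned by the group rather than by the user. The script below, added here as an example and not taken from the original table, sets up such an ACE on a scratch directory and then creates a file and a subdirectory beneath it so the resolution can be observed. It assumes a writable NTFS volume; the directory name under `$env:TEMP` is an arbitrary choice.

```powershell
# Added example: watch the CREATOR OWNER placeholder resolve on inheritance.
# Not part of the original table. Assumes an NTFS volume and PowerShell 5+ on Windows.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$dir = Join-Path $env:TEMP ('creator-owner-demo-' + [guid]::NewGuid())   # arbitrary scratch path
New-Item -ItemType Directory -Path $dir | Out-Null

# Inheritable ACE: CREATOR OWNER gets FullControl on everything created beneath $dir.
# InheritOnly means the ACE grants nothing on $dir itself; it exists only to propagate.
$creatorOwner = [SecurityIdentifier]::new([WellKnownSidType]::CreatorOwnerSid, $null)
$rule = [FileSystemAccessRule]::new(
    $creatorOwner,
    [FileSystemRights]::FullControl,
    [InheritanceFlags]'ContainerInherit, ObjectInherit',
    [PropagationFlags]::InheritOnly,
    [AccessControlType]::Allow)
$acl = Get-Acl -Path $dir
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

"== Parent: the placeholder is stored as-is =="
(Get-Acl $dir).Access |
    Where-Object { $_.IdentityReference.Value -like '*CREATOR OWNER*' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize

# A file is a leaf object: the inherited copy is stamped with the owner's SID and no
# placeholder remains, because a file cannot carry inheritable ACEs.
$file = Join-Path $dir 'child.txt'
Set-Content -Path $file -Value 'constructed sample content'
$fileAcl = Get-Acl $file
"== Child file, owner = $($fileAcl.Owner) =="
$fileAcl.Access | Where-Object IsInherited |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# A subdirectory is a container: it receives BOTH the resolved ACE (owner SID, effective)
# and an inherit-only copy of the placeholder so that grandchildren are handled the same way.
$sub = Join-Path $dir 'subdir'
New-Item -ItemType Directory -Path $sub | Out-Null
$subAcl = Get-Acl $sub
"== Child directory, owner = $($subAcl.Owner) =="
$subAcl.Access | Where-Object IsInherited |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize

Remove-Item -Recurse -Force $dir
```

Run as an ordinary user, the owner shown for the child objects is that user's own account and the resolved ACE carries that account's SID. Run from an elevated session, the owner can instead be BUILTIN\Administrators, exactly as the Administrators row states; on current Windows versions that behavior depends on the policy "System objects: Default owner for objects created by members of the Administrators group", so the resolved ACE follows whichever principal the system recorded as owner, not the interactive user. That distinction matters when auditing ACLs: a CREATOR OWNER entry on a container tells you nothing about who can access its children until you know who will own them.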