Skip to main content

Security Principals

User accounts and computer accounts (as well as groups) are also referred to as security principals.

A security principal is an account holder that is automatically assigned a security identifier (SID) to control access to resources. A security principal can be a user, group, service or computer. Security principals are directory objects that are automatically assigned security IDs (SIDs)

A Security ID (SID) is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Window refer to an account's SID rather than the account's user or group name to access domain resources.

A user or computer account is used to:

  • authenticate the identity of a user or computer. A user account enables a user to log on to computers and domains with an identity that can be authenticated by the domain. Each user who logs on to the network should have his or her own unique user account and password. To maximize security, you should avoid multiple users sharing one account.
  • authorise or deny access to domain resources. Once the user has been authenticated, the user is authorized or denied access to domain resources based on the explicit permissions assigned to that user on the resource.

Explicit permissions are object permissions that are defined when the object is created, specifically assigned, or changed by the owner of the object.

Active Directory creates a foreign security principal object in the local domain to represent each security principal from a trusted external domain.

Auditing is the process that tracks the activities of users by recording selected types of events in the security log of a server or a workstation.

Next: User Accounts