Figure 5-1 Local and domain user accounts (panels: Local user, Domain user)
User accounts created in Active Directory are referred to as domain user accounts. Generally,
these accounts enable users to log on to any computer that's a domain member in the Active
Directory forest. They also provide single sign-on access to domain resources in the forest and
other trusted entities to which the account has permission. Domain user accounts can be
managed by group policies and are subject to account policies linked to the domain.
Built-in user accounts include the Administrator and Guest accounts created during
Windows installation. They can be local or domain user accounts, depending on whether they're
stored in the computer's SAM database or in Active Directory. Built-in accounts have the same
qualities as regular local or domain accounts, except they can't be deleted. When Active
Directory is installed on a Windows Server 2008 computer, the Administrator and Guest
accounts are converted from local user to domain user accounts. These accounts require special
handling because they are the two accounts present on every Windows computer.
The following guidelines apply to the built-in Administrator account:
• The local Administrator account has full access to all aspects of a computer, and the
domain Administrator account has full access to all aspects of the domain.
• Because the Administrator account is created on every computer and domain, it should be
renamed and given a very strong password to increase security. With these measures in
place, a user attempting to gain unauthorized access has to guess not only the
administrator's password, but also the logon name.
• The Administrator account should be used to log on to a computer or domain only when
performing administrative operations is necessary. Network administrators should use a
regular user account for logging on to perform nonadministrative tasks.
• The Administrator account can be renamed or disabled but can't be deleted.
The following guidelines apply to the built-in Guest account:
• After Windows installation, the Guest account is disabled by default and must be enabled
by an administrator before it can be used to log on.
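
One way to check a computer against the Administrator and Guest guidelines above, as an added PowerShell example that is not part of the original text. The function name Test-BuiltInAccount is hypothetical and the sample SIDs are constructed; the built-in accounts are matched by the well-known last SID component (500 for Administrator, 501 for Guest), which stays the same after a rename.

```powershell
# Added example: check built-in accounts against the guidelines above
# (Administrator renamed or disabled, Guest left disabled).
function Test-BuiltInAccount {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] [object[]] $Account)

    foreach ($a in $Account) {
        # The last SID component (RID) identifies the built-in accounts:
        # 500 = Administrator, 501 = Guest.
        $rid = ($a.SID -split '-')[-1]
        if ($rid -ne '500' -and $rid -ne '501') { continue }

        $role = if ($rid -eq '500') { 'Administrator' } else { 'Guest' }
        $finding = 'OK'
        if ($rid -eq '500' -and -not $a.Disabled -and $a.Name -eq 'Administrator') {
            $finding = 'Enabled and still using the default logon name; rename it'
        }
        elseif ($rid -eq '501' -and -not $a.Disabled) {
            $finding = 'Guest is enabled; it is disabled by default'
        }

        New-Object PSObject -Property @{
            BuiltIn = $role; Name = $a.Name; Disabled = $a.Disabled; Finding = $finding
        } | Select-Object BuiltIn, Name, Disabled, Finding
    }
}

# Constructed sample records (made-up SIDs) with the Name, SID and Disabled
# properties that Win32_UserAccount exposes.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    New-Object PSObject -Property @{ Name = 'Administrator'; SID = "$sid-500";  Disabled = $false }
    New-Object PSObject -Property @{ Name = 'Guest';         SID = "$sid-501";  Disabled = $false }
    New-Object PSObject -Property @{ Name = 'jsmith';        SID = "$sid-1001"; Disabled = $false }
)

Test-BuiltInAccount -Account $sample | Format-Table -AutoSize

# On a live member computer, pass the local accounts instead:
# Test-BuiltInAccount -Account (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")
```

Password strength cannot be read from the account record, so that part of the guideline still has to be enforced through account policy.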
 