User accounts are created and stored as objects in Active Directory®. User accounts can be used by human users or programs such as Win32 services use to log on to a computer. When a user logs on, the system verifies the user's password by comparing it with information stored in the user's user object in Active Directory. If the password is authenticated (that is, the password presented matches the password stored in the user object), the system produces an access token. An access token is an object that describes the security context of a process or thread. The information in a token includes the security identity and group memberships of the user account associated with the process or thread. Every process executed on behalf of this user has a copy of this access token.
Each user or application that accesses resources in a Windows® 2000 domain must have an account in Active Directory. Windows 2000 uses this user account to verify that the user or application has permission to use a resource.
A user account can be used to do the following:
Groups can contain members, which are references to users and other groups. Groups can also be used to control access to shared resources. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a group rather than to the individual users. The permissions are assigned once to the group, instead of several times to each individual user. This helps simplify the maintenance and administration of a network.
Both users and contacts can be used to represent human users. However, a user is a security principal; a contact is not.
A user can be used to enable a human user to log on and access shared resources.
A contact is used only for distribution list and e-mail purposes. However, a contact can contain most of the information stored in a user object such as address, phone numbers, and so on — since both user and contact are derived from the person classSchema object. A contact has no security context; therefore, a contact cannot be used to control access to shared resources and cannot be used to log on to a computer.
The computer object class inherits from the user object class. A computer object represents a computer; however, the computer and the computer's local services often require access to the network and shared resources. When the computer accesses shared resources (not the user logged on to the computer), it needs an access token just as a human user logged on as a user does. When a computer accesses the network, it uses an access token containing the security identifier for the computer's computer account and the groups that account is a member of.
A service can run in the context of LocalSystem or a specific service account. On computers running Windows 2000, a service that runs in the context of the LocalSystem account uses the credentials of the computer.