
Assessing User Resource Access Failures



Windows NT’s security system controls access to network resources through user and machine accounts. Your logon to a particular domain is validated by a domain controller and provides you with certain privileges and rights that are registered in the Security Accounts Manager (SAM) database.

When you log on to Windows NT, the system provides a Security Access Token (SAT) based on your user name and password. This SAT is a key that enables you to access objects that Windows NT manages by maintaining a Security Descriptor (SD) file. That SD file contains the access control list (ACL) for each resource.

Two types of accounts are created and managed in Windows NT: machine accounts and user accounts. Both types of accounts are stored in the Security Accounts Manager (SAM) database, which resides on the primary domain controller (PDC) and is replicated to any backup domain controllers (BDCs) on the system. Accounts are assigned an internally held System Identification number (SID).

You create and manage accounts in the User Manager for Domains. Log on as an administrator so that you can fully access accounts for machines and different users. Other levels of users also have privileges, but what they can do is more limited. An account is specified by the machine and user name, as in <computername>\<username>.

A group is an account that contains other accounts. Every computer contains a Users group to which all user accounts belong. There is also a Guest group that allows limited privileges to users who log in without a password (if you allow it).

The logon provides the definition of your group membership and other properties assigned to you. A group is a set of users, and possibly other groups, that are given the same access rights to resources. Access privileges are cumulative. Local groups can be created to provide control over resource access. Windows NT also comes with some pre-built global groups that are available system-wide. You can also define additional global groups. Users, groups, and domains offer a flexible system for managing resource access through security settings that you make either in the file system or on your desktop for various system objects.
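The cumulative-access rule described above, as an added Python sketch that is not from the original text: it builds a token from nested group membership and combines every matching ACL entry. All account, group and right names are constructed, and the "No Access" override is standard Windows NT behavior that this page does not itself cover.

```python
# Added illustration: a simplified model of NT-style access evaluation.
# Every account, group and right below is constructed sample data.
READ, WRITE, DELETE = 1, 2, 4
NO_ACCESS = "NO_ACCESS"  # NT's "No Access" permission (assumption: not described on this page)

# group -> direct members (users or other groups); constructed
GROUPS = {
    "Users": {"alice", "bob"},
    "Domain Accounting": {"alice"},
    "Accounting Local": {"Domain Accounting"},  # a group that contains another group
    "Contractors": {"bob"},
}

def build_token(user):
    """Return the identities carried by the user's access token:
    the user plus every group reached directly or through nested groups."""
    token = {user}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token

def effective_access(token, acl):
    """Combine every ACL entry that matches the token.
    Grants accumulate (bitwise OR); a matching No Access entry overrides them all."""
    granted = 0
    for account, rights in acl:
        if account not in token:
            continue
        if rights == NO_ACCESS:
            return 0
        granted |= rights
    return granted

def can(user, acl, wanted):
    """True if the user's cumulative rights include every bit in `wanted`."""
    return (effective_access(build_token(user), acl) & wanted) == wanted

# Constructed ACL for a shared folder
LEDGER_ACL = [
    ("Users", READ),
    ("Accounting Local", WRITE),
    ("Contractors", NO_ACCESS),
]
```

When a user reports an access failure, comparing the groups in their token against the resource's ACL in this way shows whether a grant is missing or an explicit denial is in effect.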


Further Information