User Accounts and Groups

In Windows NT and Windows 2000, users can be members of groups. A group is a collection of user accounts. By making a user account a member of a group, you give that user all the rights and permissions granted to the group. Also, note that groups can be members of other groups.

Information about user accounts and groups is held in a user account database. The database is called the Security Accounts Manager (SAM) database in Windows NT 4, Windows 2000 Professional, and Windows 2000 Server running without Active Directory. The SAM is a file stored in the Registry, which is implemented as files in the %windir%\system32\config directory.

When Active Directory is installed, the user and group account information is stored in the Active Directory itself as User and Group objects. These objects can be accessed by using the Active Directory administration tools as well as the Active Directory Services Interface (ADSI). Information regarding ADSI and how to remotely administer security can be found in Chapter 13, "Security Administration with ADSI, WMI, and COM+."

A Note on Passwords

Users can log on to Windows 2000 by using their user account name and a password. Passwords are limited to 14 characters in Windows NT; this limit is increased to 127 characters in Windows 2000 when Active Directory is installed. It's therefore recommended that sensitive accounts, such as administrative accounts, take advantage of this security enhancement. See Appendix B, "Strong Passwords," for more information on how to enforce strong passwords and how to remember them.