Default User Accounts and Groups

When you install Windows Server 2003, the operating system installs default users and groups. These accounts are designed to provide the basic setup necessary to grow your network. Three types of default accounts are provided:
Note: Although you can modify the default users and groups, you can't delete default users and groups created by the operating system. The reason you can't delete these accounts is that you wouldn't be able to recreate them. The SIDs of the old and new accounts wouldn't match, and the permissions and privileges of these accounts would be lost.

Built-In User Accounts

Built-in user accounts have special purposes in Windows Server 2003. All Windows Server 2003 systems have three built-in user accounts:
When you install add-ons or other applications on a server, other default accounts might be installed. You can usually delete these accounts. When you install IIS, you might find several new accounts, including IUSR_hostname and IWAM_hostname, where hostname is the computer name. The IUSR_hostname account is the built-in account for anonymous access to IIS. IIS uses the IWAM_hostname account to start out-of-process applications. These accounts are defined in Active Directory when they're configured on a domain. However, they're defined as local users when they're configured on a stand-alone server or workstation. Another built-in account that you might see is TSInternetUser. This account is used by Terminal Services.

Predefined User Accounts

Several predefined user accounts are installed with Windows Server 2003: Administrator, ASPNET, Guest, and Support. With member servers, predefined accounts are local to the individual system they're installed on. Predefined accounts have counterparts in Active Directory. These accounts have domain-wide access and are completely separate from the local accounts on individual systems.

The Administrator Account

Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions. See Chapter 13, "Managing Files and Folders."

Security Alert: To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows account, you might want to rename the account as an extra security precaution.
If you rename the original Administrator account, you might also want to create a dummy Administrator account. This dummy account should have no permissions, rights, or privileges, and you should disable it. In most instances you won't need to change the basic settings for this account. However, you might need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, and Schema Admins. You'll find more information on these groups in the next section.
The ASPNET Account

The ASPNET account is used by the built-in .NET Framework and is designed so that the account can run ASP.NET worker processes. The account is a member of the Domain Users group and as such has all the same privileges as ordinary users in the domain.

The Guest Account

Guest is designed for users who need one-time or occasional access. Although guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system to potential security problems. The risk is so great that the account is initially disabled when you install Windows Server 2003. The Guest account is a member of Domain Guests and Guests by default. It is important to note that the Guest account, like all other named accounts, is also a member of the implicit group Everyone. The Everyone group typically has access to files and folders by default. The Everyone group also has a default set of user rights.

Security Alert: If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution.

The Support Account

The Support account is used by the built-in Help And Support service. The account is a member of the HelpServicesGroup and Domain Users. The account has the right to log on as a batch job. This user rights assignment allows the Support account to execute batch updates.

Security Alert: The Support account is denied the right to log on locally (other than as a batch job) and is also denied the right to log on to the computer over the network. These restrictions are important to ensure that system security isn't compromised.

Built-In and Predefined Groups

Built-in groups are installed with all Windows Server 2003 systems. Use built-in and predefined groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group.
For example, you give a user administrative access to the system by making the user a member of the local Administrators group. You give a user administrative access to the domain by making the user a member of the domain local Administrators group in Active Directory.

Implicit Groups and Special Identities

In Windows NT, implicit groups were assigned implicitly during logon and were based on how a user accessed a network resource. For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group called Interactive. In Windows 2000 and Windows Server 2003, the object-based approach to the directory structure changes the original rules for implicit groups. Although you still can't view the membership of special identities, you can grant membership in implicit groups to users, groups, and computers. To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership can be set implicitly, such as during logon, or explicitly through security access permissions. As with other default groups, the availability of a specific implicit group depends on the current configuration. Use Table 8-2 to determine the availability of the various implicit groups. Implicit groups are discussed later in this chapter.

Table 8-2. Availability of Implicit Groups Based on the Type of Network Resource
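The account and group guidance above (rename the well-known Administrator account, keep a disabled decoy, leave Guest disabled, keep service accounts such as ASPNET, Support, IUSR_hostname and IWAM_hostname out of privileged groups, and treat local Administrators membership as administrative access to the host) can be verified from the console. The following PowerShell script is an added example written for this page; it is not from the book or from Microsoft. It assumes PowerShell is installed on the server (it was a separate download for Windows Server 2003) and that it is run locally by an administrator. It relies on two facts the text states only indirectly: the built-in Administrator and Guest accounts keep their SIDs no matter how they are renamed, and those SIDs end in the well-known relative identifiers 500 and 501. The book names the Support account simply "Support"; on a real system the account name carries a suffix, so the script matches it with a wildcard.

```powershell
# Added example, not from the book: audit the default accounts described in the
# text and the local Administrators group, from the defender's side.
# Assumes PowerShell with WMI and ADSI available, run locally as an administrator.
# Well-known RIDs: 500 = built-in Administrator, 501 = built-in Guest.

$computer = $env:COMPUTERNAME
$local    = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True"
$findings = @()

# 1. Identify the real Administrator and Guest by RID, not by name. Renaming
#    changes the name but never the SID, which is exactly why the text says the
#    default accounts cannot be deleted and recreated with the same identity.
$builtinAdmin = $local | Where-Object { $_.SID -like '*-500' }
$builtinGuest = $local | Where-Object { $_.SID -like '*-501' }

if ($builtinAdmin -and $builtinAdmin.Name -eq 'Administrator') {
    $findings += 'RID-500 account still carries the well-known name Administrator (text suggests renaming it).'
}

# A decoy named Administrator that is NOT RID 500 should exist only disabled.
$decoy = $local | Where-Object { $_.Name -eq 'Administrator' -and $_.SID -notlike '*-500' }
if ($decoy -and -not $decoy.Disabled) {
    $findings += 'Decoy Administrator account is enabled; the text says it should be disabled.'
}

if ($builtinGuest -and -not $builtinGuest.Disabled) {
    $findings += 'Guest (RID 501) is enabled; it ships disabled and should stay that way unless needed.'
}

# 2. Other default accounts named in the text. Their presence is expected; what
#    deserves review is an unexpected enabled state or group membership.
$serviceAccounts = $local | Where-Object {
    $_.Name -eq 'ASPNET' -or $_.Name -like 'SUPPORT*' -or
    $_.Name -like 'IUSR_*' -or $_.Name -like 'IWAM_*' -or $_.Name -eq 'TSInternetUser'
}
Write-Host 'Default service and support accounts present on this host:'
$serviceAccounts | Select-Object Name, Disabled, PasswordRequired, SID | Format-Table -AutoSize

# 3. Enumerate the local Administrators group. Membership here is full control
#    of the host, so every entry should be known and justified.
$group   = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    # Each member is a COM object; ADsPath looks like WinNT://DOMAIN/Name
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
Write-Host "Members of $computer\Administrators:"
$members | ForEach-Object { Write-Host "  $_" }

# Guest and the service accounts from the text have no business in Administrators.
foreach ($m in $members) {
    if ($m -match '/(Guest|ASPNET|SUPPORT[^/]*|IUSR_[^/]*|IWAM_[^/]*|TSInternetUser)$') {
        $findings += "Guest or service account is a member of Administrators: $m"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Checking by RID rather than by name is the point of the first section: a renamed Administrator still shows up, and a decoy account with the well-known name is recognised as a decoy because its SID does not end in 500. For the domain-level counterparts described in the text, the same checks apply to the Domain Admins and domain local Administrators groups in Active Directory rather than to the local SAM.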