What Is a Trustee?


When you log on to a machine running Windows, you typically type in your username and a password. This username identifies an account that represents you to the system. Accounts such as this are generally referred to as user accounts.

User accounts maintain a set of information about a user, such as name, password (or credentials), comments, and address. Two critical items stored with a user account are a list of the user's privileges on the system and a digital identity—referred to as a security identifier, or SID (pronounced "sid")—that the system uses to identify the account when securing objects and private data. A SID is a variable-length binary structure that identifies a trustee account. (Privileges and SIDs will be discussed in detail later in this chapter.) A third and similarly important piece of information associated with a user account is a list of groups of which the user is a member.
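To make the "variable-length binary structure" concrete, here is an added example (not code from the book) that decodes the in-memory SID layout into the familiar `S-R-IA-S1-S2-...` string form. It assumes the documented layout: a revision byte, a sub-authority count byte, a 48-bit big-endian identifier authority, then one little-endian 32-bit sub-authority per count. The sample byte arrays are constructed by hand from two well-known SIDs; a deliberately truncated buffer shows why code that consumes a SID must check the buffer length against the sub-authority count rather than trust the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on sub-authorities (matches SID_MAX_SUB_AUTHORITIES in Win32). */
#define SID_MAX_SUB_AUTHORITIES 15

/* Decode a binary SID into its string form.
 *   byte 0     : revision (always 1)
 *   byte 1     : number of sub-authorities (0..15)
 *   bytes 2..7 : 48-bit identifier authority, big-endian
 *   then N x 4 : sub-authorities, each little-endian 32-bit
 * Returns the string length on success, or -1 if the buffer is malformed
 * (bad revision, too many sub-authorities, or length not matching the count). */
int sid_to_string(const unsigned char *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8) return -1;                       /* header alone is 8 bytes */
    unsigned revision = sid[0];
    unsigned subcount = sid[1];
    if (revision != 1 || subcount > SID_MAX_SUB_AUTHORITIES) return -1;
    if (len != 8 + 4 * (size_t)subcount) return -1; /* length must match count */

    uint64_t authority = 0;                       /* 6 bytes, big-endian */
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid[2 + i];

    int n = snprintf(out, outlen, "S-%u-%llu", revision,
                     (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return -1;

    for (unsigned i = 0; i < subcount; i++) {
        const unsigned char *p = sid + 8 + 4 * i; /* little-endian DWORD */
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* Convenience check: does the binary SID decode to exactly this string?
 * Returns 1 on match, 0 on mismatch or malformed input. */
int sid_matches(const unsigned char *sid, size_t len, const char *expected)
{
    char buf[256];
    if (sid_to_string(sid, len, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* Constructed sample SIDs, hand-encoded from their well-known string forms. */
static const unsigned char SID_EVERYONE[] =           /* S-1-1-0 */
    { 0x01, 0x01, 0,0,0,0,0,0x01, 0x00,0x00,0x00,0x00 };
static const unsigned char SID_BUILTIN_ADMINS[] =     /* S-1-5-32-544 */
    { 0x01, 0x02, 0,0,0,0,0,0x05, 0x20,0x00,0x00,0x00, 0x20,0x02,0x00,0x00 };
/* Malformed: header claims two sub-authorities, buffer holds only one. */
static const unsigned char SID_TRUNCATED[] =
    { 0x01, 0x02, 0,0,0,0,0,0x05, 0x20,0x00,0x00,0x00 };

int main(void)
{
    char buf[256];
    if (sid_to_string(SID_EVERYONE, sizeof SID_EVERYONE, buf, sizeof buf) > 0)
        printf("Everyone          : %s\n", buf);
    if (sid_to_string(SID_BUILTIN_ADMINS, sizeof SID_BUILTIN_ADMINS, buf, sizeof buf) > 0)
        printf("BUILTIN\\Administrators: %s\n", buf);
    if (sid_to_string(SID_TRUNCATED, sizeof SID_TRUNCATED, buf, sizeof buf) < 0)
        printf("truncated buffer  : rejected as malformed\n");
    return 0;
}
```

On Windows itself the same conversion is provided by `ConvertSidToStringSid` in `sddl.h`, and `IsValidSid` performs the structural check; the hand-rolled decoder above exists only to show what those calls are looking at. The length check matters in practice: a SID read from a file or a network message may carry a sub-authority count larger than the bytes actually present, and indexing by the count alone reads past the buffer.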

The developers of Windows implemented group accounts in an effort to manage complexity. A group account contains a set of members that can be user accounts or global group accounts. A group account maintains similar information to a user account, such as system privileges and a SID. By simply assigning the user accounts to a group account, the security for a set of users can be managed in one place without having to make adjustments for each user.

User accounts and group accounts are trustees of a system. A trustee is an entity to which access can be denied or allowed in Windows. Some trustees exist implicitly in the system (such as the built-in group Everyone), others are created dynamically by the system (such as the logon SID discussed in more detail in Chapters 10 and 11), and still other trustees exist because accounts have been created for them. Users, groups, and computers are all trustees of Windows that have associated trustee accounts. All trustees share common functionality throughout the system, especially when dealing with access control (which is covered in the next chapter).

NOTE
User accounts and group accounts are members of a broader category called trustees. Because we are dealing primarily with user and group accounts in this chapter, unless otherwise specified, the terms trustee and trustee account are used to represent user and group accounts.

When access to or ownership of a file or some other system object is granted by the system, it is granted to a trustee account. When a privileged function is performed by the system, it is allowed because the privilege was granted to a trustee account. When a user is identified to the system, the user is identified by his or her trustee account and by the trustee accounts of the groups of which the user is a member. So as you can see, the trustee account is a key part of Windows security.

Before we jump into our discussion on programmatically administering user and group accounts, let's take a moment to look at the user interface for administering trustees of the system.


Programming Server-Side Applications for Microsoft Windows 2000 (Microsoft Programming)
ISBN: 0735607532
Year: 2000
Pages: 126