Before bringing this chapter to a close, I'd like to put the creation of trustee accounts in perspective. We've discussed how to create and destroy user and group accounts, as well as how to assign privileges to these accounts. Additionally, we explored the critical topic of security identifiers, or SIDs. However, you might still be wondering why your server software would need to create trustee accounts. After all, many server applications never create trustee accounts and never assign privileges to, or revoke them from, existing trustee accounts.
Here are a couple of reasons:
We'll be discussing the association between trustees and access rights of securable objects in the next chapter. Chapter 11 will talk about methods your server software can use to act on behalf of a client or any arbitrarily selected trustee account. You'll also learn ways to adjust the rights of an existing trustee by using a second trustee account.
As these topics unfold and you learn more creative ways to restrict and enhance access to objects using the various techniques available in the Windows environment, it is important to remember that, if necessary, your server software has the power to create trustee accounts. And as I discuss these topics in the next couple of chapters, I will point out cases where a trustee account created solely for use by your server software might be appropriate.