What Are User Accounts?

In Windows 2000 and later versions of Windows, access control depends on the system's ability to uniquely identify each user. A user account provides that unique identity.

Windows stores information about each user account in a protected database called the Security Accounts Manager (SAM). Although you're most likely to identify an account by its user name, Windows uses a variable-length value called a security identifier (SID) to track each account and its associated rights and permissions. When you create a user account, Windows assigns a unique SID to that account. In Windows 2000 and later versions of Windows, all SIDs begin with S-1. The remainder of the SID consists of groups of numbers that uniquely identify each account.

Windows represents accounts by their friendly names—FreeBooter or Administrator, for instance—and keeps track of the SID for each account in the background. However, if you look at the HKEY_USERS registry key, you can see the SIDs for all accounts on the current computer. The three short values are well-known SIDs that identify accounts common to all Windows installations; S-1-5-18 is the System account, for instance. The one much longer SID (the one without Classes at the end) represents the user account on this computer.


The SID created along with a new user account remains uniquely associated with that account until the account is deleted. After deleting an account, you cannot re-create that account and recover its permissions and other settings; if you create a new account with the same user name and password, Windows assigns a new SID to that account.
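The HKEY_USERS layout described above can be read mechanically. The following Python sketch is an added example, not part of the original tutorial: it splits a SID into its numeric groups and labels each subkey name. The sample key names are constructed, and the function names are illustrative.

```python
import re

# Well-known SIDs found under HKEY_USERS on every installation.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# Fixed relative IDs (last number group) of the two built-in accounts.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)


def parse_sid(text):
    """Split a string SID into revision, authority and sub-authorities."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = [int(p) for p in m.group(3).lstrip("-").split("-")]
    return {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "subauthorities": subs}


def classify_hku_key(key_name):
    """Describe one HKEY_USERS subkey name."""
    is_classes = key_name.lower().endswith("_classes")
    sid_text = key_name[:-len("_Classes")] if is_classes else key_name
    try:
        sid = parse_sid(sid_text)
    except ValueError:
        return "not a SID-named key"
    if sid_text.upper() in WELL_KNOWN:
        label = f"well-known: {WELL_KNOWN[sid_text.upper()]}"
    elif sid["authority"] == 5 and sid["subauthorities"][0] == 21:
        # S-1-5-21-<machine or domain id>-<RID>: an account SID.
        rid = sid["subauthorities"][-1]
        label = f"user account, RID {rid}"
        if rid in BUILTIN_RIDS:
            label += f" (built-in {BUILTIN_RIDS[rid]})"
    else:
        label = "other SID"
    return label + (" [per-user Classes hive]" if is_classes else "")


if __name__ == "__main__":
    # Constructed sample of HKEY_USERS subkey names.
    user = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    for key in ["S-1-5-18", "S-1-5-19", "S-1-5-20", user, user + "_Classes"]:
        print(f"{key:60} {classify_hku_key(key)}")
```
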


How to Find a User's Security Identifier (SID) in Windows

The wmic command didn't exist before Windows XP, so you'll have to use the registry method above in those older versions of Windows.

Follow these easy steps to display a table of usernames and their corresponding SIDs:

1. Open the Command Prompt by clicking Start Menu --> All Programs --> Accessories, right-click on Command Prompt, and open it as an administrator. In Windows Vista and later versions of the Windows operating system, type cmd.exe into the Start Screen or Start Menu, right-click on Cmd.exe, and open it as an administrator.

2. Type the following command into the Command Prompt and press the Enter key.

Code:

wmic useraccount get name,sid



If you know the username and would like to grab only that one user's SID, enter this command but replace USER with the username (keep the quotes):

Code:

wmic useraccount where name="USER" get sid



Want to see all the SIDs associated with your account? Execute the following command to list the name and SID of the currently logged-on user as well as the names and SIDs of all security groups to which that account belongs.

Code:

whoami /all | Find /i "S-1"



Fortunately, users are never required to know their SID. Users log on to a computer running Windows by providing their user name and (if one has been assigned) the password for the account.


Local and Domain Accounts

A stand-alone computer or a computer in a workgroup uses only local accounts. Each computer in the workgroup maintains its own SAM with local accounts for that computer only. Local accounts allow users to log on only to the computer on which the accounts are stored and allow access only to resources on that computer. Other users on your network can access resources on your computer only if they authenticate themselves using a local account.

By contrast, domain accounts are stored on a central computer called a domain controller. If your computer is joined to a domain, in the Log On To Windows dialog box you specify either your computer name (to log on using a local account) or the name of a domain (to log on using a domain account).

Domain user accounts, each with its own unique SID, are stored in the domain's directory, which is managed by the domain controller. Every member of the domain can connect to this database and use its list of accounts for security purposes. Thus, an individual computer user can grant access to a shared resource using the name of a domain security group. When the network administrator adds a new user to the network and assigns that user to the group in question, the new user automatically has access to the shared resource without requiring the local computer user to take any action.

Even in a domain environment, the local computer's SAM plays a role. Accessing resources on the local computer requires a local user account or membership in a local group. For that reason, when you join your computer to a domain, Windows adds the Domain Admins group (a domain-based security group for administrators) to the local Administrators group and adds the Domain Users group to the local Users group.



Built-In User Accounts

Every installation of Windows has at least two built-in user accounts that are preconfigured with certain privileges and restrictions:

Administrator. This account has full rights over the entire computer. As a permanent member of the Administrators group, this account has unrestricted access to all files and registry keys on the computer. The Administrator account can create other user accounts.

Guest. The Guest account is intended for occasional or one-time users, and its default privileges are quite limited. A user who logs on using this account can run programs and save documents on the local computer only. Windows' guest account lets other people use your computer without being able to change PC settings, install apps or access your private files. In Windows XP, the Guest account can also provide access to shared network resources when the Simple File Sharing option is enabled.

Note: Starting with Windows 10, the Guest account disappeared. In Windows 10, you can no longer easily turn on the Guest account—but you can still create a guest account using the Command Prompt.

How to Create a Guest Account in Windows 10


