Главная » Linux

Windows system user accounts

Содержание
  1. Local Accounts
  2. About local user accounts
  3. Default local user accounts
  4. Administrator account
  5. Guest account
  6. HelpAssistant account (installed with a Remote Assistance session)
  7. Одна учетная запись для всех служб Microsoft
  8. Нет учетной записи Microsoft?
  9. Безопасность
  10. Конфиденциальность
  11. Семья
  12. Платежи и выставление счетов
  13. Подписки
  14. Устройства
  15. Справка
  16. Войдите в учетную запись и начните работу
  17. Outlook
  18. Skype
  19. Microsoft Edge
  20. Microsoft Bing
  21. Microsoft 365
  22. OneDrive
  23. Windows
  24. Microsoft Store
  25. Кортана
  26. LocalSystem Account

Local Accounts

Applies to

  • Windows 10
  • Windows Server 2019
  • Windows Server 2016

This reference topic for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.

About local user accounts

Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.

This topic describes the following:

For information about security principals, see Security Principals.

Default local user accounts

The default local user accounts are built-in accounts that are created automatically when you install Windows.

After Windows is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.

Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see How to manage local accounts later in this topic.

Default local user accounts are described in the following sections.

Administrator account

The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.

The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.

In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the Run as Administrator option. Fast User Switching is more secure than using Runas or different-user elevation.

Account group membership

By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.

Читайте также:  Настроить затухание экрана windows 10

The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed.

Security considerations

Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.

You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see Disable or activate a local user account and Rename a local user account.

As a security best practice, use your local (non-Administrator) account to sign in and then use Run as administrator to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see Run a program with administrative credentials.

In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.

In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see Group Policy Overview.

NoteВ В Blank passwords are not allowed in the versions designated in the Applies To list at the beginning of this topic.

ImportantВ В Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.

Guest account

The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.

Account group membership

By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.

Security considerations

When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account should not be used over the network and made accessible to other computers.

Читайте также:  Не печатает hp laserjet 1320 для windows

In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.

HelpAssistant account (installed with a Remote Assistance session)

The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.

HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.

Security considerations

The SIDs that pertain to the default HelpAssistant account include:

SID: S-1-5- -13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.

SID: S-1-5- -14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.

For details about the HelpAssistant account attributes, see the following table.

HelpAssistant account attributes

S-1-5- -13 (Terminal Server User), S-1-5- -14 (Remote Interactive Logon)

Одна учетная запись для всех служб Microsoft

Одна учетная запись. Одна панель управления. Добро пожаловать на страницу учетной записи.

Нет учетной записи Microsoft?

Узнайте, как начать работу с продуктами Microsoft.

Безопасность

Изменяйте пароль, обновляйте секретные вопросы и поддерживайте актуальность важных сведений учетной записи.

Конфиденциальность

Просматривайте историю поиска, посещений веб-страниц, местоположений и многое другое.

Семья

Обезопасьте свою семью в Интернете и оставайтесь на связи, даже когда находитесь вдали друг от друга.

Платежи и выставление счетов

Обновляйте платежную информацию, просматривайте историю заказов, используйте подарочные карты и получайте помощь с оплатой.

Подписки

Быстро продлевайте подписки и управляйте службами Microsoft из единой панели.

Устройства

Найдите и заблокируйте утерянное или украденное устройство Windows 10, сотрите с него данные или запланируйте ремонт и получите помощь.

Справка

Получите помощь и советы экспертов по продуктам и службам Microsoft.

Войдите в учетную запись и начните работу

Пользуйтесь всеми любимыми продуктами и службами Microsoft с помощью единого входа. От Office и Windows до Xbox и Skype – одно имя пользователя и один пароль объединяют вас с самыми важными файлами, фотографиями, людьми и контентом.

Outlook

Почта и календарь в одном. Все, что нужно для эффективной работы и общения дома и в дороге.

Skype

Оставайтесь на связи с близкими на всех устройствах с помощью текстовых сообщений, голосовых и видеозвонков Skype.

Microsoft Edge

Быстрый браузер для эффективной работы в сети: с ним удобно искать информацию, узнавать новое и систематизировать закладки.

Microsoft Bing

Интеллектуальные функции поиска помогают быстро и удобно находить все необходимое — ответы, новости, развлечения и многое другое.

Играйте в любимые игры где угодно. Играйте, общайтесь с друзьями и заходите в сообщества на Xbox One, компьютерах с Windows 10 и мобильных устройствах.

Microsoft 365

Выполняйте важные задачи с Word, Excel, PowerPoint и не только. Каким будет ваш следующий успех с Office 365?

OneDrive

Бесплатно сохраняйте и просматривайте файлы и фотографии на своих устройствах. В учетной записи Microsoft доступно 5 ГБ хранилища, и вы сможете добавить больше при необходимости.

Windows

Найдите и заблокируйте утерянное или украденное устройство Windows 10, сотрите с него данные или запланируйте ремонт и получите помощь.

Microsoft Store

Воспользуйтесь лучшими предложениями Microsoft — от приложений для работы и творчества до игр и развлечений.

Кортана

Экономьте время и будьте организованными — Кортана помогает решать повседневные задачи, чтобы вы не отвлекались на мелочи.

Благодаря MSN полезная информация доступна в любое время.

LocalSystem Account

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account. This has several implications:

  • The registry key HKEY_CURRENT_USER is associated with the default user, not the current user. To access another user’s profile, impersonate the user, then access HKEY_CURRENT_USER.
  • The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.
  • The service presents the computer’s credentials to remote servers.
  • If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions.

The LocalSystem account has the following privileges:

  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
  • SE_AUDIT_NAME (enabled)
  • SE_BACKUP_NAME (disabled)
  • SE_CHANGE_NOTIFY_NAME (enabled)
  • SE_CREATE_GLOBAL_NAME (enabled)
  • SE_CREATE_PAGEFILE_NAME (enabled)
  • SE_CREATE_PERMANENT_NAME (enabled)
  • SE_CREATE_TOKEN_NAME (disabled)
  • SE_DEBUG_NAME (enabled)
  • SE_IMPERSONATE_NAME (enabled)
  • SE_INC_BASE_PRIORITY_NAME (enabled)
  • SE_INCREASE_QUOTA_NAME (disabled)
  • SE_LOAD_DRIVER_NAME (disabled)
  • SE_LOCK_MEMORY_NAME (enabled)
  • SE_MANAGE_VOLUME_NAME (disabled)
  • SE_PROF_SINGLE_PROCESS_NAME (enabled)
  • SE_RESTORE_NAME (disabled)
  • SE_SECURITY_NAME (disabled)
  • SE_SHUTDOWN_NAME (disabled)
  • SE_SYSTEM_ENVIRONMENT_NAME (disabled)
  • SE_SYSTEMTIME_NAME (disabled)
  • SE_TAKE_OWNERSHIP_NAME (disabled)
  • SE_TCB_NAME (enabled)
  • SE_UNDOCK_NAME (disabled)

Most services do not need such a high privilege level. If your service does not need these privileges, and it is not an interactive service, consider using the LocalService account or the NetworkService account. For more information, see Service Security and Access Rights.

Читайте также:  Lamp server для windows
Оцените статью
© 2024 Советы по настройке компьютера
Attribute Value