What are NT AUTHORITY accounts?

They seem to be system-generated Windows accounts? What exactly are they? What is their purpose, and how many kinds of accounts are under this broad category of NT AUTHORITY? Is it considered a domain?

thanks
anushahanna Asked:
MinoDC Commented:
They are like the System account. No, it isn't considered a domain, but is local to the server.
Typically the NT AUTHORITY account is used to start the Windows or application services.
0

Todd Gerbert, IT Consultant, Commented:
They are special system accounts, that belong to the operating system.  Since everything in Windows NT/2000/XP/Vista/7 runs within a security context, even Windows itself needs to have a user account in order to use the computer.  For example, if you have startup scripts that run before any user logs on they run as "NT AUTHORITY\System".  This is a fairly simplified view, but might get the point across. ;)
0
PeteJThomas Commented:
Well I've been led to believe that there are 2 different types of these accounts : LOCAL System etc, and NT AUTHORITY System.

NT AUTHORITY System would (in my understanding) be presented to your network as the computer the account is located on - So if a domain/network resource is told to grant permissions to the computer "COMP1", and a service on a computer needs access to that domain/network resource to operate, you would use the NT AUTHORITY System account to start the service - Thus when the service attempts to access the resource, it's presented (or is the same as) "COMP1" trying to access it, and is then allowed.

LOCAL System is known ONLY to that specific computer itself - And only has authority to resources on the computer itself (and it's this account that's normally used to start services etc on an individual PC).

Now I'm open to corrections, but that is my understanding of the concept...

Pete

0
anushahanna (Author) Commented:
I would be glad for a confirmation on Pete's comments, too.

How many sub-accounts exist under NT AUTHORITY? How often and in what scenarios do you have to know and use these accounts? (assuming the system keeps using them on an ongoing basis)

thanks
0
Todd Gerbert, IT Consultant, Commented:
I believe Pete is referring to the difference between System and Local Service. NT AUTH\System being the computer's account and has access to perform any task on that computer; NT AUTH\Local Service is a security access token with limited rights that is often used for system services that require access to remote resources.

Generally, if you're not a system administrator you really only need to know they're there and that you shouldn't mess with them (e.g. removing NT AUTHORITY\System's access from the Windows folder might cause you some problem).

As a system/network administrator it's a frequent occurrence to have knowledge of these, most often assigning appropriate file access security settings (i.e. NTFS permissions) to files - so that, for example, you can give the Web Server Service (which runs as Local Service) access to the web files.

The number of principals, and their names varies slightly from version to version of Windows. On my Windows 7 system I have:
NT AUTHORITY\ANONYMOUS LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\BATCH
NT AUTHORITY\DIALUP
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\TERMINAL SERVER USER
0
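
To produce the equivalent list on whatever Windows version is in front of you, the following PowerShell is an added example (not part of any participant's post). It resolves the .NET `WellKnownSidType` values to account names, keeps those that fall under the local NT AUTHORITY name, and then shows which of them hold entries in the ACL of the Windows folder. It only reads; the variable names are illustrative.

```powershell
# Added example: enumerate the well-known SIDs that resolve under NT AUTHORITY
# on this machine, then show which of them hold ACEs on the Windows folder.
# Read-only: nothing here changes any permission.

$sidType   = [System.Security.Principal.WellKnownSidType]
$ntAccount = [System.Security.Principal.NTAccount]

# Resolve SYSTEM (S-1-5-18) first to learn the authority name as this
# Windows installation displays it (the name is localized).
$system    = New-Object System.Security.Principal.SecurityIdentifier($sidType::LocalSystemSid, $null)
$authority = $system.Translate($ntAccount).Value.Split('\')[0]

$principals = foreach ($type in [Enum]::GetValues($sidType)) {
    try {
        # Domain-relative types need a domain SID and throw with $null;
        # some SIDs have no name on a given Windows version. Skip both.
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($type, $null)
        $name = $sid.Translate($ntAccount).Value
    } catch {
        continue
    }
    if ($name -like "$authority\*") {
        [pscustomobject]@{ Name = $name; Sid = $sid.Value }
    }
}
$principals = $principals | Sort-Object Sid -Unique
$principals | Format-Table -AutoSize

# Which of those principals appear in the ACL of the Windows folder?
(Get-Acl -Path $env:windir).Access |
    Where-Object { $_.IdentityReference.Value -like "$authority\*" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The SID column is the stable identifier to use in scripts and audit rules, since the displayed names differ between Windows languages and versions.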
anushahanna (Author) Commented:
tgerbert, where can I find the list of principals on Server 2003?
0
Todd Gerbert, IT Consultant, Commented:
http://technet.microsoft.com/en-us/library/cc779144(WS.10).aspx, at the bottom of the list under Special Identities.  Also have a look at documentation regarding Windows Server 2003 security and security best practices: http://technet.microsoft.com/en-us/library/cc785357(WS.10).aspx

PROCEED WITH CAUTION - it's possible to do substantial damage to a running system by modifying access control.
0
anushahanna (Author) Commented:
Thanks tgerbert
0
Windows Server 2003