Solved

what are NT AUTHORITY accounts?

Posted on 2010-01-07
Last Modified: 2012-05-08
They seem to be system-generated Windows accounts? What exactly are they? What is their purpose, and how many kinds of accounts are under this broad category of NT AUTHORITY? Is it considered a domain?

thanks
Question by:anushahanna
8 Comments
 
LVL 9

Accepted Solution

by:
MinoDC earned 400 total points
ID: 26201193
They are like the System account. No, it isn't considered a domain; it is local to the server.
Typically the NT AUTHORITY account is used to start Windows or application services.
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 1200 total points
ID: 26201217
They are special system accounts that belong to the operating system. Since everything in Windows NT/2000/XP/Vista/7 runs within a security context, even Windows itself needs to have a user account in order to use the computer. For example, if you have startup scripts that run before any user logs on, they run as "NT AUTHORITY\System". This is a fairly simplified view, but might get the point across. ;)
0
 
LVL 19

Assisted Solution

by:PeteJThomas
PeteJThomas earned 400 total points
ID: 26201417
Well, I've been led to believe that there are 2 different types of these accounts: LOCAL System etc., and NT AUTHORITY System.

NT AUTHORITY System would (in my understanding) be presented to your network as the computer the account is located on - So if a domain/network resource is told to grant permissions to the computer "COMP1", and a service on a computer needs access to that domain/network resource to operate, you would use the NT AUTHORITY System account to start the service - Thus when the service attempts to access the resource, it's presented (or is the same as) "COMP1" trying to access it, and is then allowed.

LOCAL System is known ONLY to that specific computer itself - And only has authority to resources on the computer itself (and it's this account that's normally used to start services etc on an individual PC).

Now I'm open to corrections, but that is my understanding of the concept...

Pete

0

 
LVL 6

Author Comment

by:anushahanna
ID: 26207056
I would be glad for a confirmation on Pete's comments, too.

How many sub-accounts exist under NT AUTHORITY? How often and in what scenarios do you have to know and use these accounts? (assuming the system keeps using them on an ongoing basis)

thanks
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 1200 total points
ID: 26209283
I believe Pete is referring to the difference between System and Local Service. NT AUTH\System is the computer's account and has access to perform any task on that computer; NT AUTH\Local Service is a security access token with limited rights that is often used for system services that require access to remote resources.

Generally, if you're not a system administrator you really only need to know they're there and that you shouldn't mess with them (e.g. removing NT AUTHORITY\System's access from the Windows folder might cause you some problems).

As a system/network administrator it's a frequent occurrence to have knowledge of these, most often assigning appropriate file access security settings (i.e. NTFS permissions) to files - so that, for example, you can give the Web Server Service (which runs as Local Service) access to the web files.

The number of principals, and their names varies slightly from version to version of Windows. On my Windows 7 system I have:
NT AUTHORITY\ANONYMOUS LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\BATCH
NT AUTHORITY\DIALUP
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\SERVICE
NT AUTHORITY\SYSTEM
NT AUTHORITY\TERMINAL SERVER USER
0
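
A read-only way to produce this kind of list on your own machine and to see where the principals are actually used, as an added example that is not part of the original thread. It assumes an English-language Windows installation (the "NT AUTHORITY" prefix is localized on other languages) and PowerShell 3.0 or later; nothing in it changes any permission or service setting.

```powershell
# Added example (not from the thread). Read-only: lists principals, service
# logon accounts and ACL entries; it modifies nothing.
# Assumption: English Windows, where the authority name is "NT AUTHORITY".

# 1. Resolve every well-known SID type the .NET runtime knows about and keep
#    the ones that translate to an NT AUTHORITY\... name on this OS version.
$principals = foreach ($type in [Enum]::GetValues([System.Security.Principal.WellKnownSidType])) {
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($type, $null)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Domain-relative types need a domain SID, and some types do not
        # exist on every Windows version; skip whatever does not resolve.
        continue
    }
    if ($name -like 'NT AUTHORITY\*') {
        [pscustomobject]@{ Name = $name; Sid = $sid.Value }
    }
}
$principals | Sort-Object Name -Unique | Format-Table -AutoSize

# 2. Which account does each service log on as? Grouping by StartName shows
#    how many services run as LocalSystem versus the limited service accounts.
Get-CimInstance -ClassName Win32_Service |
    Group-Object -Property StartName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Which NT AUTHORITY principals appear in the ACL of the Windows folder?
#    These are the entries the thread says should be left alone.
(Get-Acl -Path $env:windir).Access |
    Where-Object { $_.IdentityReference -like 'NT AUTHORITY\*' } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The set of names printed by step 1 varies with the Windows version, so compare it against the documentation for the release you are auditing.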
 
LVL 6

Author Comment

by:anushahanna
ID: 26209814
tgerbert, where can I find the list of principals on Server 2003?
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 1200 total points
ID: 26211408
http://technet.microsoft.com/en-us/library/cc779144(WS.10).aspx, at the bottom of the list under Special Identities.  Also have a look at documentation regarding Windows Server 2003 security and security best practices: http://technet.microsoft.com/en-us/library/cc785357(WS.10).aspx

PROCEED WITH CAUTION - it's possible to do substantial damage to a running system by modifying access control.
0
 
LVL 6

Author Comment

by:anushahanna
ID: 26223759
Thanks tgerbert
0
