Solved

Windows Server 2008 R2 Active Directory

Posted on 2012-09-04
Last Modified: 2012-10-01
I keep getting asked: Name 2 security principals?

I thought security principals in AD could be objects: users, computers.

Can someone explain how to answer that question?

Thanks
Question by:techgenious
 
LVL 3

Expert Comment

by:Charlie2012
ID: 38365738
I think this is what you are looking for:

http://support.microsoft.com/kb/243330
 

Author Comment

by:techgenious
ID: 38365932
This is not what I am looking for. All I want to know is: give me 2 examples of a security principal.
 
LVL 5

Expert Comment

by:albelo
ID: 38365985
Security principals include the following:

Any entity that can be authenticated by the system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.

Security groups of these accounts.

http://technet.microsoft.com/en-us/library/cc780957(v=ws.10).aspx
 
LVL 5

Accepted Solution

by:
albelo earned 900 total points
ID: 38376781
The answer would be Active Directory Accounts (User and Computer) and Security Groups. This is of course if the question is indeed regarding Active Directory. These are also known as Security Principals:

Everyone (S-1-1-0): Included in the access token for all users, including the Guest account; included in the access token for anonymous users if the Network Access: Let Everyone permissions apply to anonymous users policy setting is enabled

Creator Owner (S-1-3-0): Placeholder used for permission inheritance between parent and child objects; for child objects, Creator Owner permissions are replaced by permissions for the object's actual owner

Creator Group (S-1-3-1): Placeholder used for permission inheritance between parent and child objects; for child objects, Creator Group permissions are replaced by permissions for the primary group of the object's actual owner

Dialup (S-1-5-1): Included in the access token for all users logged on through a dial-up or VPN connection

Network (S-1-5-2): Included in the access token for all users logged on through a network connection

Batch (S-1-5-3): Included in the access token for all users logged on through a batch scheduler connection

Interactive (S-1-5-4): Included in the access token for all users logged on interactively

Service (S-1-5-6): Included in the access token for all principals logged on as a service

Anonymous (S-1-5-7): Included in the access token for all users logged on anonymously

Self (S-1-5-10): Placeholder for the object itself; can be useful for permission inheritance between parent and child objects

Authenticated Users (S-1-5-11): Included in the access token for all users authenticated to the OS; included in the access token for the Guest account in XP and Win2K; doesn't include the Guest account in Windows 2003 and XP SP2

Terminal Server User (S-1-5-13): Included in the access token for all users logged on using Terminal Services 4.0 application compatibility mode

System (S-1-5-18): Represents the local system

Restricted Code (S-1-5-12): Added to the user's access token when using RunAs with the Run this program with restricted access option in Windows 2003 or the Protect my computer and data from unauthorized program activity option in XP

Remote Interactive Logon (S-1-5-14): Added to the user's access token when the user is logged on using Terminal Services or RDP; lets you assign permissions to users logged on via Terminal Services or RDP

This Organization (S-1-5-15): Used for forest trust and external trust selective authentication; selective authentication lets administrators distinguish users from the trusted forest/domain and users from the trusting forest/domain when dealing with access control settings; added to the access tokens in the trusting forest/domain of users who are defined in the trusting forest/domain (see Other Organization)

Local Service (S-1-5-19): Least privilege service account for services that need access only to local data, not to other computers on the network

Network Service (S-1-5-20): Least privilege service account for services that need access to other computers on the network

NTLM Authentication (S-1-5-64-10): Lets you set special permissions for down-level clients authenticating by the less-secure NTLM protocol; added to the user's access token when the user logs on to a DC using NTLM; can be used in a deny access control entry (ACE) to restrict access to resources

SChannel Authentication (S-1-5-64-14): Lets you set special permissions for clients authenticating via a secure channel (e.g., HTTP Secure—HTTPS—authentication to a Microsoft IIS server, LDAP authentication to a Windows DC)

Digest Authentication (S-1-5-64-21): Authentication packet that enables HTTP digest authentication on an IIS server; lets you specify who can log on using digest authentication

Other Organization (S-1-5-1000): Used for forest trust and external trust selective authentication; lets you distinguish users from the trusted forest/domain and users from the trusting forest/domain when dealing with access control settings; added to the access tokens in the trusting forest/domain of users who are defined in the trusted forest/domain (see This Organization)

Enterprise Domain Controllers (S-1-5-9): Included in the access token for all DCs in a Windows AD forest
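Added example, not part of the thread or of any poster's answer: a PowerShell sketch that shows which of the well-known principals listed above are present in the current access token, and which Allow ACEs on a path are granted to the broadest of them. The function names `Get-TokenWellKnownPrincipal` and `Get-BroadPrincipalAce` are hypothetical, and treating Everyone, Anonymous and Authenticated Users as "broad" is this example's assumption; the SID values are the ones given in the answer.

```powershell
# Added example (not from the thread). SID values are taken from the list in the answer above.
$WellKnownSids = @{
    'S-1-1-0'     = 'Everyone'
    'S-1-5-2'     = 'Network'
    'S-1-5-4'     = 'Interactive'
    'S-1-5-6'     = 'Service'
    'S-1-5-7'     = 'Anonymous'
    'S-1-5-11'    = 'Authenticated Users'
    'S-1-5-14'    = 'Remote Interactive Logon'
    'S-1-5-15'    = 'This Organization'
    'S-1-5-64-10' = 'NTLM Authentication'
}

# Hypothetical helper: which of the listed principals are in the current access token?
function Get-TokenWellKnownPrincipal {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The token carries the user's own SID plus the SIDs of every group added at logon.
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    foreach ($sid in $sids) {
        if ($WellKnownSids.ContainsKey($sid)) {
            New-Object PSObject -Property @{ Sid = $sid; Name = $WellKnownSids[$sid] }
        }
    }
}

# Hypothetical helper: list Allow ACEs on a path that are granted to broad principals.
# Treating these three SIDs as "broad" is this example's assumption.
function Get-BroadPrincipalAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    $broad = 'S-1-1-0', 'S-1-5-7', 'S-1-5-11'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Ask for rules keyed by SID so localized or renamed account names do not matter.
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
        } |
        Select-Object @{ Name = 'Principal'; Expression = { $WellKnownSids[$_.IdentityReference.Value] } },
                      @{ Name = 'Sid'; Expression = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

Get-TokenWellKnownPrincipal | Format-Table Sid, Name -AutoSize
Get-BroadPrincipalAce -Path "$env:SystemDrive\" | Format-Table -AutoSize
```

Run from an interactive console, a network session and a service to see the logon-type principals change between tokens.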
 

Author Closing Comment

by:techgenious
ID: 38452165
Good answer, what I am looking for
