In order to identify every user and group unambiguously, NT generates a Security Identifier (SID) for every user and group defined within the domain. The operating system uses these Security Identifiers, not user or group names, to determine the access privileges of users and groups. When an administrator creates a new user or group, the operating system generates a long number. This number is will be unique within the domain because the server bases it on the name of the computer, the current system time on that computer, and the current thread's user-mode execution time. The uniqueness is important for proper security auditing because a Security Identifier identifies a user or group created at a specific time and place and given specific access privileges by a specific administrator. If an administrator deleted the user or group from the domain, and then re-created it with the same name and password, the new user or group object would receive a new Security Identifier. And it wouldn't have any of the access privileges of old user or group name. The administrator would have to explicitly grant new access privileges to this user or group. Once a user has successfully logged in to an NT domain or an NT workstation, the Local Security Authority generates a Security Access Token for the login session. This Security Access Token contains the user's Security Identifier, plus the Security Identifier of every group to which the user belongs, and is the vehicle for determining the user's right to access system objects.
|
|
|
|
|
|
|
|