Active Directory User
In Active Directory, a user object identifies a human being who uses the directory service. It holds their name, job role, department, geographical location, access credentials, and permissions. All modern operating systems are based on user accounts.
In a standalone Windows system, a user account is like a business card; Active Directory is more akin to a telephone directory of the same, which also allows AD users to find one another.
To Active Directory, everything is an object with a globally unique identifier (GUID). A printer is an object with a GUID, a server is an object with a GUID, and even the ordinary user accounts used by humans to access an Active Directory network are objects with GUIDs.
Active Directory can store up to 2.15 billion of these objects, which is more user accounts than an administrator would want to contemplate.
A common feature across the Windows platform, the administrative account is the closest Active Directory comes to God. Put simply, the administrative account gives the person using it complete control over an Active Directory domain, including creating and deleting ordinary users within it while controlling their rights and access permissions.
But this power creates vulnerability: these accounts have long been the number one target for hackers looking to compromise Active Directory, which means they must be protected at all costs.
Administrative users, or admins, are highly trained human beings who feel a surge of power every time they log on to Active Directory. They call the shots, make judgment calls, and generally tend the needs of Active Directory, its users, files, and resources. They are among the bravest and most overworked people in all of tech.
The term privileged user is often assumed to refer to a user account with elevated privileges that can do things an ordinary user can’t do. In Active Directory, this should mean that you’re either a Godlike enterprise admin with full privileges (creating users, assigning rights and permissions) or you’re not.
In reality, all users are privileged users to a greater or lesser degree: it’s simply a question of how many privileges they have. Active Directory allows for several kinds of privileged account, for example local admin accounts, service/application accounts, and ordinary accounts added to the Domain Admins group. The downside of this approach is that it complicates security.
The deeper truth is that privileges in Active Directory are never black and white; everyone needs some privileges, some of the time. The trick is monitoring who has the riskiest ones and not inadvertently forgetting they were granted.
Read more: Privileged User Monitoring and Auditing
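The monitoring the two paragraphs above call for can be started with a short script. The following PowerShell is an added example, not code from the glossary or its publisher; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read group membership. It walks the built-in privileged groups (expanding nested groups, which is where "inadvertently granted" privileges usually hide) and flags the conditions an auditor wants to see: disabled accounts still in the group, stale accounts, old or non-expiring passwords, and service accounts (accounts carrying a service principal name) that sit in an admin group. The group list and the day thresholds are assumptions to be adjusted to local policy.

```powershell
# Added example: audit who really holds the riskiest privileges in the domain.
# Requires the RSAT ActiveDirectory module; run as an account that can read group membership.
Import-Module ActiveDirectory

# Groups whose membership amounts to control of the domain or forest (assumed list).
# Enterprise Admins and Schema Admins exist only in the forest root domain, hence the
# -ErrorAction below when this is run from a child domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Assumed thresholds; tune to policy.
$staleDays       = 90
$maxPasswordDays = 365

function Get-PrivilegedUserReport {
    $now = Get-Date
    foreach ($group in $privilegedGroups) {
        # -Recursive expands nested groups, so an account that became an admin through
        # a group-of-a-group is still reported under the privileged group it lands in.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($member in $members) {
            if ($member.objectClass -ne 'user') { continue }   # computers and gMSAs are out of scope here

            $u = Get-ADUser -Identity $member.distinguishedName -Properties `
                    PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName

            $passwordAge    = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }
            $daysSinceLogon = if ($u.LastLogonDate)   { ($now - $u.LastLogonDate).Days }   else { $null }

            # Each flag is a reason this membership deserves review, not proof of a problem.
            $flags = @()
            if (-not $u.Enabled)                                                { $flags += 'DisabledButStillMember' }
            if ($u.PasswordNeverExpires)                                        { $flags += 'PasswordNeverExpires' }
            if ($null -eq $passwordAge -or $passwordAge -gt $maxPasswordDays)   { $flags += 'OldPassword' }
            if ($null -eq $daysSinceLogon -or $daysSinceLogon -gt $staleDays)   { $flags += 'StaleOrNeverLoggedOn' }
            if ($u.ServicePrincipalName.Count -gt 0)                            { $flags += 'ServiceAccountInAdminGroup' }

            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                PasswordAgeDays = $passwordAge
                DaysSinceLogon  = $daysSinceLogon
                Flags           = ($flags -join ',')
            }
        }
    }
}

# Show the most-flagged memberships first and keep a CSV as the audit trail.
$report = Get-PrivilegedUserReport | Sort-Object { $_.Flags.Length } -Descending
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\privileged-users.csv -NoTypeInformation
```

Run it on a schedule and diff successive CSVs: a new row is exactly the "privilege somebody forgot they granted" the paragraph warns about, and a row that gains the ServiceAccountInAdminGroup flag is the service/application account case called out above.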
Local administrative account
Are local Windows admin accounts an occasionally useful admin facility or the slow highway to hell?
Prior to Windows 7, local admin accounts were enabled by default, and chaos reigned as many cyberattacks were designed around guessing the weak passwords that protected them. In a Windows Active Directory environment, every compromised system represents a big risk because it potentially allows lateral movement that might lead to a compromise of the entire domain.
For local admin accounts, that should have been game over. Unfortunately, they still have their uses such as when configuring a system, supporting older applications, or when troubleshooting.
One solution is to disable the built-in local admin account and instead control membership of the local Administrators group with a Restricted Groups setting in an Active Directory Group Policy Object (GPO), which allows basic local admin functions while limiting wider privileges.
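A Restricted Groups GPO enforces the membership it defines at every policy refresh, but it is worth being able to see what a host actually looks like between refreshes. The script below is an added example (not from the glossary or its publisher) for a single Windows host; it assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, local administrative rights, and an assumed policy in which the only permitted members of Administrators are the built-in Administrator account (kept disabled) and the domain's Domain Admins group. It identifies accounts by SID suffix (the relative identifier, RID) rather than by name, since the built-in account can be renamed.

```powershell
# Added example: report drift in the local Administrators group on this host.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and local admin rights.

# Assumed policy, to be aligned with the Restricted Groups GPO:
# the built-in Administrator (local, RID 500) and Domain Admins (domain, RID 512) only.
$allowed = @(
    @{ Source = 'Local';           Rid = 500 }   # built-in Administrator, expected to be disabled
    @{ Source = 'ActiveDirectory'; Rid = 512 }   # Domain Admins
)

function Get-Rid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # The RID is the last sub-authority of the SID string.
    return [int](($Sid.Value -split '-')[-1])
}

function Test-LocalAdminHygiene {
    $findings = @()

    # 1. The built-in Administrator account is found by RID 500, not by name,
    #    because policy may have renamed it. It should exist but be disabled.
    $builtin = Get-LocalUser | Where-Object { (Get-Rid $_.SID) -eq 500 }
    if ($builtin -and $builtin.Enabled) {
        $findings += "Built-in Administrator '$($builtin.Name)' is enabled"
    }

    # 2. Any member of Administrators not on the allow-list, matched on both
    #    where the principal comes from and its RID, so a domain account with
    #    RID 500 (the domain Administrator) is not mistaken for the local one.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $rid    = Get-Rid $member.SID
        $source = "$($member.PrincipalSource)"
        $permitted = $allowed | Where-Object { $_.Source -eq $source -and $_.Rid -eq $rid }
        if (-not $permitted) {
            $findings += "Unexpected member '$($member.Name)' ($($member.ObjectClass) from $source, RID $rid)"
        }
    }
    return $findings
}

$result = Test-LocalAdminHygiene
if ($result.Count -eq 0) {
    Write-Output "Local Administrators group on $env:COMPUTERNAME matches policy"
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Running it under a scheduled task or an endpoint management agent and collecting the warnings centrally turns the "troubleshooting exception" local admin account the paragraph above describes into something that is visible and time-bounded rather than forgotten.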
Local system account
A curious aspect of business computers, including those running Windows, is that they require the existence of two different user identities to do their job.
The first is the Windows local system account, in effect the user-level equivalent of the local administrative account. As its name implies, this is specific to the local Windows system and is necessary because PCs and applications emerged from a historical model where computers were standalone, disconnected devices, and connectivity was uncertain.
The second identity is the domain account in a directory service, for example, Active Directory.
In businesses, the domain account is by far the more important of the two, leaving the local system account as a vestigial remnant of computing’s past that is tolerated but unloved.