特殊标识Special Identities
04/19/2017
本文内容
适用范围Applies to
Windows Server 2016Windows Server 2016
IT 专业人员的本参考主题介绍了特殊的标识组 (这些组有时称为 Windows access 控件中使用的安全组) 。This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
特殊标识组与 "用户" 和 "内置容器" 中列出的 Active Directory 安全组类似。Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. 特殊标识组可提供一种有效的方法来分配对您的网络中的资源的访问权限。Special identity groups can provide an efficient way to assign access to resources in your network. 通过使用特殊标识组,您可以:By using special identity groups, you can:
将用户权利分配给 ActiveDirectory 中的安全组。Assign user rights to security groups in ActiveDirectory.
出于访问资源的目的,为安全组分配权限。Assign permissions to security groups for the purpose of accessing resources.
在本主题开始处运行 " 适用 于" 列表中指定的受支持的 Windows Server 操作系统的服务器包括多个特殊标识组。Servers that are running the supported Windows Server operating systems designated in the Applies To list at the beginning of this topic include several special identity groups. 这些特殊标识组没有可修改的特定成员身份,但它们可以根据环境在不同的时间表示不同用户。These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
尽管可以向特殊标识组分配对资源的权利和权限,但不能修改或查看成员身份。Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. 组作用域不应用于特殊标识组。Group scopes do not apply to special identity groups. 用户在登录或访问特定资源时,会自动将其分配给这些特殊标识组。Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource.
For information about security groups and group scope, see Active Directory Security Groups.
下表介绍了特殊标识组:The special identity groups are described in the following tables:
匿名登录Anonymous Logon
通过匿名登录访问系统的任何用户都具有匿名登录标识。Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. 此标识允许对资源(如在企业服务器上发布的网页)的匿名访问。This identity allows anonymous access to resources, such as a web page that is published on corporate servers. 默认情况下,匿名登录组不是 Everyone 组的成员。The Anonymous Logon group is not a member of the Everyone group by default.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-7S-1-5-7
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
经过身份验证的用户Authenticated Users
通过登录过程访问系统的任何用户都具有经过身份验证的用户标识。Any user who accesses the system through a sign-in process has the Authenticated Users identity. 此标识允许访问域中的共享资源,例如共享文件夹中的文件,这些文件应可供组织中的所有工作人员访问。This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-11S-1-5-11
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = System,cn = WellKnown 安全主体,cn = 配置,dc =cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
从网络访问此计算机: SeNetworkLogonRight将工作站添加到域: SeMachineAccountPrivilegeAdd workstations to domain: SeMachineAccountPrivilege
绕过遍历检查: SeChangeNotifyPrivilegeBypass traverse checking: SeChangeNotifyPrivilege
批处理Batch
作为批处理作业访问系统的任何用户或进程 (或通过批处理队列) 具有批标识。Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. 此标识允许批处理作业运行计划任务,例如夜间清理删除临时文件的作业。This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-3S-1-5-3
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无none
创建者组Creator Group
创建文件或目录的人员是此特殊标识组的成员。The person who created the file or the directory is a member of this special identity group. Windows Server 操作系统使用此标识自动为文件或目录的创建者授予访问权限。Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
(SID) 的占位符安全标识符是在可继承的访问控制条目 (ACE) 中创建的。A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). 当 ACE 被继承时,系统会将此 SID 替换为对象的当前所有者的主要组的 SID。When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. 主要组仅由适用于 UNIX 的便携式操作系统接口 (POSIX) 子系统使用。The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-3-1S-1-3-1
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无none
创建者所有者Creator Owner
创建文件或目录的人员是此特殊标识组的成员。The person who created the file or the directory is a member of this special identity group. Windows Server 操作系统使用此标识自动为文件或目录的创建者授予访问权限。Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. 将在可继承的 ACE 中创建占位符 SID。A placeholder SID is created in an inheritable ACE. 当 ACE 被继承时,系统会将此 SID 替换为对象的当前所有者的 SID。When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-3-0S-1-3-0
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无none
拨号Dialup
通过拨号连接访问系统的任何用户都具有拨号标识。Any user who accesses the system through a dial-up connection has the Dial-Up identity. 此标识与其他类型的经过身份验证的用户的拨号用户区分开。This identity distinguishes dial-up users from other types of authenticated users.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-1S-1-5-1
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无none
摘要式身份验证Digest Authentication
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-64-21S-1-5-64-21
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无none
企业域控制器Enterprise Domain Controllers
此组包括 Active Directory 林中的所有域控制器。This group includes all domain controllers in an Active Directory forest. 具有企业级角色和职责的域控制器具有企业域控制器标识。Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. 此标识允许用户使用可传递信任在企业中执行某些任务。This identity allows them to perform certain tasks in the enterprise by using transitive trusts. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-9S-1-5-9
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
从网络访问此计算机: SeNetworkLogonRight允许本地登录: SeInteractiveLogonRightAllow log on locally: SeInteractiveLogonRight
所有人Everyone
所有交互式、网络、拨号和经过身份验证的用户都是 "所有人" 组的成员。All interactive, network, dial-up, and authenticated users are members of the Everyone group. 此特殊标识组提供对系统资源的广泛访问。This special identity group gives wide access to system resources. 当用户登录到网络时,用户将自动添加到 "所有人" 组。Whenever a user logs on to the network, the user is automatically added to the Everyone group.
在运行 Windows2000 和更早版本的计算机上,Everyone 组将匿名登录组包含为默认成员,但从 WindowsServer2003 中,"所有人" 组只包含经过身份验证的用户和来宾;默认情况下,它不再包括匿名登录 (尽管可以通过使用注册表编辑器 HKEY_LOCAL_MACHINE \system\currentcontrolset\control\lsa 键并将 everyoneincludesanonymous DWORD 值设置为 1) 来更改此设置。On computers running Windows2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of WindowsServer2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key and setting the value of everyoneincludesanonymous DWORD to 1).
成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-1-0S-1-1-0
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
从网络访问此计算机: SeNetworkLogonRight作为操作系统的一部分: SeTcbPrivilege绕过遍历检查: SeChangeNotifyPrivilegeBypass traverse checking: SeChangeNotifyPrivilege
交互式Interactive
任何登录到本地系统的用户都具有交互式标识。Any user who is logged on to the local system has the Interactive identity. 此标识仅允许本地用户访问资源。This identity allows only local users to access a resource. 只要用户访问当前登录的计算机上的给定资源,用户将自动添加到交互式组。Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-4S-1-5-4
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
本地服务Local Service
本地服务帐户类似于已验证身份的用户帐户。The Local Service account is similar to an Authenticated User account. 本地服务帐户对资源和对象具有与 "用户" 组成员相同的访问级别。The Local Service account has the same level of access to resources and objects as members of the Users group. 如果个别服务或进程受到危害,此受限访问有助于保护系统。This limited access helps safeguard your system if individual services or processes are compromised. 作为本地服务帐户运行的服务通过匿名凭据以 null 会话的形式访问网络资源。Services that run as the Local Service account access network resources as a null session with anonymous credentials. 帐户名称是 NT AUTHORITY\LocalService。The name of the account is NT AUTHORITY\LocalService. 此帐户没有密码。This account does not have a password.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-19S-1-5-19
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
调整进程的内存配额: SeIncreaseQuotaPrivilege绕过遍历检查: SeChangeNotifyPrivilegeBypass traverse checking: SeChangeNotifyPrivilege
更改系统时间: SeSystemtimePrivilegeChange the system time: SeSystemtimePrivilege
更改时区: SeTimeZonePrivilegeChange the time zone: SeTimeZonePrivilege
创建全局对象: SeCreateGlobalPrivilegeCreate global objects: SeCreateGlobalPrivilege
生成安全审核: SeAuditPrivilege在身份验证后模拟客户端: SeImpersonatePrivilege替换进程级别令牌: SeAssignPrimaryTokenPrivilegeReplace a process level token: SeAssignPrimaryTokenPrivilege
系统LocalSystem
这是操作系统使用的服务帐户。This is a service account that is used by the operating system. LocalSystem 帐户是具有对系统的完全访问权限并充当网络上的计算机的强大帐户。The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. 如果服务登录到域控制器上的 LocalSystem 帐户,则该服务有权访问整个域。If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. 某些服务默认配置为登录到 LocalSystem 帐户。Some services are configured by default to log on to the LocalSystem account. 不要更改默认服务设置。Do not change the default service setting. 该帐户的名称是 LocalSystem。The name of the account is LocalSystem. 此帐户没有密码。This account does not have a password.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-18S-1-5-18
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
NetworkNetwork
此组隐式包括通过网络连接登录的所有用户。This group implicitly includes all users who are logged on through a network connection. 通过网络访问系统的任何用户都具有网络标识。Any user who accesses the system through a network has the Network identity. 此标识仅允许远程用户访问资源。This identity allows only remote users to access a resource. 当用户通过网络访问给定的资源时,用户将自动添加到网络组。Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-2S-1-5-2
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
网络服务Network Service
网络服务帐户类似于已验证身份的用户帐户。The Network Service account is similar to an Authenticated User account. 网络服务帐户对资源和对象具有与 "用户" 组成员相同的访问级别。The Network Service account has the same level of access to resources and objects as members of the Users group. 如果个别服务或进程受到危害,此受限访问有助于保护系统。This limited access helps safeguard your system if individual services or processes are compromised. 作为网络服务帐户运行的服务通过使用计算机帐户的凭据来访问网络资源。Services that run as the Network Service account access network resources by using the credentials of the computer account. 帐户名称为 NTAUTHORITY\NetworkService。The name of the account is NTAUTHORITY\NetworkService. 此帐户没有密码。This account does not have a password.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-20S-1-5-20
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
调整进程的内存配额: SeIncreaseQuotaPrivilege绕过遍历检查: SeChangeNotifyPrivilegeBypass traverse checking: SeChangeNotifyPrivilege
创建全局对象: SeCreateGlobalPrivilegeCreate global objects: SeCreateGlobalPrivilege
生成安全审核: SeAuditPrivilege在身份验证后模拟客户端: SeImpersonatePrivilege替换进程级别令牌: SeAssignPrimaryTokenPrivilegeReplace a process level token: SeAssignPrimaryTokenPrivilege
NTLM 身份验证NTLM Authentication
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-64-10S-1-5-64-10
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
其他组织Other Organization
该组隐式包括通过拨号连接登录到系统的所有用户。This group implicitly includes all users who are logged on to the system through a dial-up connection. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-1000S-1-5-1000
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
Principal SelfPrincipal Self
此标识是 ActiveDirectory 中的用户、组或计算机对象的 ACE 中的占位符。This identify is a placeholder in an ACE on a user, group, or computer object in ActiveDirectory. 向主体自身授予权限时,可将其授予由该对象表示的安全主体。When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. 在访问检查过程中,操作系统会将主体自身的 SID 替换为对象表示的安全主体的 SID。During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-10S-1-5-10
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
远程交互式登录Remote Interactive Logon
此标识表示当前使用远程桌面连接登录到计算机的所有用户。This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. 该组是交互式组的子集。This group is a subset of the Interactive group. 包含远程交互式登录 SID 的访问令牌也包含交互式 SID。Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-14S-1-5-14
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
Restricted (受限的)Restricted
具有受限功能的用户和计算机具有受限标识。Users and computers with restricted capabilities have the Restricted identity. 此身份组由在受限安全上下文中运行的进程使用,例如使用运行方式服务运行应用程序。This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. 当代码在受限安全级别运行时,受限制的 SID 将添加到用户的访问令牌。When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-12S-1-5-12
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
SChannel 身份验证SChannel Authentication
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-64-14S-1-5-64-14
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
服务Service
任何访问系统的服务都具有服务标识。Any service that accesses the system has the Service identity. 此标识组包括作为服务登录的所有安全主体。This identity group includes all security principals that are signed in as a service. 此标识授予对正在由 Windows Server 服务运行的进程的访问权限。This identity grants access to processes that are being run by Windows Server services. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-6S-1-5-6
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
创建全局对象: SeCreateGlobalPrivilegeCreate global objects: SeCreateGlobalPrivilege
在身份验证后模拟客户端: SeImpersonatePrivilege
终端服务器用户Terminal Server User
通过终端服务访问系统的任何用户都具有终端服务器用户标识。Any user accessing the system through Terminal Services has the Terminal Server User identity. 此标识允许用户使用终端服务器服务访问终端服务器应用程序和执行其他必要的任务。This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. 成员身份由操作系统控制。Membership is controlled by the operating system.
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-13S-1-5-13
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
此组织This Organization
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
S-1-5-15S-1-5-15
对象类Object Class
外部安全主体Foreign Security Principal
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
无None
Window Manager\Window 管理器组Window Manager\Window Manager Group
属性Attribute
值Value
众所周知的 SID/RIDWell-Known SID/RID
对象类Object Class
Active Directory 中的默认位置Default Location in Active Directory
cn = WellKnown 安全主体,cn = 配置,dc =cn=WellKnown Security Principals, cn=Configuration, dc=
默认用户权限Default User Rights
绕过遍历检查: SeChangeNotifyPrivilegeBypass traverse checking: SeChangeNotifyPrivilege
增加进程工作集: SeIncreaseWorkingSetPrivilegeIncrease a process working set: SeIncreaseWorkingSetPrivilege
另请参阅See also
220
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
