The Best Damn Windows Server 2003 Book Period- P42: The latest incarnation of Microsoft's server product, Windows Server 2003, brings many new features and improvements that make the network administrator's job easier. This chapter will briefly summarize what's new in 2003 and introduce you to the four members of the Windows Server 2003 family: the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition.

Chapter 10: Working with User, Group, and Computer Accounts

Understanding Active Directory Security Principal Accounts

Active Directory is made up of a wide variety of different directory service objects. Among these objects are security principal accounts, which consist of the following:

- User accounts
- Computer accounts
- Groups

Security principal accounts are used in authentication and access control, and provide a means to manage what can be accessed on the network. Based on the security settings associated with a security principal account, you can control whether a user, group, or computer has access to Active Directory, printer, and file system objects, as well as domain controllers (DCs), member servers, client computers, applications, and other elements of the network. They are a major factor in keeping your network protected and controlling what users and computers are authorized to access.

Security Principals and Security Identifiers

Security principals get their name because they are Active Directory objects that are assigned Security Identifiers (SIDs) when they are created. The SID is used to control access to resources, and by internal processes to identify security principals. Because each SID is unique, unless security is breached, there is no way for accounts to mistakenly gain access to restricted resources when the system is properly configured by an administrator.

SIDs are able to remain unique because of the way they are issued. In each domain, there is a DC that acts as a Relative ID (RID) Master.
The RID Master is responsible for generating relative identifiers, which are used in creating SIDs. A SID is a number that contains a domain security identifier and a relative identifier. The domain ID is the same for all objects in the domain, but the relative identifier is unique. A pool of these numbers is issued to each DC within the domain so they can be assigned to security principals that are created on the DC. When 80 percent of the numbers in the pool have been assigned
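
The SID structure described above (a shared domain identifier plus a per-object relative identifier) can be checked directly. The following Python is an added example, not code from the book: it decodes binary SIDs in the layout used by the objectSid attribute, splits each into domain identifier and RID, and reports any RID that appears twice. The function names and the sample accounts and domain values are constructed for illustration.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (objectSid layout) into its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit value, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_sid(sid: str):
    """Return (domain identifier, relative identifier) for a domain account SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def build_sid(domain_subs, rid) -> bytes:
    """Build a sample binary SID under authority 5 (NT Authority) for testing."""
    subs = [21, *domain_subs, rid]
    head = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def check_accounts(accounts):
    """Return (set of domain identifiers seen, names whose RID was already in use)."""
    domains, seen, dupes = set(), {}, []
    for name, raw in accounts:
        domain, rid = split_sid(sid_to_string(raw))
        domains.add(domain)
        if (domain, rid) in seen:
            dupes.append(name)       # same domain + same RID: SID is not unique
        seen[(domain, rid)] = name
    return domains, dupes

# Constructed sample data: one user, one computer, one group in the same domain.
DOMAIN = (1004336348, 1177238915, 682003330)
ACCOUNTS = [
    ("alice", build_sid(DOMAIN, 1104)),
    ("WKSTN01$", build_sid(DOMAIN, 1105)),
    ("Sales", build_sid(DOMAIN, 1106)),
]

if __name__ == "__main__":
    for name, raw in ACCOUNTS:
        print(name, sid_to_string(raw))
    print(check_accounts(ACCOUNTS))
```

A single domain identifier and an empty duplicate list is the expected result for a healthy domain; a repeated RID within one domain is worth investigating.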