Guests|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Can be moved out, but we do not recommend it.|
-|Safe to delegate management of this group to non-Service admins?|No|
-
-
-
-## KRBTGT account
-
-
-The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
-
-KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
-
-Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.
-
-### KRBTGT account maintenance considerations
-
-A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
-
-Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
-
-After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
-
-### Security considerations
-
-It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password.
-
-An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort.
-
-The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected.
-
-For all account types (users, computers, and services)
-
-- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid.
-
-- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate.
-
-- NTLM authenticated connections are not affected
-
-Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
-
-> [!IMPORTANT]
-> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
-
-For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
-
-### Read-only domain controllers and the KRBTGT account
-
-Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
-
-After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.
-
-### KRBTGT account attributes
-
-For details about the KRBTGT account attributes, see the following table.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-` Global groups from any domain in the same forest Other Universal groups from any domain in the same forest|Can be converted to Domain Local scope if the group is not a member of any other Universal groups Can be converted to Global scope if the group does not contain any other Universal groups|On any domain in the same forest or trusting forests|Other Universal groups in the same forest Domain Local groups in the same forest or trusting forests Local groups on computers in the same forest or trusting forests|
-|Global|Accounts from the same domain Other Global groups from the same domain|Can be converted to Universal scope if the group is not a member of any other global group|On any domain in the same forest, or trusting domains or forests|Universal groups from any domain in the same forest Other Global groups from the same domain Domain Local groups from any domain in the same forest, or from any trusting domain|
-|Domain Local|Accounts from any domain or any trusted domain Global groups from any domain or any trusted domain Universal groups from any domain in the same forest Other Domain Local groups from the same domain Accounts, Global groups, and Universal groups from other forests and from external domains|Can be converted to Universal scope if the group does not contain any other Domain Local groups|Within the same domain|Other Domain Local groups from the same domain Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs|
-
-### Special identity groups
-
-Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User.
-
-For information about all the special identity groups, see [Special Identities](special-identities.md).
-
-## Default security groups
-
-
-Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
-
-Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
-
-When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources.
-
-Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains.
-
-Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.
-
-The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts.
-
-### Active Directory default security groups by operating system version
-
-The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system.
-
-|Default Security Group|Windows Server 2016|Windows Server 2012 R2|Windows Server 2012|Windows Server 2008 R2|
-|--- |--- |--- |--- |--- |
-|[Access Control Assistance Operators](#bkmk-acasstops)|Yes|Yes|Yes||
-|[Account Operators](#bkmk-accountoperators)|Yes|Yes|Yes|Yes|
-|[Administrators](#bkmk-admins)|Yes|Yes|Yes|Yes|
-|[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)|Yes|Yes|Yes|Yes|
-|[Backup Operators](#bkmk-backupoperators)|Yes|Yes|Yes|Yes|
-|[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)|Yes|Yes|Yes|Yes|
-|[Cert Publishers](#bkmk-certpublishers)|Yes|Yes|Yes|Yes|
-|[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)|Yes|Yes|Yes||
-|[Cryptographic Operators](#bkmk-cryptographicoperators)|Yes|Yes|Yes|Yes|
-|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|Yes|Yes|Yes|Yes|
-|[Device Owners](#bkmk-device-owners)|Yes|Yes|Yes|Yes|
-|[Distributed COM Users](#bkmk-distributedcomusers)|Yes|Yes|Yes|Yes|
-|[DnsUpdateProxy](#bkmk-dnsupdateproxy)|Yes|Yes|Yes|Yes|
-|[DnsAdmins](#bkmk-dnsadmins)|Yes|Yes|Yes|Yes|
-|[Domain Admins](#bkmk-domainadmins)|Yes|Yes|Yes|Yes|
-|[Domain Computers](#bkmk-domaincomputers)|Yes|Yes|Yes|Yes|
-|[Domain Controllers](#bkmk-domaincontrollers)|Yes|Yes|Yes|Yes|
-|[Domain Guests](#bkmk-domainguests)|Yes|Yes|Yes|Yes|
-|[Domain Users](#bkmk-domainusers)|Yes|Yes|Yes|Yes|
-|[Enterprise Admins](#bkmk-entadmins)|Yes|Yes|Yes|Yes|
-|[Enterprise Key Admins](#enterprise-key-admins)|Yes||||
-|[Enterprise Read-only Domain Controllers](#bkmk-entrodc)|Yes|Yes|Yes|Yes|
-|[Event Log Readers](#bkmk-eventlogreaders)|Yes|Yes|Yes|Yes|
-|[Group Policy Creator Owners](#bkmk-gpcreatorsowners)|Yes|Yes|Yes|Yes|
-|[Guests](#bkmk-guests)|Yes|Yes|Yes|Yes|
-|[Hyper-V Administrators](#bkmk-hypervadministrators)|Yes|Yes|Yes||
-|[IIS_IUSRS](#bkmk-iis-iusrs)|Yes|Yes|Yes|Yes|
-|[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)|Yes|Yes|Yes|Yes|
-|[Key Admins](#key-admins)|Yes||||
-|[Network Configuration Operators](#bkmk-networkcfgoperators)|Yes|Yes|Yes|Yes|
-|[Performance Log Users](#bkmk-perflogusers)|Yes|Yes|Yes|Yes|
-|[Performance Monitor Users](#bkmk-perfmonitorusers)|Yes|Yes|Yes|Yes|
-|[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)|Yes|Yes|Yes|Yes|
-|[Print Operators](#bkmk-printoperators)|Yes|Yes|Yes|Yes|
-|[Protected Users](#bkmk-protectedusers)|Yes|Yes|||
-|[RAS and IAS Servers](#bkmk-rasandias)|Yes|Yes|Yes|Yes|
-|[RDS Endpoint Servers](#bkmk-rdsendpointservers)|Yes|Yes|Yes||
-|[RDS Management Servers](#bkmk-rdsmanagementservers)|Yes|Yes|Yes||
-|[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)|Yes|Yes|Yes||
-|[Read-only Domain Controllers](#bkmk-rodc)|Yes|Yes|Yes|Yes|
-|[Remote Desktop Users](#bkmk-remotedesktopusers)|Yes|Yes|Yes|Yes|
-|[Remote Management Users](#bkmk-remotemanagementusers)|Yes|Yes|Yes||
-|[Replicator](#bkmk-replicator)|Yes|Yes|Yes|Yes|
-|[Schema Admins](#bkmk-schemaadmins)|Yes|Yes|Yes|Yes|
-|[Server Operators](#bkmk-serveroperators)|Yes|Yes|Yes|Yes|
-|[Storage Replica Administrators](#storage-replica-administrators)|Yes||||
-|[System Managed Accounts Group](#system-managed-accounts-group)|Yes||||
-|[Terminal Server License Servers](#bkmk-terminalserverlic)|Yes|Yes|Yes|Yes|
-|[Users](#bkmk-users)|Yes|Yes|Yes|Yes|
-|[Windows Authorization Access Group](#bkmk-winauthaccess)|Yes|Yes|Yes|Yes|
-|[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)||Yes|Yes||
-
-### Access Control Assistance Operators
-
-Members of this group can remotely query authorization attributes and permissions for resources on the computer.
-
-The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-579|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Account Operators
-
-The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
-
-Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights.
-
-The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
-
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-548|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-
-
-### Administrators
-
-Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
-
-The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
-
-Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
-
-
-
-This security group includes the following changes since Windows Server 2008:
-
-- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services).
-
-- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-544|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|Administrator, Domain Admins, Enterprise Admins|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege|
-
-### Allowed RODC Password Replication Group
-
-The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
-
-The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-571|
-|Type|Domain local|
-|Default container|CN=Users DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Backup Operators
-
-Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
-
-The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-551|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-
-
-### Certificate Service DCOM Access
-
-Members of this group are allowed to connect to certification authorities in the enterprise.
-
-The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-<domain>-574|
-|Type|Domain Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### Cert Publishers
-
-Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
-
-The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-517|
-|Type|Domain Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Cloneable Domain Controllers
-
-Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
-
-For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-522|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Cryptographic Operators
-
-Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
-
-The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-569|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-
-### Denied RODC Password Replication Group
-
-Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.
-
-The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl).
-
-This security group includes the following changes since Windows Server 2008:
-
-- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-572|
-|Type|Domain local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|[Cert Publishers](#bkmk-certpublishers) [Domain Admins](#bkmk-domainadmins) [Domain Controllers](#bkmk-domaincontrollers) [Enterprise Admins](#bkmk-entadmins) Group Policy Creator Owners [Read-only Domain Controllers](#bkmk-rodc) [Schema Admins](#bkmk-schemaadmins)|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### Device Owners
-This group is not currently used in Windows.
-
-Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group.
-
-The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-583|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Can be moved out but it is not recommended|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege|
-
-### Distributed COM Users
-
-Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-562|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### DnsUpdateProxy
-
-Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
-
-However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
-
-For information, see [DNS Record Ownership and the DnsUpdateProxy Group](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### DnsAdmins
-
-Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
-
-For more information about security and DNS, see [DNSSEC in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593694(v=ws.11)).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Builtin Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Domain Admins
-
-Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
-
-The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
-
-The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-512|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Administrators](#bkmk-admins) [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Administrators](#bkmk-admins) See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-
-
-### Domain Computers
-
-This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.
-
-The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-515|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|All computers joined to the domain, excluding domain controllers|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes (but not required)|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Domain Controllers
-
-The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.
-
-The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-516|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Computer accounts for all domain controllers of the domain|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|No|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Domain Guests
-
-The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
-
-The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-514|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Guest|
-|Default member of|[Guests](#bkmk-guests)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Can be moved out but it is not recommended|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Guests](#bkmk-guests)|
-
-### Domain Users
-
-The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.
-
-By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer).
-
-The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-513|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator
-krbtgt|
-|Default member of|[Users](#bkmk-users)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Users](#bkmk-users)|
-
-### Enterprise Admins
-
-The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.
-
-By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.
-
-The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-519|
-|Type|Universal (if Domain is in Native-Mode) else Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Administrators](#bkmk-admins)
-[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Administrators](#bkmk-admins) See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Enterprise Key Admins
-
-Members of this group can perform administrative actions on key objects within the forest.
-
-The Enterprise Key Admins group was introduced in Windows Server 2016.
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-<domain>-527 |
-| Type | Global |
-| Default container | CN=Users, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | Yes |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-### Enterprise Read-Only Domain Controllers
-
-Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
-
-Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
-
-For more information, see [What Is an RODC?](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)).
-
-The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-498|
-|Type|Universal|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Event Log Readers
-
-Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
-
-The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-573|
-|Type|Domain Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Group Policy Creator Owners
-
-This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
-
-For information about other features you can use with this security group, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
-
-The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-520|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|No|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Guests
-
-Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account.
-
-When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path:
-
-Computer Configuration\\Administrative Templates\\System\\User Profiles
-
-> [!NOTE]
-> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
-
-The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
-
-The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-546|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|[Domain Guests](#bkmk-domainguests)|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-
-### Hyper-V Administrators
-
-Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
-
-> [!NOTE]
-> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
-
-
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-578|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### IIS\_IUSRS
-
-IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS.
-
-For more information, see [Understanding Built-In User and Group Accounts in IIS 7](/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-568|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|IUSR|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Incoming Forest Trust Builders
-
-Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account.
-
-To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-
-For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)).
-
-The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-557|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Key Admins
-
-Members of this group can perform administrative actions on key objects within the domain.
-
-The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-<domain>-526 |
-| Type | Global |
-| Default container | CN=Users, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | Yes |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### Network Configuration Operators
-
-Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features:
-
-- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers.
-
-- Rename the LAN connections or remote access connections that are available to all the users.
-
-- Enable or disable a LAN connection.
-
-- Modify the properties of all of remote access connections of users.
-
-- Delete all the remote access connections of users.
-
-- Rename all the remote access connections of users.
-
-- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands.
-
-- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-556|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Performance Log Users
-
-Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group:
-
-- Can use all the features that are available to the Performance Monitor Users group.
-
-- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
-
- > [!WARNING]
- > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
-
- > [!NOTE]
- > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group.
- > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied.
-
-- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
-
-For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This account cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-559|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight|
-
-
-
-### Performance Monitor Users
-
-Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.
-
-Specifically, members of this security group:
-
-- Can use all the features that are available to the Users group.
-
-- Can view real-time performance data in Performance Monitor.
-
- Can change the Performance Monitor display properties while viewing data.
-
-- Cannot create or modify Data Collector Sets.
-
- > [!WARNING]
- > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
-
-
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
-
-
-
-The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-558|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-
-### Pre–Windows 2000 Compatible Access
-
-Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
-
-> [!WARNING]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-554|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-
-
-### Print Operators
-
-Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
-
-This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
-
-The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj190062(v=ws.11)).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-550|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-### Protected Users
-
-Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.
-
-This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.
-
-This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
-
-Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
-
-- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group.
-
-- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.
-
-- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
-
-- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again.
-
-The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)).
-
-The following table specifies the properties of the Protected Users group.
-
-|Attribute|Value|
-|--- |--- |
-|Well-known SID/RID|S-1-5-21-<domain>-525|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-service admins?|No|
-|Default user rights|None|
-
-### RAS and IAS Servers
-
-Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
-
-The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-553|
-|Type|Builtin Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### RDS Endpoint Servers
-
-Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
-
-For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-576|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### RDS Management Servers
-
-Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-577|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### RDS Remote Access Servers
-
-Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
-
-For more information, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-575|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Read-Only Domain Controllers
-
-This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
-
-Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
-
-- Read-only AD DS database
-
-- Unidirectional replication
-
-- Credential caching
-
-- Administrator role separation
-
-- Read-only Domain Name System (DNS)
-
-For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754719(v=ws.10)).
-
-This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-521|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Remote Desktop Users
-
-The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-555|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-
-
-
-### Remote Management Users
-
-Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
-
-The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
-
-For more information, see [What's New in MI?](/previous-versions/windows/desktop/wmi_v2/what-s-new-in-mi) and [About WMI](/windows/win32/wmisdk/about-wmi).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-580|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Replicator
-
-Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
-
-> [!WARNING]
-> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
-
-However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
-
-- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2)
-- [DFS Namespaces and DFS Replication Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127250(v=ws.11))
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-552|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Schema Admins
-
-Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.
-
-The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema.
-
-The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
-
-For more information, see [What Is the Active Directory Schema?: Active Directory](/previous-versions/windows/it-pro/windows-server-2003/cc784826(v=ws.10)).
-
-The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-518|
-|Type|Universal (if Domain is in Native-Mode) else Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Server Operators
-
-Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
-
-By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
-
-The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-549|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-### Storage Replica Administrators
-
-Members of this group have complete and unrestricted access to all features of Storage Replica.
-
-The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-32-582 |
-| Type | Builtin Local |
-| Default container | CN=BuiltIn, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### System Managed Accounts Group
-
-Members of this group are managed by the system.
-
-The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-32-581 |
-| Type | Builtin Local |
-| Default container | CN=BuiltIn, DC=<domain>, DC= |
-| Default members | Users |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### Terminal Server License Servers
-
-Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-For more information about this security group, see [Terminal Services License Server Security Group Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775331(v=ws.10)).
-
-The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-
-This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-561|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Safe to move out of default container?|Cannot be moved|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Users
-
-Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
-
-Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.
-
-The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group includes the following changes since Windows Server 2008:
-
-- In Windows Server 2008 R2, INTERACTIVE was added to the default members list.
-
-- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-545|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|Authenticated Users [Domain Users](#bkmk-domainusers) INTERACTIVE|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Windows Authorization Access Group
-
-Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-560|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|Enterprise Domain Controllers|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default user rights|None|
-
-### WinRMRemoteWMIUsers\_
-
-In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
-
-The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-- If the file share is hosted on a server that is running a supported version of the operating system:
-
- - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group.
-
- - You must have Read permissions to the file share.
-
-- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012:
-
- - You must be a member of the BUILTIN\\Administrators group.
-
- - You must have Read permissions to the file share.
-
-In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
-
-> [!NOTE]
-> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
-
-
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Domain local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-## See also
-
-- [Security Principals](security-principals.md)
-
-- [Special Identities](special-identities.md)
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
deleted file mode 100644
index b19feb4975..0000000000
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Dynamic Access Control Overview (Windows 10)
-description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-ms.reviewer:
----
-
-# Dynamic Access Control Overview
-
-**Applies to**
-- Windows Server 2016
-
-This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
-
-Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
-
-For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview).
-
-Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
-
-Features and concepts associated with Dynamic Access Control include:
-
-- [Central access rules](#bkmk-rules)
-
-- [Central access policies](#bkmk-policies)
-
-- [Claims](#bkmk-claims)
-
-- [Expressions](#bkmk-expressions2)
-
-- [Proposed permissions](#bkmk-permissions2)
-
-### Central access rules
-
-A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.
-
-If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.
-
-### Central access policies
-
-Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:
-
-- Identify and mark the files that contain the PII.
-
-- Identify the group of HR members who are allowed to view the PII information.
-
-- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization.
-
-Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.
-
-### Claims
-
-A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
-
-- **User claims** Active Directory attributes that are associated with a specific user.
-
-- **Device claims** Active Directory attributes that are associated with a specific computer object.
-
-- **Resource attributes** Global resource properties that are marked for use in authorization decisions and published in Active Directory.
-
-Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
-
-### Expressions
-
-Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
-
-Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.
-
-### Proposed permissions
-
-Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
-
-Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes.
-
-## Additional changes
-
-
-Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:
-
-### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.
-
-By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control.
-
-### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
-
-Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
-
-### Support in Active Directory to store user and device claims, resource properties, and central access policy objects.
-
-### Support for using Group Policy to deploy central access policy objects.
-
-The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**.
-
-### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing
-
-You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.
-
-### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts
-
-You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:
-
-- **Value-based filtering** Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest.
-
-- **Claim type-based filtering** Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest.
-
-- **Claim type-based transformation** Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both.
-
-## Software requirements
-
-
-Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:
-
-- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server.
-
-- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control.
-
-For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:
-
-- **Always provide claims** Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
-
-- **Supported** When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.
-
-If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level.
-
-If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.
-
-If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
-
-A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
-
-## See also
-
-- [Access control overview](access-control.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
deleted file mode 100644
index 7d9575a8f4..0000000000
--- a/windows/security/identity-protection/access-control/microsoft-accounts.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-title: Microsoft Accounts (Windows 10)
-description: Microsoft Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer:
----
-
-# Microsoft Accounts
-
-**Applies to**
-- Windows 10
-
-This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
-
-Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
-
-When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
-
-## How a Microsoft account works
-
-The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
-
-When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
-
-**Important**
-Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
-
-### How Microsoft accounts are created
-
-To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.
-
-Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.
-
-There are two methods for creating a Microsoft account:
-
-- **Use an existing email address**.
-
- Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.
-
-- **Sign up for a Microsoft email address**.
-
- Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts.
-
-### How the Microsoft account information is safeguarded
-
-Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services.
-
-- **Strong password is required**.
-
- Blank passwords are not allowed.
-
- For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9).
-
-- **Secondary proof of identity is required**.
-
- Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings.
-
-- **All user profile data is encrypted on the client before it is transmitted to the cloud**.
-
- User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol.
-
-**Microsoft account security information is added**.
-
-Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date.
-
-## The Microsoft account in the enterprise
-
-
-Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
-
-- **Download Microsoft Store apps**:
-
- If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
-
-- **Single sign-on**:
-
- Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions.
-
-- **Personalized settings synchronization**:
-
- Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device.
-
-- **App synchronization**:
-
- Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
-
-- **Integrated social media services**:
-
- Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
-
-### Managing the Microsoft account in the domain
-
-Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise:
-
-- [Restrict the use of the Microsoft account](#bkmk-restrictuse)
-
-- [Configure connected accounts](#bkmk-cfgconnectedaccounts)
-
-- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts)
-
-- [Audit account activity](#bkmk-audit)
-
-- [Perform password resets](#bkmk-passwordresets)
-
-- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage)
-
-### Restrict the use of the Microsoft account
-
-The following Group Policy settings help control the use of Microsoft accounts in the enterprise:
-
-- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication)
-- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts)
-
-#### Block all consumer Microsoft account user authentication
-
-This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
-
-If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
-This applies both to existing users of a device and new users who may be added.
-
-However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
-It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
-
-If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
-By default, this setting is **Disabled**.
-
-This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
-
-The path to this setting is:
-
-Computer Configuration\Administrative Templates\Windows Components\Microsoft account
-
-#### Accounts: Block Microsoft accounts
-
-This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
-
-There are two options if this setting is enabled:
-
-- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
-- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
-
-This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
-
-By default, this setting is **Not defined**.
-
-The path to this setting is:
-
-Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
-
-### Configure connected accounts
-
-Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices.
-
-Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**.
-
-**Note**
-Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
-
-### Provision Microsoft accounts in the enterprise
-
-Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.
-
-### Audit account activity
-
-Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain.
-
-### Perform password resets
-
-Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com).
-
-### Restrict app installation and usage
-
-Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker).
-
-## See also
-
-- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj884082(v=ws.11))
-
-- [Access Control Overview](access-control.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
deleted file mode 100644
index eebc241c56..0000000000
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ /dev/null
@@ -1,331 +0,0 @@
----
-title: Security identifiers (Windows 10)
-description: Security identifiers
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
----
-
-# Security identifiers
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
-This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
-
-## What are security identifiers?
-
-A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
-
-Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
-
-Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
-
-In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
-
-SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
-
-The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic.
-
-## How security identifiers work
-
-Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused.
-
-The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services.
-
-For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise.
-
-SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals.
-
-## Security identifier architecture
-
-A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-
-
-
-The individual values of a SID are described in the following table.
-
-| Comment | Description |
-| - | - |
-| Revision | Indicates the version of the SID structure that is used in a particular SID. |
-| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). |
-| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. |
-
-The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:
-```
-S-R-X-Y1-Y2-Yn-1-Yn
-```
-
-In this notation, the components of a SID are represented as shown in the following table.
-
-| Comment | Description |
-| - | - |
-| S | Indicates that the string is a SID |
-| R | Indicates the revision level |
-| X | Indicates the identifier authority value |
-| Y | Represents a series of subauthority values, where *n* is the number of values |
-
-The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier.
-
-The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
-
-For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
-
-```
-S-1-5-32-544
-```
-
-This SID has four components:
-
-- A revision level (1)
-
-- An identifier authority value (5, NT Authority)
-
-- A domain identifier (32, Builtin)
-
-- A relative identifier (544, Administrators)
-
-SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one.
-
-Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544.
-
-In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins):
-
-```
-S-1-5-21-1004336348-1177238915-682003330-512
-```
-
-The SID for Contoso\\Domain Admins has:
-
-- A revision level (1)
-
-- An identifier authority (5, NT Authority)
-
-- A domain identifier (21-1004336348-1177238915-682003330, Contoso)
-
-- A relative identifier (512, Domain Admins)
-
-The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.
-
-## Relative identifier allocation
-
-When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again.
-
-In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
-
-The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master.
-
-Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier.
-
-## Security identifiers and globally unique identifiers
-
-When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property.
-
-Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life.
-
-If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes.
-
-When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access.
-
-If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.
-
-However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID.
-
-## Well-known SIDs
-
-The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
-
-There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems.
-
-The following table lists the universal well-known SIDs.
-
-| Value | Universal Well-Known SID | Identifies |
-| - | - | - |
-| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.|
-| S-1-1-0 | World | A group that includes all users. |
-| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. |
-| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. |
-| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
-| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
-| S-1-3-2 | Creator Owner Server | |
-| S-1-3-3 | Creator Group Server | |
-| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
-| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. |
-| S-1-5 | NT Authority | A SID that represents an identifier authority. |
-| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
-
-The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
-
-| Identifier Authority | Value | SID String Prefix |
-| - | - | - |
-| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
-| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
-| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
-| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
-| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
-| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 |
-
-The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
-
-| Relative Identifier Authority | Value | Identifier Authority |
-| - | - | - |
-| SECURITY_NULL_RID | 0 | S-1-0 |
-| SECURITY_WORLD_RID | 0 | S-1-1 |
-| SECURITY_LOCAL_RID | 0 | S-1-2 |
-| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
-| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
-
-The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs.
-
-| SID | Display Name | Description |
-| - | - | - |
-| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.|
-| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.|
-| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. |
-| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
-| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
-| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
-| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.|
-| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
-| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).|
-|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.|
-|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.
When this attribute is applied on the account, the effect is as follows:
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
-| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
-| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
-| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
-| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
This group includes authenticated security principals from any trusted domain, not only the current domain.|
-| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.|
-| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
-| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
-| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
-| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.|
-| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
-| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
-| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
-| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.|
-| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.|
-| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.|
-| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.|
-| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.|
-| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.|
-| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.|
-| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.|
-| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
-| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.|
-| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
-| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
-| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
-| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
-| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
-| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
-| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
-| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
-| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
-| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.|
-| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.|
-| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.|
-|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.|
-|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.|
-|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.|
-|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.|
-|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.|
-|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.|
-|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
-|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
-|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
-|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.|
-|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
-|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
-|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
-|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.|
-|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.|
-|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.|
-|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.|
-|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.|
-|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.|
-| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client|
-| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.|
-| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.|
-| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
-| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
-| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
-
-The following RIDs are relative to each domain.
-
-| RID |Decimal value| Identifies |
-| - | - | - |
-| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. |
-| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.|
-| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.|
-| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.|
-| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.|
-| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.|
-| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.|
-| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.|
-| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.|
-| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.|
-
-The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
-
-| RID | Decimal value | Identifies |
-| - | - | - |
-| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.|
-| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.|
-| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.|
-| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.|
-| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.|
-| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.|
-| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.|
-
-## Changes in security identifier's functionality
-
-The following table describes changes in SID implementation in the Windows operating systems that are designated in the list.
-
-| Change | Operating system version | Description and resources |
-| - | - | - |
-| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
-| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
-
-## Capability SIDs
-
-Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
-
-All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
-
-## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
-
-You may see the following registry keys under AllCachedCapabilities:
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
-
-All Capability SIDs are prefixed by S-1-15-3
-
-## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition
-
-You may see the following registry keys under AllCachedCapabilities:
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
-
-All Capability SIDs are prefixed by S-1-15-3
-
-## See also
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
deleted file mode 100644
index 3120899040..0000000000
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Security Principals (Windows 10)
-description: Security Principals
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-ms.reviewer:
----
-
-# Security Principals
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
-
-## What are security principals?
-
-
-Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID).
-
-The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic.
-
-## How security principals work
-
-
-Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer.
-
-### Authorization and access control components
-
-The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor.
-
-**Authorization and access control process**
-
-
-
-Security principals are closely related to the following components and technologies:
-
-- [Security identifiers](#bkmk-sids)
-
-- [Access tokens](#bkmk-accesstokens)
-
-- [Security descriptors and access control lists](#bkmk-sdandacls)
-
-- [Permissions](#bkmk-permissions)
-
-### Security identifiers
-
-Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
-
-A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group.
-
-Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
-
-In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems.
-
-### Access tokens
-
-An access token is a protected object that contains information about the identity and user rights that are associated with a user account.
-
-When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups.
-
-After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization.
-
-There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread.
-
-### Security descriptors and access control lists
-
-A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs:
-
-- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access
-
-- A system access control list (SACL), which controls how access is audited
-
-You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.
-
-### Permissions
-
-Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control.
-
-Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
-
-On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
-
-For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
-
-### Security context in authentication
-
-A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain.
-
-In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in.
-
-To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal.
-
-This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource.
-
-The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain.
-
-## Accounts and security groups
-
-
-Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources.
-
-Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer.
-
-### User accounts
-
-A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to:
-
-- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
-
-- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource.
-
-- Audit the actions that are carried out on a user account.
-
-Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization.
-
-### Security groups
-
-A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization.
-
-Groups can be Active Directory-based or local to a particular computer:
-
-- Active Directory security groups are used to manage rights and permissions to domain resources.
-
-- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer.
-
-By using security groups to manage access control, you can:
-
-- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier.
-
-- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal.
-
-- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable.
-
-For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
-
-## See also
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
deleted file mode 100644
index cd6db0f4f7..0000000000
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: Service Accounts (Windows 10)
-description: Service Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 11/19/2021
----
-
-# Service Accounts
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.
-
-## Overview
-
-A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.
-
-This topic contains information about the following types of service accounts:
-
-- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts)
-
-- [Group-managed service accounts](#bkmk-groupmanagedserviceaccounts)
-
-- [Virtual accounts](#bkmk-virtualserviceaccounts)
-
-### Standalone managed service accounts
-
-A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.
-
-To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-managed service account. For more information, see [Group-Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).
-
-In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
-
-- You can create a class of domain accounts that can be used to manage and maintain services on local computers.
-
-- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset.
-
-- You do not have to complete complex SPN management tasks to use managed service accounts.
-- You don't have to complete complex SPN management tasks to use managed service accounts.
-- Administrative tasks for managed service accounts can be delegated to non-administrators.
-
-### Software requirements
-
-Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
-
-### Group-managed service accounts
-
-Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.
-
-The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password.
-
-The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account.
-
-### Practical applications
-
-Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system.
-
-By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
-
-Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts.
-
-### Software requirements
-
-Group-managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
-
-A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts.
-
-A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail.
-
-**Note**
-Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560670(v=ws.10)).
-
-Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012.
-
-### Virtual accounts
-
-Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:
-
-- The virtual account is automatically managed.
-
-- The virtual account can access the network in a domain environment.
-
-- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>.
-
-Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$.
-
-For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)).
-
-### Software requirements
-
-Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
-
-## See also
-
-
-The following table provides links to other resources that are related to standalone managed service accounts, group-managed service accounts, and virtual accounts.
-
-| Content type | References |
-|---------------|-------------|
-| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
[Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) |
-| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
-| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) |
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
deleted file mode 100644
index 995d23b020..0000000000
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ /dev/null
@@ -1,448 +0,0 @@
----
-title: Special Identities (Windows 10)
-description: Special Identities
-ms.prod: m365-security
-ms.technology: windows-sec
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 12/21/2021
-ms.reviewer:
----
-
-# Special Identities
-
-**Applies to**
-
-- Windows Server 2016 or later
-
-This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
-
-Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
-
-- Assign user rights to security groups in Active Directory.
-- Assign permissions to security groups for the purpose of accessing resources.
-
-Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
-
-Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource.
-
-For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-The special identity groups are described in the following tables:
-
-- [Anonymous Logon](#anonymous-logon)
-- [Attested Key Property](#attested-key-property)
-- [Authenticated Users](#authenticated-users)
-- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity)
-- [Batch](#batch)
-- [Console Logon](#console-logon)
-- [Creator Group](#creator-group)
-- [Creator Owner](#creator-owner)
-- [Dialup](#dialup)
-- [Digest Authentication](#digest-authentication)
-- [Enterprise Domain Controllers](#enterprise-domain-controllers)
-- [Everyone](#everyone)
-- [Fresh Public Key Identity](#fresh-public-key-identity)
-- [Interactive](#interactive)
-- [IUSR](#iusr)
-- [Key Trust](#key-trust)
-- [Local Service](#local-service)
-- [LocalSystem](#localsystem)
-- [MFA Key Property](#mfa-key-property)
-- [Network](#network)
-- [Network Service](#network-service)
-- [NTLM Authentication](#ntlm-authentication)
-- [Other Organization](#other-organization)
-- [Owner Rights](#owner-rights)
-- [Principal Self](#principal-self)
-- [Proxy](#proxy)
-- [Remote Interactive Logon](#remote-interactive-logon)
-- [Restricted](#restricted)
-- [SChannel Authentication](#schannel-authentication)
-- [Service](#service)
-- [Service Asserted Identity](#service-asserted-identity)
-- [Terminal Server User](#terminal-server-user)
-- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
-
-## Anonymous Logon
-
-Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-7 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-## Authentication Authority Asserted Identity
-
-A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-18-1 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-## Everyone
-
-All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
-
-On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
-
-Membership is controlled by the operating system.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-1-0 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-## LocalSystem
-
-This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-18 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-## NTLM Authentication
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-64-10 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
|
-
-## Service Asserted Identity
-
-A SID that means the client's identity is asserted by a service.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-18-2 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
|
-
-## See also
-
-- [Active Directory Security Groups](active-directory-security-groups.md)
-
-- [Security Principals](security-principals.md)
-
-- [Access Control Overview](access-control.md)
From b209dcefe4f639da68fd0d944c237c747b0b6d3e Mon Sep 17 00:00:00 2001
From: Liz Long <104389055+lizgt2000@users.noreply.github.com>
Date: Thu, 4 Aug 2022 18:00:31 -0400
Subject: [PATCH 2/2] 4246040 change redirect to false
---
.openpublishing.redirection.json | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 3acf52720e..c702618554 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19593,42 +19593,42 @@
{
"source_path": "windows/security/identity-protection/access-control/security-identifiers.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/security-principals.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-principals",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/active-directory-accounts.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-default-user-accounts",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/microsoft-accounts.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-microsoft-accounts",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/service-accounts.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-service-accounts",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/active-directory-security-groups.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-groups",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/special-identities.md",
"redirect_url": "/windows-server/identity/ad-ds/manage/understand-special-identities-groups",
- "redirect_document_id": true
+ "redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md",
"redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
}
]
}