Merge pull request #6836 from vinaypamnani-msft/vp-sec-10717

Add missing links
Stephanie Savell
2022-07-25 12:22:47 -05:00
committed by GitHub


@ -16,14 +16,14 @@ ms.reviewer:
# Special Identities # Special Identities
**Applies to** **Applies to**
- Windows Server 2016 or later - Windows Server 2016 or later
This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can: Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
- Assign user rights to security groups in Active Directory. - Assign user rights to security groups in Active Directory.
- Assign permissions to security groups for the purpose of accessing resources. - Assign permissions to security groups for the purpose of accessing resources.
Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
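Review bot: every line in this hunk renders identically on both sides, so whatever changed in the front-matter region (header `-16,14 +16,14`, starting at `ms.reviewer:`) is not visible here; if it is a whitespace-only or line-ending change, say so in the PR description so reviewers don't have to diff it by hand.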
@ -35,56 +35,42 @@ For information about security groups and group scope, see [Active Directory Sec
The special identity groups are described in the following tables: The special identity groups are described in the following tables:
- [Anonymous Logon](#anonymous-logon) - [Anonymous Logon](#anonymous-logon)
- [Attested Key Property](#attested-key-property)
- [Authenticated Users](#authenticated-users) - [Authenticated Users](#authenticated-users)
- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity)
- [Batch](#batch) - [Batch](#batch)
- [Console Logon](#console-logon)
- [Creator Group](#creator-group) - [Creator Group](#creator-group)
- [Creator Owner](#creator-owner) - [Creator Owner](#creator-owner)
- [Dialup](#dialup) - [Dialup](#dialup)
- [Digest Authentication](#digest-authentication) - [Digest Authentication](#digest-authentication)
- [Enterprise Domain Controllers](#enterprise-domain-controllers) - [Enterprise Domain Controllers](#enterprise-domain-controllers)
- [Everyone](#everyone) - [Everyone](#everyone)
- [Fresh Public Key Identity](#fresh-public-key-identity)
- [Interactive](#interactive) - [Interactive](#interactive)
- [IUSR](#iusr)
- [Key Trust](#key-trust)
- [Local Service](#local-service) - [Local Service](#local-service)
- [LocalSystem](#localsystem) - [LocalSystem](#localsystem)
- [MFA Key Property](#mfa-key-property)
- [Network](#network) - [Network](#network)
- [Network Service](#network-service) - [Network Service](#network-service)
- [NTLM Authentication](#ntlm-authentication) - [NTLM Authentication](#ntlm-authentication)
- [Other Organization](#other-organization) - [Other Organization](#other-organization)
- [Owner Rights](#owner-rights)
- [Principal Self](#principal-self) - [Principal Self](#principal-self)
- [Proxy](#proxy)
- [Remote Interactive Logon](#remote-interactive-logon) - [Remote Interactive Logon](#remote-interactive-logon)
- [Restricted](#restricted) - [Restricted](#restricted)
- [SChannel Authentication](#schannel-authentication) - [SChannel Authentication](#schannel-authentication)
- [Service](#service) - [Service](#service)
- [Service Asserted Identity](#service-asserted-identity)
- [Terminal Server User](#terminal-server-user) - [Terminal Server User](#terminal-server-user)
- [This Organization](#this-organization) - [This Organization](#this-organization)
- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group) - [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
## Anonymous Logon ## Anonymous Logon
Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
| Attribute | Value | | Attribute | Value |
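Review bot: the commit message says "Add missing links", but the header `-35,56 +35,42` shows this hunk shrinking by 14 lines while the right side adds ten list items, so roughly two dozen removed lines are not visible in this rendering (the later hunks each go 7→6, or 10→8/9, which looks like a blank line dropped before each attribute table). Either mention the whitespace cleanup in the PR description or split it into its own commit so the link fix stays reviewable on its own. The ten new entries (Attested Key Property, Authentication Authority Asserted Identity, Console Logon, Fresh Public Key Identity, IUSR, Key Trust, MFA Key Property, Owner Rights, Proxy, Service Asserted Identity) each have a matching `##` heading in the hunks below and are in the correct alphabetical slot, and the anchors follow the existing slug convention (for example `#window-managerwindow-manager-group` drops the backslash), so the links themselves look right.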
@ -96,7 +82,6 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo
## Attested Key Property ## Attested Key Property
A SID that means the key trust object had the attestation property. A SID that means the key trust object had the attestation property.
| Attribute | Value | | Attribute | Value |
@ -108,7 +93,6 @@ A SID that means the key trust object had the attestation property.
## Authenticated Users ## Authenticated Users
Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
@ -120,7 +104,6 @@ Any user who accesses the system through a sign-in process has the Authenticated
## Authentication Authority Asserted Identity ## Authentication Authority Asserted Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
| Attribute | Value | | Attribute | Value |
@ -132,7 +115,6 @@ A SID that means the client's identity is asserted by an authentication authorit
## Batch ## Batch
Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
@ -144,7 +126,6 @@ Any user or process that accesses the system as a batch job (or through the batc
## Console Logon ## Console Logon
A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console.
| Attribute | Value | | Attribute | Value |
@ -156,7 +137,6 @@ A group that includes users who are logged on to the physical console. This SID
## Creator Group ## Creator Group
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the objects current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the objects current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
@ -170,7 +150,6 @@ A placeholder security identifier (SID) is created in an inheritable access cont
## Creator Owner ## Creator Owner
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the objects current owner. The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the objects current owner.
| Attribute | Value | | Attribute | Value |
@ -182,7 +161,6 @@ The person who created the file or the directory is a member of this special ide
## Dialup ## Dialup
Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
| Attribute | Value | | Attribute | Value |
@ -194,7 +172,6 @@ Any user who accesses the system through a dial-up connection has the Dial-Up id
## Digest Authentication ## Digest Authentication
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | S-1-5-64-21 | | Well-Known SID/RID | S-1-5-64-21 |
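Review bot: Digest Authentication has no description paragraph between the heading and the attribute table, unlike the surrounding sections, and the same gap appears below for NTLM Authentication, SChannel Authentication and This Organization; since this PR already touches every section, a one-sentence description for each (the S-1-5-64-x entries are authentication-package SIDs, per their headings) would make the table consistent with the other entries.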
@ -204,7 +181,6 @@ Any user who accesses the system through a dial-up connection has the Dial-Up id
## Enterprise Domain Controllers ## Enterprise Domain Controllers
This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
@ -216,10 +192,9 @@ This group includes all domain controllers in an Active Directory forest. Domain
## Everyone ## Everyone
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1). On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system. Membership is controlled by the operating system.
@ -232,7 +207,6 @@ Membership is controlled by the operating system.
## Fresh Public Key Identity ## Fresh Public Key Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials.
| Attribute | Value | | Attribute | Value |
@ -244,7 +218,6 @@ A SID that means the client's identity is asserted by an authentication authorit
## Interactive ## Interactive
Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
@ -256,7 +229,6 @@ Any user who is logged on to the local system has the Interactive identity. This
## IUSR ## IUSR
Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled.
| Attribute | Value | | Attribute | Value |
@ -268,7 +240,6 @@ Internet Information Services (IIS) uses this account by default whenever anonym
## Key Trust ## Key Trust
A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object.
| Attribute | Value | | Attribute | Value |
@ -280,7 +251,6 @@ A SID that means the client's identity is based on proof of possession of public
## Local Service ## Local Service
The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password.
| Attribute | Value | | Attribute | Value |
@ -292,10 +262,8 @@ The Local Service account is similar to an Authenticated User account. The Local
## LocalSystem ## LocalSystem
This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | S-1-5-18 | | Well-Known SID/RID | S-1-5-18 |
@ -305,7 +273,6 @@ This is a service account that is used by the operating system. The LocalSystem
## MFA Key Property ## MFA Key Property
A SID that means the key trust object had the multifactor authentication (MFA) property. A SID that means the key trust object had the multifactor authentication (MFA) property.
| Attribute | Value | | Attribute | Value |
@ -328,7 +295,6 @@ This group implicitly includes all users who are logged on through a network con
## Network Service ## Network Service
The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password.
| Attribute | Value | | Attribute | Value |
@ -340,7 +306,6 @@ The Network Service account is similar to an Authenticated User account. The Net
## NTLM Authentication ## NTLM Authentication
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | S-1-5-64-10 | | Well-Known SID/RID | S-1-5-64-10 |
@ -350,7 +315,6 @@ The Network Service account is similar to an Authenticated User account. The Net
## Other Organization ## Other Organization
This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
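Review bot: the Other Organization description ("This group implicitly includes all users who are logged on to the system through a dial-up connection.") repeats the Dialup section's text almost word for word and does not match the heading; it reads like a copy-paste error that survived from the original page and should be replaced with a description of what Other Organization actually represents before the link to it is advertised in the table of contents.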
@ -362,7 +326,6 @@ This group implicitly includes all users who are logged on to the system through
## Owner Rights ## Owner Rights
A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
| Attribute | Value | | Attribute | Value |
@ -374,7 +337,6 @@ A group that represents the current owner of the object. When an ACE that carrie
## Principal Self ## Principal Self
This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
| Attribute | Value | | Attribute | Value |
@ -386,7 +348,6 @@ This identity is a placeholder in an ACE on a user, group, or computer object in
## Proxy ## Proxy
Identifies a SECURITY_NT_AUTHORITY Proxy. Identifies a SECURITY_NT_AUTHORITY Proxy.
| Attribute | Value | | Attribute | Value |
@ -398,7 +359,6 @@ Identifies a SECURITY_NT_AUTHORITY Proxy.
## Remote Interactive Logon ## Remote Interactive Logon
This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
| Attribute | Value | | Attribute | Value |
@ -410,7 +370,6 @@ This identity represents all users who are currently logged on to a computer by
## Restricted ## Restricted
Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the users access token. Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the users access token.
| Attribute | Value | | Attribute | Value |
@ -422,7 +381,6 @@ Users and computers with restricted capabilities have the Restricted identity. T
## SChannel Authentication ## SChannel Authentication
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | S-1-5-64-14 | | Well-Known SID/RID | S-1-5-64-14 |
@ -432,10 +390,8 @@ Users and computers with restricted capabilities have the Restricted identity. T
## Service ## Service
Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | S-1-5-6 | | Well-Known SID/RID | S-1-5-6 |
@ -445,7 +401,6 @@ Any service that accesses the system has the Service identity. This identity gro
## Service Asserted Identity ## Service Asserted Identity
A SID that means the client's identity is asserted by a service. A SID that means the client's identity is asserted by a service.
| Attribute | Value | | Attribute | Value |
@ -457,7 +412,6 @@ A SID that means the client's identity is asserted by a service.
## Terminal Server User ## Terminal Server User
Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
| Attribute | Value | | Attribute | Value |
@ -469,7 +423,6 @@ Any user accessing the system through Terminal Services has the Terminal Server
## This Organization ## This Organization
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | S-1-5-15 | | Well-Known SID/RID | S-1-5-15 |