User accounts include accounts that human users or programs such as Windows Services use to log on to the local computer.
Group accounts cannot be used to log on to a computer, but they are useful in ACEs to allow or deny a set of access rights to one or more user accounts.
A logon SID that identifies the current logon session is useful to allow or deny access rights only until the user logs off.
The access control functions use the TRUSTEE structure to identify a trustee. The TRUSTEE structure enables you to use a name string or a SID to identify a trustee. If you use a name, the functions that create an ACE from the TRUSTEE structure perform the task of allocating the SID buffers and looking up the SID that corresponds to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName, that initialize a TRUSTEE structure with a specified SID or name. BuildTrusteeWithObjectsAndSid and BuildTrusteeWithObjectsAndName allow you to initialize a TRUSTEE structure with object-specific ACE information. Three other helper functions, GetTrusteeForm, GetTrusteeName, and GetTrusteeType, retrieve the values of the various members of a TRUSTEE structure.
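The following C code is an added example, not code from the original page. It builds one TRUSTEE from a SID and one from a name, passes each to SetEntriesInAcl, and reads the resulting ACE back to show that the name-to-SID lookup happens when the ACE is created. The function names `acl_roundtrip`, `demo_sid_trustee` and `demo_name_trustee` are hypothetical, and the example assumes the current user's unqualified account name resolves on the local machine.

```c
/* Added example. Windows only (link with advapi32); guarded so other platforms compile it to nothing. */
#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>

/* Build a one-ACE ACL for trustee t, then report the form of the trustee stored in it. */
static DWORD acl_roundtrip(TRUSTEE_W *t, TRUSTEE_FORM *stored)
{
    EXPLICIT_ACCESS_W ea = {0}, *back = NULL;
    PACL acl = NULL;
    ULONG n = 0;
    DWORD rc;
    ea.grfAccessPermissions = GENERIC_READ;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee = *t;
    rc = SetEntriesInAclW(1, &ea, NULL, &acl);  /* a name-form trustee is resolved to a SID here */
    if (rc != ERROR_SUCCESS) return rc;
    rc = GetExplicitEntriesFromAclW(acl, &n, &back);
    if (rc == ERROR_SUCCESS) *stored = (n == 1) ? GetTrusteeFormW(&back[0].Trustee) : TRUSTEE_BAD_FORM;
    if (back) LocalFree(back);
    LocalFree(acl);
    return rc;
}

/* SID form: the well-known BUILTIN\Users SID, which does not depend on a localized group name. */
DWORD demo_sid_trustee(TRUSTEE_FORM *built, TRUSTEE_FORM *stored)
{
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD cb = sizeof sid;
    TRUSTEE_W t;
    if (!CreateWellKnownSid(WinBuiltinUsersSid, NULL, sid, &cb)) return GetLastError();
    BuildTrusteeWithSidW(&t, sid);              /* stores the pointer only; sid must outlive t */
    *built = GetTrusteeFormW(&t);
    return acl_roundtrip(&t, stored);
}

/* Name form: the current user's account name (assumption: it resolves without a domain prefix). */
DWORD demo_name_trustee(TRUSTEE_FORM *built, TRUSTEE_FORM *stored)
{
    WCHAR name[257];                            /* UNLEN + 1 */
    DWORD cch = 257;
    TRUSTEE_W t;
    if (!GetUserNameW(name, &cch)) return GetLastError();
    BuildTrusteeWithNameW(&t, name);            /* no lookup yet; stores the pointer only */
    *built = GetTrusteeFormW(&t);
    return acl_roundtrip(&t, stored);
}
#endif
```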