Understanding Windows Process Authentication

Novell Cool Solutions: Feature

Posted: 25 May 2005

The Windows Task Manager dialog is shown below.

Each 32-bit program running in Windows is identified by a separate process in Task Manager, and each process is associated with a "User Name" in Task Manager. Every process running under the same "User Name" is granted the same rights to local and network resources. The rights available to one "User Name" are entirely independent of the rights granted to another "User Name".

Normally, processes run under two main "User Name" scopes: "SYSTEM" and "User". "User" is simply the name used to log on to Windows. "SYSTEM" can be viewed as an OS layer; in general, "SYSTEM" has far more authority than even "Administrator".

"User" processes will have limited rights to the local PC as defined by various group memberships and direct right assignments. "User" processes will also have access to the network resources a user authenticates to during the logon process.

"SYSTEM" processes will generally have unlimited access to the local computer, but will have absolutely no access to any network resource. This includes no access to ANY network resource the user has authenticated to during the logon process. In a ZENworks environment, any rights assigned to a ZENworks Workstation Object will be granted to the local "SYSTEM" account. These include network file systems as well as eDirectory permissions. These permissions will NOT be available to any process running as a "User" process.

Any new process inherits the rights of the process from which it was launched. Most processes launched interactively by the user inherit the "User Name" value of the logged-on user and receive that user's rights. Most processes launched by a "SYSTEM" process inherit "SYSTEM" as the user name and the rights assigned to "SYSTEM". Only a single instance of "EXPLORER.EXE" can be running. Normally, if a "SYSTEM" process attempts to start a new "EXPLORER.EXE", the command will be executed by the existing instance running with user authority.
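The two points above (processes grouped by the account they run as, and children inheriting that account from their parent) can be checked on a live machine with WMI's Win32_Process class, which is what Task Manager's "User Name" column reflects. The following PowerShell script is an added example and is not part of the original article or of any Novell product; it assumes an elevated prompt, since an unprivileged session is denied the owner of processes belonging to other accounts, and the column names in the output table are this example's own choice.

```powershell
# Added example (not from the original article): list every process with the
# account it runs as, flag whether it inherited that account from its parent,
# and summarise how many processes live in each "User Name" scope.
# Run from an elevated PowerShell prompt so GetOwner succeeds for SYSTEM processes.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# GetOwner returns Domain/User and a ReturnValue (0 = success, 2 = access denied).
function Get-ProcessAccount {
    param($Process)
    if (-not $Process) { return '<none>' }
    $o = Invoke-CimMethod -InputObject $Process -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($o -and $o.ReturnValue -eq 0) { return "$($o.Domain)\$($o.User)" }
    return '<unknown>'
}

$rows = foreach ($p in $procs) {
    $account       = Get-ProcessAccount -Process $p
    $parentAccount = Get-ProcessAccount -Process $byPid[[int]$p.ParentProcessId]
    [pscustomobject]@{
        Pid            = $p.ProcessId
        Name           = $p.Name
        Account        = $account
        ParentPid      = $p.ParentProcessId
        ParentAccount  = $parentAccount
        # $false marks the exceptions the article describes: a process whose
        # account differs from its parent's (e.g. a user logon started by a
        # SYSTEM service, or a parent that has already exited).
        InheritedScope = ($account -eq $parentAccount)
    }
}

$rows | Sort-Object Account, Pid | Format-Table -AutoSize
"`nProcess count per account scope:"
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

On a typical workstation the summary shows two large groups, "NT AUTHORITY\SYSTEM" and the interactive user, plus smaller groups for the LOCAL SERVICE and NETWORK SERVICE accounts; rows with InheritedScope set to $false are the ones worth reading, because they are exactly the places where a process crossed from one rights scope into another.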

Each "User Name" scope can only authenticate to a resource a single time. It can be authenticated to the local computer once and to each network resource a single time. This single authentication will generally prohibit a user from authenticating a second time to an individual server in a Windows Domain or NDS Tree if the user is already authenticated to the Domain or Tree. Generally such attempts will result in an authentication failure, though some processes may force a logout and re-authenticate the user.

Under Windows NT/2000, any drive mapping created was available to each and every "User Name" scope on the system, so long as the "User Name" had rights to access the resources to which the drive was mapped. If a drive mapping was changed by any process in any "User Name" scope, the drive mapping was changed for all processes regardless of the "User Name" under which the process was running. Starting with Windows XP, each "User Name" scope maintains a completely independent set of drive mappings. Mappings made under one "User Name" scope will not be available to any other "User Name" scope regardless of permissions. Additionally, any changes to drive mappings made inside one "User Name" scope will not affect any drive mappings in any other "User Name" scope.
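To see the per-scope behaviour described above on a Windows XP or later machine, compare the mappings visible in the interactive user's session with those visible to a process running as SYSTEM, which is the situation a management agent such as a ZENworks workstation service is in. The following PowerShell script is an added example, not code from the original article or from Novell; it runs "net use" from a one-shot scheduled task executing as SYSTEM, and the task name and output path are arbitrary values chosen for this example. It needs an elevated prompt to register the task.

```powershell
# Added example (not from the original article): show that drive mappings made
# in the user's logon session are not visible to a SYSTEM process, and vice versa.
# The task name and output file are this example's own choices.
$outFile  = Join-Path $env:ProgramData 'sysmap-check.txt'
$taskName = 'Example-SystemNetUse'

"--- Network drive mappings in this user session ($env:USERDOMAIN\$env:USERNAME) ---"
Get-CimInstance -ClassName Win32_MappedLogicalDisk |
    Select-Object DeviceID, ProviderName | Format-Table -AutoSize

# Register and start a one-shot task that runs "net use" as SYSTEM and writes
# its output to a file we can read back from the user session.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c net use > `"$outFile`" 2>&1"
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
Start-ScheduledTask -TaskName $taskName

# Wait until the output file exists and the task is no longer running (30 s cap).
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Milliseconds 500
    $state = (Get-ScheduledTask -TaskName $taskName).State
} until (((Test-Path $outFile) -and $state -ne 'Running') -or ((Get-Date) -gt $deadline))

Unregister-ScheduledTask -TaskName $taskName -Confirm:$false

"--- Network drive mappings as seen by a SYSTEM process ---"
if (Test-Path $outFile) {
    Get-Content $outFile
    Remove-Item $outFile -ErrorAction SilentlyContinue
} else {
    "Task did not produce output within the timeout."
}
```

Expect the first table to list the drives mapped during logon and the SYSTEM run to report that there are no entries in the list, even though SYSTEM has more local authority than the user. On Windows Vista and later the same isolation also separates an elevated (UAC) prompt from the user's non-elevated session, which is why a drive mapped in one is often missing from the other.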

© Copyright Micro Focus or one of its affiliates