Accounts, Profiles & Permissions

Real-world analogy

What is it?

This module is how identity, membership, and permission combine in Windows and corporate environments. It’s the entry point to Active Directory (lesson 14+) and the single most tested topic in support/sysadmin interviews.

Real-world relevance

A new marketing hire can’t open the team’s shared drive. A junior adds them individually to the folder. A sysadmin adds them to the ‘Marketing-RW’ security group, which already has the correct share+NTFS permissions. Same ticket, different career trajectory.

Key points

• Local user vs domain user — Local users exist on ONE machine. Domain users are managed centrally by Active Directory — the same identity works across every joined machine. Enterprises standardize on domain/Entra users to keep control.
• Standard user vs administrator — Standard users run apps and do daily work. Admins change the system. A classic corporate mistake is giving everyone local admin to ‘avoid tickets.’ That converts small malware incidents into full compromises.
• Profiles — what they really are — A profile is a folder tree plus registry hive holding the user’s desktop, documents, Outlook data, app settings. Profiles can become corrupted → weird symptoms even though login ‘works.’ A test account is the fastest differentiator.
• UAC — User Account Control — The dialog that asks ‘Do you want to allow this app to make changes?’ It’s a consent layer, not annoying noise. Disabling UAC across the fleet to silence tickets is a real-world security mistake you must refuse politely.
• Groups — the real unit of permission — Don’t assign permissions to individual users. Put users into groups (Sales, Finance, IT-Support) and grant permissions to groups. When someone joins or leaves, you change group membership, not a hundred files.
• NTFS vs share permissions — NTFS applies on the file system itself; share applies when accessed over the network. Effective access is the intersection — most restrictive wins. Don’t set loose share permissions assuming NTFS will protect you; follow least privilege on both.
• Locked/disabled/expired accounts — Locked = too many bad passwords → unlock. Disabled = administratively turned off → enable if valid. Expired password → user resets. These are daily helpdesk tickets; don’t confuse the three.
• Never share credentials. Ever. — If a senior asks for your password, say no politely and offer to perform the task with them or raise an access request. This single rule has saved many careers during audits and incidents.

Code example

// Safe permission troubleshooting — the 4 layers

1. Identity layer
   - Is the user the correct account? (not a personal or test account)
   - whoami  /  whoami /groups

2. Membership layer
   - Which groups is the user in?
   - Is the group the one actually granted access?

3. Share layer
   - \\server\share  -> Share permissions tab

4. File system layer
   - NTFS -> right-click -> Properties -> Security -> Effective Access

Effective access = intersection of share AND NTFS for the identity.
Most restrictive wins.

Line-by-line walkthrough

1. 1. Four layers of permission troubleshooting
2. 2. Identity layer header
3. 3. Check the actual account being used
4. 4. Blank separator
5. 5. Membership layer header
6. 6. Inspect group membership
7. 7. Blank separator
8. 8. Share layer header
9. 9. Share permissions path
10. 10. Blank separator
11. 11. File system layer header
12. 12. NTFS effective access path
13. 13. Blank separator
14. 14. Rule: intersection of share and NTFS wins

Spot the bug

Issue: User says 'I can’t access the HR folder.'
Junior adds the user directly to the folder’s ACL with Full Control.
Two weeks later, an audit flags the folder for over-permissioning.

Explain like I'm 5

Fun fact

Hands-on challenge

More resources

• Windows user accounts (Microsoft Learn)
• NTFS permissions (Microsoft Learn)
• UAC explained (Professor Messer)