User management in Windows
The following table explains how Advanced Server Access manages users on Windows servers.
| Area | Notes |
|---|---|
| Usernames | Usernames can contain lowercase letters (a-z), numbers (0-9), dashes (-), and underscores (_), can't be a reserved name, and have a maximum length of 20 characters. In the event a username collision occurs, an attempt is made to differentiate between users by appending a number to the server username. |
| Server account permissions | Server account permissions are managed at the group level. When a user belongs to multiple groups on a project, the user has a combination of all the permissions granted to the groups. See Team roles.
If a user has admin permissions on a project, they'll be added to the local Administrators group on each Windows server that's enrolled in the project. |
| User creation | Users with access permission are added to the Remote Desktop Users group if they don't already belong to it. User accounts are created and configured with standard native calls such as NetUserAdd and NetUserSetInfo, and have the following UserAccountControl attribute flags set: UF_SCRIPT, UF_PASSWD_CANT_CHANGE, UF_NORMAL_ACCOUNT, and UF_DONT_EXPIRE_PASSWD. |
| User updates | Standard local user management system calls are used. For example, NetLocalGroupDelMembers and NetLocalGroupAddMembers. |
| User deletion |
Users are deleted with NetUserDel. When a user is removed from an Advanced Server Access project or an on-demand user account expires, the associated user profile and home directory are removed from servers enrolled in the project. This also removes any data stored within the home directory. |
| Read system state | Standard native calls are made to read the state of local user accounts on the system such as NetUserEnum, NetLocalGroupGetMembers, LookupAccountSidW, WTSEnumerateSessions, and WTSQuerySessionInformation. |