User management in Windows

The following sections explain how Advanced Server Access manages users on Windows servers.

Usernames

Usernames can contain lowercase letters (a-z), numbers (0-9), dashes (-), and underscores (_). A username can't be a reserved name and can't be longer than 20 characters. If a username collision occurs, an attempt is made to differentiate between users by appending a number to the server username.

Server account permissions

Server account permissions are managed at the group level. When a user belongs to multiple groups on a project, the user has a combination of all the permissions granted to the groups. See Team roles.

If a user has admin permissions on a project, they'll be added to the local Administrators group on each Windows server that's enrolled in the project.

Create users

Users with access permission are added to the Remote Desktop Users group if they don't already belong to it. User accounts are created and configured with standard native calls such as NetUserAdd and NetUserSetInfo, and have the following UserAccountControl attribute flags set: UF_SCRIPT, UF_PASSWD_CANT_CHANGE, UF_NORMAL_ACCOUNT, and UF_DONT_EXPIRE_PASSWD.

Update users

Standard local user management system calls are used, for example NetLocalGroupDelMembers and NetLocalGroupAddMembers.

Delete users

Users are deleted with NetUserDel.

Read system state

Standard native calls, such as NetUserEnum, NetLocalGroupGetMembers, LookupAccountSidW, WTSEnumerateSessions, and WTSQuerySessionInformation, are made to read the state of local user accounts on the system.
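The following is an added example, not Advanced Server Access code: a drift check that compares a snapshot of local accounts against the username rule, flag set, and group memberships described on this page. The numeric flag values come from the Windows SDK header lmaccess.h, and the snapshot data, function names, and the rule that only project admins belong in Administrators are assumptions made for illustration.

```python
import re

# Flag values from the Windows SDK header lmaccess.h (not listed on this page).
UF = {
    "UF_SCRIPT": 0x0001, "UF_ACCOUNTDISABLE": 0x0002,
    "UF_PASSWD_NOTREQD": 0x0020, "UF_PASSWD_CANT_CHANGE": 0x0040,
    "UF_NORMAL_ACCOUNT": 0x0200, "UF_DONT_EXPIRE_PASSWD": 0x10000,
}
# The four flags this page says are set on accounts it creates.
EXPECTED = ("UF_SCRIPT", "UF_PASSWD_CANT_CHANGE", "UF_NORMAL_ACCOUNT", "UF_DONT_EXPIRE_PASSWD")
EXPECTED_MASK = sum(UF[name] for name in EXPECTED)  # 0x10241

# Charset and 20-character limit from the Usernames section; reserved names are not listed here.
USERNAME_RE = re.compile(r"[a-z0-9_-]{1,20}")

def decode_flags(value):
    """Return known flag names set in value, plus any unnamed bits as hex."""
    names = [n for n, bit in UF.items() if value & bit]
    rest = value & ~sum(UF.values())
    return names + ([hex(rest)] if rest else [])

def audit_account(name, flags, groups, project_admin):
    """Return findings where an account deviates from the documented state."""
    findings = []
    if not USERNAME_RE.fullmatch(name):
        findings.append("username breaks charset/length rule")
    missing = [n for n in EXPECTED if not flags & UF[n]]
    if missing:
        findings.append("missing flags: " + ", ".join(missing))
    extra = flags & ~EXPECTED_MASK
    if extra:
        findings.append("unexpected flags: " + ", ".join(decode_flags(extra)))
    if "Remote Desktop Users" not in groups:
        findings.append("not in Remote Desktop Users")
    if project_admin != ("Administrators" in groups):
        # Assumption: only project admins should hold local admin rights.
        findings.append("Administrators membership does not match project role")
    return findings

# Constructed sample snapshot: (name, flags, local groups, has project admin role)
SNAPSHOT = [
    ("jane_doe", 0x10241, {"Remote Desktop Users"}, False),
    ("ops-admin", 0x10241, {"Remote Desktop Users", "Administrators"}, True),
    ("svc_build", 0x10261, {"Remote Desktop Users", "Administrators"}, False),
    ("Bob.Smith", 0x0201, set(), False),
]

def audit_snapshot(snapshot=SNAPSHOT):
    return {acct[0]: audit_account(*acct) for acct in snapshot}
```

Calling audit_snapshot() returns a dictionary of findings per account. On a real server the snapshot would be filled from the account flags and group memberships read with the calls listed above.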