Accounts enable individual users to log on to the network and access network resources.
The permissions and privileges you assign to accounts determine the actions users can perform.

You control access to network resources with the components of the Microsoft Windows NT security model. These components include:

• Interactive logon processes
• Local security authority
• Security account manager
• Security resource monitor

User accounts are designed for individuals. Group accounts are designed to ease administration for multiple users. While you can log on to user accounts, you cannot log on to a group account(zxxu:加入一个组代表拥有这个组所拥有的权限).

Although Windows NT displays user names to describe privileges and permissions, the key identifiers for accounts are SIDs (security identifiers). SIDs are unique identifiers that are generated when accounts are created.

When you change a user name, you tell Windows NT to map a particular SID to a new name. When you delete an account, you tell Windows NT that a particular SID is no longer valid. Afterward, even if you create an account with the same user name, the new account will not have the same privileges and permissions as the previous one. That's because the new account will have a new SID.

Windows NT also uses unique security identifiers to track group accounts. This means that you cannot delete a group account, re-create it, and expect all the permissions and privileges to remain the same. The new group will have a new security identifier.

User and group accounts can have different scopes—global or local. That is, the accounts have different areas in which they are valid.

When you create accounts with the User Manager tool on a Windows NT workstation, the accounts are valid only on that single workstation. This means that the accounts have a local scope.When you create accounts with User Manager for Domains, the accounts are by default usable throughout the currently selected domain. This means that the accounts have a global scope. NT allows you to create both local and global group accounts with User Manager for Domains.

总结:

Account Type: User,Group.

Account Scope:Local,Global

Local User Account: for workgroups or computers not part of a Windows NT domain

Local Group Account: for workgroups or computers not part of a Windows NT domain.

Global User Account: for use throughout the currently selected domain.

Global Group Account: for use throughout the currently selected domain.