Overview#Security Account Manager (SAM) is a database that stores local user accounts and groups for Microsoft Windows Operating Systems
Security Account Manager is present in every Windows Client and Windows Server Operating System; however, when a Microsoft Windows computer is joined to a domain, Microsoft Active Directory manages AD DOMAIN accounts in Microsoft Active Directory.
For example, client computers running Windows Client participate in a network AD DOMAIN by communicating with a Domain Controller even when no human user is logged on. To initiate communications, the computer must have an active account in the AD DOMAIN. Before accepting communications from the computer, the Local Security Authority on the Domain Controller authenticates the computer’s identity and then constructs the computer’s security context just as it would for a human security principal.
This security context defines the identity and capabilities of a user or service on a particular computer or a user, service, or computer on a network.
For example, the access token contained within the security context defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by that principal—a user, computer, or service on that resource.
The security context of a user or computer can vary from one computer to another, such as when a user logs on to a server or a workstation other than the user’s own primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a network, or as part of an AD DOMAIN