Distinguishing User Accounts from User Groups in an ACL

Q: When viewing an ACL, is there a way to distinguish user accounts from user groups? Our naming conventions result in user account names that could be mistaken for the name of a group. Does Windows include additional information with each entry in the ACL to indicate whether it's a user or a group?

A: Yes, there's an easy way to tell whether the principal in the name column of an access control entry (ACE) is a user or a group. Windows lists another version of the principal’s name in parentheses after the common name. For groups, Windows uses the pre–Windows 2000 name formatted as the domain name followed by a backslash and the group's name (e.g., A3Administrators). For users, Windows specifies the DNS logon name, which takes the same format as an email address (e.g., [email protected]). Figure 1 shows an example of both types of principals in an ACL. If in doubt as to whether the ACE applies to a user or a group, just look at the name in parentheses. If you see a backslash, the ACE applies to a group; if you see an at (@) symbol, the ACE applies to a user. Another way to tell the difference between users and groups is to look at the icon in any user- or group-related dialog box—if the icon is one person, it's a user; if the icon is two people, it's a group.