Local Users and Groups

Local Users and Groups overview

Local Users and Groups is located in Computer Management, a collection of administrative tools that you can use to manage a single local or remote computer. You can use Local Users and Groups to secure and manage user accounts and groups stored locally on your computer. A local user or group account can be assigned permissions and rights on a particular computer and that computer only. 

Using Local Users and Groups you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner.

You cannot use Local Users and Groups to view local user and group accounts once a member server has been promoted to a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers (that are not domain controllers) on the network. Use Active Directory Users and Computers to manage users and groups in Active Directory.

Local user accounts

The Users folder located in the Local Users and Groups Microsoft Management Console (MMC) displays the default user accounts as well as the user accounts you create. These default user accounts are created automatically when you install a stand-alone server or member server running Windows Server 2003. The following table describes each default user account on servers running Windows Server 2003.

 

Default user account Description

Administrator account

The Administrator account has full control of the server and can assign user rights and access control permissions to users as necessary. This account must be used only for tasks that require administrative credentials. It is highly recommended that you set up this account to use a strong password. For more information, see Strong passwords. For additional security considerations for accounts with administrative credentials, see Local Users and Groups Best practices.

The Administrator account is a member of the Administrators group on the server. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try and gain access to it. For more information about how to rename or disable a user account, see Rename a local user account and Disable or activate a local user account.

The Administrator account is the account you use when you first set up the server. You use this account before you create an account for yourself.

Important

  • Even when the Administrator account has been disabled, it can still be used to gain access to a computer using Safe Mode.

Guest account

The Guest account is used by people who do not have an actual account on the computer. A user whose account is disabled, but not deleted, can also use the Guest account. The Guest account does not require a password. The Guest account is disabled by default, but you can enable it.

You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the default Guests group, which allows a user to log on to a server. Additional rights, as well as any permissions, must be granted to the Guests group by a member of the Administrators group. The Guest account is disabled by default, and it is recommended that it stay disabled.

HelpAssistant account (installed with a Remote Assistance session)

The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance session and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and will be automatically deleted if no Remote Assistance requests are pending. For more information about Remote Assistance, see Administering Remote Assistance.

Default local groups

The Groups folder located in the Local Users and Groups Microsoft Management Console (MMC) displays the default local groups as well as the local groups that you create. The default local groups are automatically created when you install a stand-alone server or a member server running Windows Server 2003. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer. For more information about domain-based groups, see Default groups.

You can add local user accounts, domain user accounts, computer accounts, and group accounts to local groups. However, you cannot add local user accounts and local group accounts to domain group accounts. For more information about adding members to local groups, see Add a member to a local group.

Note

  • To learn what group you need to be a member of to perform a particular procedure, many procedural topics under How To in Help and Support Center provide a note that identifies this information.

The following table provides descriptions of the default groups located in the Groups folder and lists the assigned user rights for each group. These rights are assigned within the local security policy. For complete descriptions of the user rights listed in the table, see User Rights Assignment. For information about editing these rights, see Assign user rights for your local computer.

 

Group Description Default user rights

Administrators

Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group. Because this group has full control of the server, add users with caution. For more information, see Default local groups and Default groups.

Access this computer from the network; Adjust memory quotas for a process; Allow log on locally; Allow log on through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment variables; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Backup Operators

Members of this group can back up and restore files on the server, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. They cannot change security settings.

Access this computer from the network; Allow log on locally; Back up files and directories; Bypass traverse checking; Restore files and directories; Shut down the system.

DHCP Administrators (installed with the DHCP Server service)

Members of this group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able to perform other administrative actions on the server.

No default user rights.

DHCP Users (installed with the DHCP Server service)

Members of this group have read-only access to the DHCP Server service. This allows members to view information and properties stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports.

No default user rights.

Guests

Members of this group will have a temporary profile created at log on, and when the member logs off, the profile will be deleted. The Guest account (which is disabled by default) is also a default member of this group.

No default user rights.

HelpServicesGroup

This group allows administrators to set rights common to all support applications. By default, the only group member is the account associated with Microsoft support applications, such as Remote Assistance. Do not add users to this group.

No default user rights.

Network Configuration Operators

Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.

No default user rights.

Performance Monitor Users

Members of this group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

No default user rights.

Performance Log Users

Members of this group can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group.

No default user rights.

Power Users

Members of this group can create user accounts and then modify and delete the accounts they have created. They can create local groups and then add or remove users from the local groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs.

Access this computer from the network; Allow log on locally; Bypass traverse checking; Change the system time; Profile single process; Remove computer from docking station; Shut down the system.

Print Operators

Members of this group can manage printers and print queues.

No default user rights.

Remote Desktop Users

Members of this group can remotely log on to a server.

For more information, see Enabling users to connect remotely to the server.

Allow log on through Terminal Services.

Replicator

The Replicator group supports replication functions. The only member of the Replicator group should be a domain user account used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group.

No default user rights.

Terminal Server Users

This group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run with Windows NT 4.0 will run for a member of the Terminal Server User group. The default permissions assigned to this group enable its members to run most earlier programs.

No default user rights

Users

Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.

Access this computer from the network; Allow log on locally; Bypass traverse checking.

WINS Users (installed with WINS service)

Members of this group are permitted read-only access to Windows Internet Name Service (WINS). This allows members to view information and properties stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports.

No default user rights.