This article is based on an article in the Microsoft TechNet Library and is presented here to enable those outside of Microsoft who are interested and knowledgeable on this topic to improve it. The
original article exists on TechNet as
Default User Accounts and Groups (http://technet.microsoft.com/en-us/library/bb726980.aspx).
When you install Windows 2000, the operating system installs default users and groups. These accounts are designed to provide the basic setup necessary to grow your network. Three types of default accounts are provided:
Predefined User and group accounts installed with the operating system.
Built-In User and group accounts installed with the operating system, applications, and services.
Implicit Special groups created implicitly when accessing network resources; also known as
Note: Although you can modify the default users and groups, you can't delete default users and groups created by the operating system. The reason you can't delete these accounts is that you wouldn't be able to re-create them. The SIDs of
the old and new accounts wouldn't match, and the permissions and privileges of these accounts would be lost.
Built-in user accounts have special uses on Windows 2000. While all Windows 2000 systems have one built-in account called LocalSystem, other built-in user accounts may be available.
LocalSystem is a pseudo-account for running system processes and handling system-level tasks. The account is available on the local system only. You can't change the settings for the LocalSystem account with the user administration tools. Users can't log
on to a computer with this account.
Note: While users can't log on to a computer with the LocalSystem account, certain processes
can log on using this account. For example, Windows 2000 services can be configured to log on to a computer using the System account. For more information, see the section of Chapter 3 entitled "Managing System Services."
Other Built-In Accounts
When you install add-ons or other applications on a workstation or server, other default accounts may be installed. You can usually delete these accounts.
When you install Internet Information Services, you may find several new accounts, including IUSR_host and IWAM_host, where
host is the computer name. The IUSR_host account is the built-in account for anonymous access to Internet Information Services. The IWAM_host account is used by Internet Information Services to start out of process applications. These
accounts are defined in Active Directory when they're configured on a domain. However, they're defined as local users when they're configured on a stand-alone server or workstation. Another built-in account that you may see is TSInternetUser. This account
is used by Terminal Services.
Two predefined user accounts are installed with Windows 2000—Administrator and Guest. With workstations and member servers, predefined accounts are local to the individual system they're installed on.
Predefined accounts have counterparts in Active Directory. These accounts have domain-wide access and are completely separate from the local accounts on individual systems.
The Administrator Account
Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise,
the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access
Tip To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows 2000 account, you may want to rename the account as an extra security precaution.
In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups:
Administrators, Domain Admins, Domain Users, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. You'll find more information on these groups in the next section.
Real World In a domain environment, you'll use the local Administrator account primarily to manage the system when you first install it. This allows you to set up the system without getting locked out. You probably won't use the account
once the system has been installed. Instead, you'll probably want to make your administrators members of the Administrators group. This ensures that you can revoke administrator privileges without having to change the passwords for all the Administrator accounts.
For a system that's part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties. Here, you probably won't want to set up individual accounts
for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer.
The Guest Account
Guest is designed for users who need one-time or occasional access. While guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system to potential security problems. The potential
is so great that the account is initially disabled when you install Windows 2000.
Tip If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you may want to rename the account as an added security precaution.
Built-in groups are installed with all Windows 2000 workstations and servers. Use the built-in groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group. For example, you give a user administrative
access to the system by making a user a member of the local Administrators group. You give a user administrative access to the domain by making a user a member of the domain local Administrators group in Active Directory.
The availability of a specific built-in group depends on the current system configuration. Use Table 7-2 to determine the availability of the various built-in groups. Each of these groups is discussed later in the chapter.
Table 7-2 Availability of Built-In Groups Based on the Type of Network Resource
Active Directory Domain
Windows 2000 Professional or Member Server
Built-In Local, Local
Pre-Windows 2000 Compatible Access
Predefined groups are installed with Active Directory domains. Use these groups to assign additional permissions to users, computers, and other groups. You do this by making the user a member of the group. Predefined groups include domain local, global,
and universal groups. The availability of a specific built-in group depends on the domain configuration.
Use Table 7-3 to determine the availability of the various predefined groups. Key predefined groups are discussed later in this chapter.
Note: The group scope for Enterprise Admins and Schema Admins can be either universal or global, depending on the operations mode. In mixed mode, these are global groups. In native mode, these are universal groups.
Table 7-3 Availability of Predefined Groups Based on Domain Configuration
Group Policy Creator Owners
RAS and IAS Servers
With remote access services
In Windows NT implicit groups were assigned implicitly during logon and were based on how a user accessed a network resource. For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group
called Interactive. In Windows 2000, the object-based approach to the directory structure changes the original rules for implicit groups. While you still can't view the membership of special identities, you can grant membership in implicit groups to users,
groups, and computers.
To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership can be set implicitly, such as during logon, or explicitly through security access permissions. As with other default
groups, the availability of a specific implicit group depends on the current configuration. Use Table 7-4 to determine the availability of the various implicit groups. Implicit groups are discussed later in this chapter.
Table 7-4 Availability of Implicit Groups Based on the Type of Network Resource
Enterprise Domain Controllers
Terminal Server User
When you set up a user account, you can grant the user specific capabilities. You generally assign these capabilities by making the user a member of one or more groups, thus giving the user the capabilities of these groups. You then assign additional capabilities
by making a user a member of the appropriate groups. You withdraw capabilities by removing group membership.
In Windows 2000, you can assign various types of capabilities to an account. These capabilities include
Privileges A type of user right that grants permissions to perform specific administrative tasks. You can assign privileges to both user and group accounts. An example of a privilege is the ability to shut down the system.
Logon rights A type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. An example of a logon right is the ability to log on locally.
Built-in capabilities A type of user right that is assigned to groups and includes the automatic capabilities of the group. Built-in capabilities are predefined and unchangeable, but they can be delegated to users with permission to manage
objects, organizational units, or other containers. An example of a built-in capability is the ability to create, delete, and manage user accounts. This capability is assigned to administrators and account Operators. Thus, if a user is a member of the Administrators
group, the user can create, delete, and manage user accounts.
Access permissions A type of user right that defines the operations that can be performed on network resources. You can assign access permissions to users, computers, and groups. An example of an access permission is the ability to create
a file in a directory. Access permissions are discussed in Chapter 13.
As an administrator, you'll be dealing with account capabilities every day. To help track built-in capabilities, refer to the sections that follow. Keep in mind that while you can't change the built-in capabilities of a group, you can change the default
rights of a group. For example, an administrator could revoke network access to a computer by removing a group's right to access the computer from the network.
A privilege is a type of user right that grants permissions to perform a specific administrative task. You assign privileges through group policies, which can be applied to individual computers, organizational units, and domains. Although you can assign
privileges to both users and groups, you'll usually want to assign privileges to groups. In this way, users are automatically assigned the appropriate privileges when they become members of a group. Assigning privileges to groups also makes it easier to manage
Table 7-5 provides a brief summary of each of the privileges that can be assigned to users and groups. To learn how to assign privileges, see Chapter 8.
Table 7-5 Windows 2000 Privileges for Users and Groups
Act as part of the operating system
Allows a process to authenticate as any user and gain access to resources as any user. Processes that require this privilege should use the LocalSystem account, which already has this privilege.
Add workstations to domain
Allows users to add computers to the domain.
Back up files and directories
Allows users to back up the system regardless of the permissions set on files and directories.
Bypass traverse checking
Allows users to pass through directories while navigating an object path regardless of permissions set on the directories. The privilege doesn't allow the user to list directory contents.
Change the system time
Allows users to set the time for the system clock.
Create a pagefile
Allows users to create and change paging file size for virtual memory.
Create a token object
Allows processes to create token objects that can be used to gain access to local resources. Processes that require this privilege should use the LocalSystem account, which already has this privilege.
Create permanent shared objects
Allows processes to create directory objects in the Windows 2000 object manager. Most components already have this privilege and it's not necessary to specifically assign it.
Allows users to perform debugging.
Enable user and computer accounts to be trusted for delegation
Allows users and computers to change or apply the trusted-for-delegation setting, provided they have write access to the object.
Force shutdown of a remote system
Allows users to shut down a computer from a remote location on the network.
Generate security audits
Allows processes to make security log entries for auditing object access.
Allows processes to increase the processor quota assigned to other process, provided they have write access to the process.
Increase scheduling priority
Allows processes to increase the scheduling priority assigned to other processes, provided they have write access to the processes.
Load and unload device drivers
Allows users to install and uninstall plug-and-play device drivers. This doesn't affect device drivers that aren't plug-and-play, which can only be installed by administrators.
Lock pages in memory
In Windows NT, allowed processes to keep data in physical memory, preventing the system from paging data to virtual memory on disk. Not used in Windows 2000.
Manage auditing and security log
Allows users to specify auditing options and access the security log. You must turn on auditing in the group policy first.
Modify firmware environment values
Allows users and processes to modify system environment variables.
Profile a single process
Allows users to monitor the performance of nonsystem processes.
Profile system performance
Allows users to monitor the performance of system processes.
Remove computer from docking station
Allows users to unlock a computer
Replace a process-level token
Allows processes to replace the default token for subprocesses.
Restore files and directories
Allows users to restore backed up files and directories, regardless of the permissions set on files and directories.
Shut down the system
Allows users to shut down the local computer.
Synchronize directory service data
Allows users to synchronize directory service data on domain controllers.
Take ownership of files
Allows users to take ownership of any or other objects Active Directory objects.
A logon right is a type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. As with privileges, you assign logon rights through group policies and you'll usually want to assign logon rights to groups
rather than individual users.
Table 7-6 provides a brief summary of each of the logon rights that can be assigned to users and groups. To learn how to assign logon rights, see Chapter 8
Table 7-6 Windows 2000 Logon Rights for Users and Groups
Access this computer from the network
Allows users to connect to the computer over the network. By default, this privilege is granted to Administrators, Everyone, and Power Users.
Deny access to this computer from the network
Denies remote access to the computer.
Deny logon as batch job
Denies the right to log on through a batch job or script.
Deny logon as service
Denies the right to log on as a service.
Deny logon locally
Denies the right to log on to the computer's keyboard.
Log on as a batch job
Allows users to log on using a batch-queue facility. This capability is not supported in the current release of Windows 2000. By default, this privilege is granted to Administrators.
Log on as a service
Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default,
this right is not granted to anyone.
Log on locally
Allows users to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.
The built-in capabilities for groups in Active Directory are fairly extensive. The tables that follow summarize the most common capabilities that are assigned by default. Table 7-7 shows the default user rights for groups in Active Directory domains. This
includes both privileges and logon rights. Note that any action that's available to the Everyone group is available to all groups, including the Guests group. This means that although the Guests group doesn't have explicit permission to access the computer
from the network, Guests can still access the system because the Everyone group has this right.
Table 7-7 Default User Rights for Groups in Active Directory
Administrators, Server Operators, Backup Operators
Administrators, Server Operators
Force shutdown from a remote system
Administrators, Server Operators, Account Operators, Backup Operators, Print Operators
Modify firmware environment variables
Take ownership of files or other objects
Table 7-8 shows the default user rights for local groups on member servers and workstations. Again, this includes both privileges and logon rights. Note that on these systems, Power Users have privileges that normal users don't.
Table 7-8 Default User Rights for Local Groups
Administrators, Power Users, Everyone
Administrators, Backup Operators
Administrators, Power Users
Administrators, Backup Operators, Power Users, Users, Everyone, Guests
Administrators, Power Users, Users
Administrators, Backup Operators, Power Users, Users
Table 7-9 summarizes capabilities that can be delegated to other users and groups. As you study the table, note that restricted accounts include the Administrator user account, the user accounts of administrators, and the group accounts for Administrators,
Server Operators, Account Operators, Backup Operators, and Print Operators. Because these accounts are restricted, Account Operators can't create or modify them.
Table 7-9 Other Capabilities for Built-In and Local Groups
Group Normally Assigned
Assign user rights
Allows users to assign user rights to other users
Create, delete, and manage user accounts
Allows users to administer domain user accounts
Administrators, Account Operators
Modify the membership of a group
Allows users to add and remove users from domain groups
Create and delete groups
Allows users to create a new group and delete existing groups
Administrators, Account operators
Reset passwords on user accounts
Allows users to reset passwords on user accounts
Read all user information
Allows users to view user account information
Administrators, Server Operators, Account Operators
Manage group policy links
Allows users to apply existing group policies to sites, domains, and organizational units for which they have write access to the related objects
Allows users to modify printer settings and manage print queues
Administrators, Server Operators, Printer Operators
Create and delete printers
Allows users to create and delete printers