Default local groups
The Groups folder, which is located in the Local Users and Groups Microsoft Management Console (MMC) snap-in, displays the default local groups as well as the local groups that you create. Default local groups are created automatically when you install the operating system. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer.
You can add local user accounts, domain user accounts, computer accounts, and group accounts to local groups. For more information about adding members to local groups, see Add a member to a local group.
Note | |
If you want to learn what group you need to be a member of to perform a particular procedure, many procedure topics under Local Users and Groups: How To... provide a note that identifies this information. |
The following table provides descriptions of the default groups that are located in the Groups folder. The table also lists the default user rights for each group. These user rights are assigned in the local security policy.
Group | Description | Default user rights |
---|---|---|
Administrators |
Members of this group have full control of the computer, and they can assign user rights and access control permissions to users as necessary. The Administrator account is a default member of this group. When a computer is joined to a domain, the Domain Admins group is added to this group automatically. Because this group has full control of the computer, use caution when you add users to it. |
|
Backup Operators |
Members of this group can back up and restore files on a computer, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings. |
|
Cryptographic Operators |
Members of this group are authorized to perform cryptographic operations. |
|
Distributed COM Users |
Members of this group are allowed to start, activate, and use DCOM objects on a computer. |
|
Guests |
Members of this group have a temporary profile created at log on, and when the member logs off, the profile is deleted. The Guest account (which is disabled by default) is also a default member of this group. |
|
IIS_IUSRS |
This is a built-in group that is used by Internet Information Services (IIS). |
|
Network Configuration Operators |
Members of this group can make changes to TCP/IP settings, and they can renew and release TCP/IP addresses. This group has no default members. |
|
Performance Log Users |
Members of this group can manage performance counters, logs, and alerts on a computer — both locally and from remote clients — without being a member of the Administrators group. |
|
Performance Monitor Users |
Members of this group can monitor performance counters on a computer — locally and from remote clients — without being a member of the Administrators group or the Performance Log Users groups |
|
Power Users |
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows. |
|
Remote Desktop Users |
Members of this group can log on to the computer remotely. |
|
Replicator |
This group supports replication functions. The only member of the Replicator group should be a domain user account that is used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group. |
|
Users |
Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the computer. Members of this group cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account that is created in the domain becomes a member of this group. |
|
Offer Remote Assistance Helpers |
Members of this group can offer Remote Assistance to the users of this computer. |
|