Default Local Groups

Default local groups exist locally on a Windows computer and available only on that computer. This video looks at the local groups that are created by default on every Windows 7 and Windows Server 2008 operating system.

Show lesson content

Demonstration 10:17

Administrators 1:30

Users 2:10

Power Users 3:26

Guests 4:43

Backup Operators 5:32

Remote Desktop Users 5:53

Offer Remote Assistance Helpers 6:24

Network Configuration Operators 7:05

Performance Monitor Users 7:28

Performance Log Users 7:56


Replicator 8:45

Distributed COM Users 9:17

Cartographic Operators 09:39

Any user added to this group has full control over that computer. By default, the administrator will have access to everything, for example all files and folders. If an administrator has been denied access they can take ownership of the object in question and give themselves permissions to the object.

This group is designed for the general user. It allows them to run software and change settings that relate to them.

Power Users
The power users group was introduced in Windows XP to give the user more access than the user group but less than an administrator. In Windows Vista this group was removed and in Windows 7 it was added again. In Windows 7, the Power Users group does not provide any access other than user access and is included only for legacy reasons. If you want to give this group the same permissions as Windows XP, you can apply a security template as explained below. This security template should only be applied as a last resort. The process is not reversible and may not function as expected with newer software.

To apply the security template to the Power Users Group

1. Open mmc and add the snap-in Configuration and Security Analysis

2. Right click Security Configuration and Analysis and select open database

3. Enter a new database name or open an existing database

4. When prompted open c:\windows\inf\puwk.inf. If not prompted, right click Security Configuration and Analysis and select open template

5. Right click Security Configuration and Analysis and select configure computer now

The guest group gives the user the ability to login and run software. Any changes that are made by that user, for example changing the wallpaper, will be lost when the user logs off. The guest account is usually used for computers that are set up as kiosks. In this case, you want the user to have access to run software and make changes if they need to, but when the next user uses the computer, you want to ensure that the new user gets the default settings and not the modified settings.

Backup Operators
This group allows the user to access any file on the system for the purpose of backing and restoring. It does not give them full control over files and folders, for example, they cannot change the NTFS permissions on the file.

Remote Desktop Users
A user that is added to this group is allowed to access that computer using remote desktop. This is assuming that remote desktop is enabled and allowed through the firewall. Administrators do not need to be added to this group to connect to the computer using Remote Desktop. Assuming remote desktop is enabled and allowed through the firewall, an administrator without being a member of this group will be able to use remote desktop to access the computer.

Offer Remote Assistance Helpers
Remote assistance allows a user to request help from another user. Using remote assistance, the other user can see the desktop and even take control if allowed. In order for this to occur, the user wanting help must create an invitation which is opened by the other user. If a user is a member of this group, they can offer their help to a user on that computer without having to wait for an invitation to be created and sent to them. Regardless of whether a user is in this group or not, the user on that computer can also reject any remote assistance connections that come into the computer. Being a member of this group essentially means you can offer unsolicited help (Help not asked for) rather than only being able to offer solicited help. (Help that was asked for)

Network Configuration Operators
Members of this group can make changes to network adapter settings on the computer. For example, they can change the IP configuration on an adapter and renew or release DHCP configuration on that adapter.

Performance Monitor Users
This allows the user to monitor performance of the computer using software like Performance Monitor. This includes monitoring the computer remotely assuming it has been enabled and allowed through the firewall. Members of this group can also use data collector sets that were created by another user but cannot create a new data collector set.

Performance Log Users
This group has all the same rights as performance monitors users but can also create data collector sets.

This group is used by IIS. The idea being permissions and access required by IIS can be isolated to this group. In other words, the rights and permissions that are needed to run IIS can be gained by using this group. Since this is a local group, if you copy IIS files from one computer to another, they will have the same access on the other computer since this group will exist on the other computer. You would normally not need to add users to this group.

Used by the replicator service on a domain controller. You should not need to add users to this group. In Windows Vista there was a service called DFS replication which may have used this group. In Windows 7, this service does not exist so this group is not used in Windows 7.

This is a Microsoft Technology that allows for distributed network components. It may also be referred to as DCom. Users in this group can start, activate, and use DCom Objects.

Cryptographic Operators
Members of this group can perform specialized cryptographic operations. Normal operations like encryption files and using VPN do not require the user to be a member of this group. This group is only required in very special circumstances so it is unlikely you will ever need to add users to this group.

To access basic user settings, open the control panel, select user accounts and then select user accounts again. To change user account settings, select the bottom option “manage user accounts”. Select the user that you want and press the button properties. Once open, select the group membership tab and this will allow you to select which group you want the user to be a member of. You can only select one group here so you are more than likely going to want to use the tools described below instead. Depending on which version of Windows you are running and which service pack you have, the options may be different.

To access Local Users and Groups Snap-in you can type in lusrmgr.msc from the start menu. You can also launch Local Users and Groups by opening the control panel and selecting user accounts and then select user accounts again and finally select the advanced option. From this interface you can right click a group and select add to group to add a user or group to that group.

To make changes to users and computer, you can also open computer management from the start menu and select local users and groups under system tools.

“Default local groups” http://technet.microsoft.com/en-us/library/cc771990.aspx
“Understanding Built-In User and Group Accounts in IIS 7“ http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/
“Crypto Operators security group“ http://support.microsoft.com/kb/949299
“Offering Remote Assistance” http://technet.microsoft.com/en-us/library/cc505914.aspx
“List of features removed in Windows 7” http://en.wikipedia.org/wiki/List_of_features_removed_in_Windows_7


Lesson tags: 70-640-active-directory
Back to: 70-640 Introduction to Active Directory > Maintaining Active Directory Objects

Active Directory is a system which offers centralized control of your computers.


Active Directory Infrastructure


Group Policy