Default local groups

Applies To: Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista

The Groups folder, which is located in the Local Users and Groups Microsoft Management Console (MMC) snap-in, displays the default local groups as well as the local groups that you create. Default local groups are created automatically when you install the operating system. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer.

You can add local user accounts, domain user accounts, computer accounts, and group accounts to local groups. For more information about adding members to local groups, see Add a member to a local group.

Note

If you want to learn what group you need to be a member of to perform a particular procedure, many procedure topics under Local Users and Groups: How To... provide a note that identifies this information.

The following table provides descriptions of the default groups that are located in the Groups folder. The table also lists the default user rights for each group. These user rights are assigned in the local security policy.

Group | Description | Default user rights

Administrators

Members of this group have full control of the computer, and they can assign user rights and access control permissions to users as necessary. The Administrator account is a default member of this group. When a computer is joined to a domain, the Domain Admins group is added to this group automatically. Because this group has full control of the computer, use caution when you add users to it.

  • Access this computer from the network

  • Adjust memory quotas for a process

  • Allow logon locally

  • Allow logon through Remote Desktop Services

  • Back up files and directories

  • Bypass traverse checking

  • Change the system time

  • Change the time zone

  • Create a page file

  • Create global objects

  • Create symbolic links

  • Debug programs

  • Force shutdown from a remote system

  • Impersonate a client after authentication

  • Increase scheduling priority

  • Load and unload device drivers

  • Log on as a batch job

  • Manage auditing and security log

  • Modify firmware environment variables

  • Perform volume maintenance tasks

  • Profile single process

  • Profile system performance

  • Remove computer from docking station

  • Restore files and directories

  • Shut down the system

  • Take ownership of files or other objects

Backup Operators

Members of this group can back up and restore files on a computer, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings.

  • Access this computer from the network

  • Allow logon locally

  • Back up files and directories

  • Bypass traverse checking

  • Log on as a batch job

  • Restore files and directories

  • Shut down the system

Cryptographic Operators

Members of this group are authorized to perform cryptographic operations.

  • No default user rights

Distributed COM Users

Members of this group are allowed to start, activate, and use DCOM objects on a computer.

  • No default user rights

Guests

On a computer joined to a domain, members of this group have a temporary profile created at logon, and when the member logs off, the profile is deleted. Profiles in workgroup environments are not deleted. The Guest account (which is disabled by default) is also a default member of this group.

  • No default user rights

IIS_IUSRS

This is a built-in group that is used by Internet Information Services (IIS).

  • No default user rights

Network Configuration Operators

Members of this group can make changes to TCP/IP settings, and they can renew and release TCP/IP addresses. This group has no default members.

  • No default user rights

Performance Log Users

Members of this group can manage performance counters, logs, and alerts on a computer — both locally and from remote clients — without being a member of the Administrators group.

  • No default user rights

Performance Monitor Users

Members of this group can monitor performance counters on a computer, locally and from remote clients, without being a member of the Administrators group or the Performance Log Users group.

  • No default user rights

Power Users

By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.

  • No default user rights

Remote Desktop Users

Members of this group can log on to the computer remotely.

  • Allow logon through Remote Desktop Services

Replicator

This group supports replication functions. The only member of the Replicator group should be a domain user account that is used to log on to the Replicator services of a domain controller. Do not add user accounts of actual users to this group.

  • No default user rights

Users

Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the computer. Members of this group cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account that is created in the domain becomes a member of this group.

  • Access this computer from the network

  • Allow logon locally

  • Bypass traverse checking

  • Change the time zone

  • Increase a process working set

  • Remove the computer from a docking station

  • Shut down the system

Offer Remote Assistance Helpers

Members of this group can offer Remote Assistance to the users of this computer.

  • No default user rights
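
Because these user rights are assigned in the local security policy, a host can drift from the defaults listed in the table. The following PowerShell is an added example, not part of the original documentation: it compares a user-rights export against the table's defaults for three of the groups. The Se* constant names and well-known SIDs do not appear on this page; they are the standard identifiers for the rights and groups listed above, and the export text is a constructed sample.

```powershell
# Default user rights from the table above, keyed by each group's well-known SID.
$Baseline = @{
    'S-1-5-32-547' = @{ Name = 'Power Users'; Rights = @() }
    'S-1-5-32-551' = @{ Name = 'Backup Operators'; Rights = @(
        'SeNetworkLogonRight', 'SeInteractiveLogonRight', 'SeBackupPrivilege',
        'SeChangeNotifyPrivilege', 'SeBatchLogonRight', 'SeRestorePrivilege',
        'SeShutdownPrivilege') }
    'S-1-5-32-555' = @{ Name = 'Remote Desktop Users'
                        Rights = @('SeRemoteInteractiveLogonRight') }
}

# Constructed sample of a user-rights export. For a real host, produce one with
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# and use: $Export = Get-Content .\rights.inf
$Export = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-32-555
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-547
'@ -split "`r?`n"

# Index the export as SID -> rights that name that SID directly.
# Rights reached only through another principal (for example Everyone) are not counted.
$Held = @{}
foreach ($line in $Export) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    foreach ($entry in ($Matches[2] -split ',')) {
        $sid = $entry.Trim().TrimStart('*')
        if (-not $sid) { continue }
        if (-not $Held.ContainsKey($sid)) { $Held[$sid] = @() }
        $Held[$sid] += $right
    }
}

# Report rights granted beyond the default (extra) and defaults that were removed (missing).
foreach ($sid in ($Baseline.Keys | Sort-Object)) {
    $expected = @($Baseline[$sid].Rights)
    $actual = @()
    if ($Held.ContainsKey($sid)) { $actual = $Held[$sid] }
    $extra   = @($actual   | Where-Object { $expected -notcontains $_ })
    $missing = @($expected | Where-Object { $actual   -notcontains $_ })
    '{0}: extra=[{1}] missing=[{2}]' -f $Baseline[$sid].Name, ($extra -join ', '), ($missing -join ', ')
}
```

An "extra" entry for Power Users is worth particular attention, since the table lists no default user rights for that group unless a legacy security template has been applied.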