User Management
Managing Groups
Built-in Groups
Windows 7 includes built-in local groups, such as Administrators and Backup Operators. These groups already have all the permissions needed to accomplish specific tasks. Windows 7 also uses default special groups, which are managed by the system. Users become members of special groups based on their requirements for computer and network access. You can create and manage local groups through the Local Users and Groups utility. With this utility, you can add groups, change group membership, rename groups, and delete groups.
Groups are used to simplify the process of assigning security rights and permissions. Members of a group have access to all of the resources that the group has been given permissions to access.
Here are the following Windows 7 built-in groups:
- Administrators:
The Administrators group has full permissions and privileges. Its members can grant themselves any permissions they do not have by default to manage all the objects on the computer. (Objects include the file system, printers, and account management.) By default, the Administrator account, which is disabled by default, and the initial user account are members of the Administrators local group. Members of the Administrators group can perform the following tasks:
- Install the operating system.
- Install and configure hardware device drivers.
- Install system services.
- Install service packs, hot fixes, and Windows updates.
- Upgrade the operating system.
- Repair the operating system.
- Install applications that modify the Windows system files.
- Configure password policies.
- Configure audit policies.
- Manage security logs.
- Create administrative shares.
- Create administrative accounts.
- Modify groups and accounts that have been created by other users.
- Remotely access the Registry.
- Stop or start any service.
- Configure services.
- Increase and manage disk quotas.
- Increase and manage execution priorities.
- Remotely shut down the system.
- Assign and manage user rights.
- Reenable locked-out and disabled accounts.
- Manage disk properties, including formatting hard drives.
- Modify systemwide environment variables.
- Access any data on the computer.
- Back up and restore all data.
- Backup Operators:
Members of the Backup Operators group have permissions to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to access the file system. However, the members of Backup Operators can access the file system only using the Backup utility. To access the file system directly, Backup Operators must have explicit permissions assigned. There are no default members of the Backup Operators local group.
- Cryptographic Operators:
The Cryptographic Operators group has access to perform cryptographic operations on the computer. There are no default members of the Cryptographic Operators local group.
- Distributed COM Users:
The Distributed COM Users group has the ability to launch and run Distributed COM objects on the computer. There are no default members of the Distributed COM Users local group.
- Event Log Readers:
The Event Log Readers group has access to read the event log on the local computer. There are no default members of the Event Log Readers local group.
- Guests:
The Guests group has limited access to the computer. This group is provided so that you can allow people who are not regular users to access specific network resources. As a general rule, most administrators do not allow Guest access because it poses a potential security risk. By default, the Guest user account is a member of the Guests local group.
- IIS_IUSRS:
The IIS_IUSRS group is used by Internet Information Services (IIS). The NT AUTHORITY\IUSR user account is a member of the IIS_IUSRS group by default.
- Network Configuration Operators:
Members of the Network Configuration Operators group have some administrative rights to manage the computer's network configuration-for example, editing the computer's TCP/IP settings.
- Performance Log Users:
The Performance Log Users group has the ability to access and schedule logging of performance counters and can create and manage trace counters on the computer.
- Performance Monitor Users:
The Performance Monitor Users group has the ability to access and view performance counter information on the computer. Users who are members of this group can access performance counters both locally and remotely.
- Power Users:
The Power Users group is included in Windows 7 for backward compatibility. The Power Users group is included to ensure that computers upgraded from Windows XP function as before with regard to folders that allow access to members of the Power Users group. Otherwise, the Power Users group has limited administrative rights.
- Remote Desktop Users:
The Remote Desktop Users group allows members of the group to log on remotely for the purpose of using the Remote Desktop service.
- Replicator:
The Replicator group is intended to support directory replication, which is a feature that domain servers use. Only domain users who will start the replication service should be assigned to this group. The Replicator local group has no default members.
- Users:
The Users group is intended for end users who should have very limited system access. If you have installed a fresh copy of Windows 7, the default settings for the Users group prohibit its members from compromising the operating system or program files. By default, all users who have been created on the computer, except Guest, are members of the Users local group.