Windows 2000 Server: Default User Accounts and Groups
This article is based on an article in the Microsoft TechNet Library and is presented here to enable those outside of Microsoft who are interested and knowledgeable on this topic to improve it. The original article exists on TechNet as Default User Accounts and Groups (http://technet.microsoft.com/en-us/library/bb726980.aspx).
When you install Windows 2000, the operating system installs default users and groups. These accounts are designed to provide the basic setup necessary to grow your network. Three types of default accounts are provided:
Predefined: User and group accounts installed with the operating system.
Built-In: User and group accounts installed with the operating system, applications, and services.
Implicit: Special groups created implicitly when accessing network resources; also known as special identities.
Note: Although you can modify the default users and groups, you can't delete default users and groups created by the operating system. The reason you can't delete these accounts is that you wouldn't be able to re-create them. The SIDs of the old and new accounts wouldn't match, and the permissions and privileges of these accounts would be lost.
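As an added illustration of the SID point in the note above (example code written for this page, not from the TechNet article), the following Python parses SIDs in their textual and binary forms and classifies the default accounts and groups by SID rather than by name. The well-known SIDs and the fixed RIDs of the predefined domain accounts are documented Windows constants; the domain identifier used in the samples is constructed, and the rule that administrator-created accounts receive RIDs from 1000 upward is standard Windows allocation behavior. Recognizing principals by SID is also why renaming the Administrator account (RID 500) does not change how the system, or an auditor, identifies it.

```python
"""Parse and classify Windows security identifiers (SIDs).

Added example; not code from the TechNet article. Well-known SIDs and RIDs
are documented Windows constants. Any SID with the domain identifier
S-1-5-21-1111111111-2222222222-3333333333 is a constructed sample.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual form S-R-A-S1-S2-... into its components."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
                or any(s >= 1 << 32 for s in subs)):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.subauthorities)])

    def to_bytes(self) -> bytes:
        """Binary layout: revision, sub-authority count, 6-byte big-endian
        identifier authority, then each sub-authority as little-endian uint32."""
        header = struct.pack("<BB", self.revision, len(self.subauthorities))
        subs = b"".join(struct.pack("<I", s) for s in self.subauthorities)
        return header + self.authority.to_bytes(6, "big") + subs

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = struct.unpack_from("<BB", data, 0)
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = tuple(struct.unpack_from(f"<{count}I", data, 8)) if count else ()
        return cls(revision, authority, subs)


# Well-known SIDs of the built-in groups and special identities in the tables.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
    "S-1-5-1": "Dialup", "S-1-5-2": "Network", "S-1-5-3": "Batch",
    "S-1-5-4": "Interactive", "S-1-5-6": "Service", "S-1-5-7": "Anonymous Logon",
    "S-1-5-8": "Proxy", "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-10": "Self", "S-1-5-11": "Authenticated Users", "S-1-5-12": "Restricted",
    "S-1-5-13": "Terminal Server User", "S-1-5-18": "LocalSystem",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests", "S-1-5-32-547": "Power Users",
    "S-1-5-32-548": "Account Operators", "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators", "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-552": "Replicator", "S-1-5-32-554": "Pre-Windows 2000 Compatible Access",
}

# Fixed RIDs of the predefined accounts and groups created with every domain.
DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 515: "Domain Computers", 516: "Domain Controllers",
    517: "Cert Publishers", 518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners", 553: "RAS and IAS Servers",
}


def domain_rid(sid: Sid) -> Optional[int]:
    """Relative identifier (last sub-authority) of an S-1-5-21-... domain SID."""
    if sid.authority == 5 and len(sid.subauthorities) == 5 and sid.subauthorities[0] == 21:
        return sid.subauthorities[-1]
    return None


def classify(text: str) -> Tuple[str, Optional[str]]:
    """Return (category, default name) for a SID string, matching by SID only.

    A deleted default account cannot be recreated with the same SID because new
    accounts draw RIDs from 1000 upward; the fixed RIDs below are never reissued.
    """
    sid = Sid.parse(text)
    if text in WELL_KNOWN:
        return "well-known", WELL_KNOWN[text]
    rid = domain_rid(sid)
    if rid is None:
        return "unknown", None
    if rid in DOMAIN_RIDS:
        return "domain default", DOMAIN_RIDS[rid]
    return ("domain created", None) if rid >= 1000 else ("unknown", None)
```

A practical use is an audit script that flags the RID-500 account of each domain or machine whatever it has been renamed to, since the rename recommended later in this article changes the display name but not the SID.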
Built-In User Accounts
Built-in user accounts have special uses on Windows 2000. While all Windows 2000 systems have one built-in account called LocalSystem, other built-in user accounts may be available.
The LocalSystem Account
LocalSystem is a pseudo-account for running system processes and handling system-level tasks. The account is available on the local system only. You can't change the settings for the LocalSystem account with the user administration tools. Users can't log on to a computer with this account.
Note: While users can't log on to a computer with the LocalSystem account, certain processes can log on using this account. For example, Windows 2000 services can be configured to log on to a computer using the System account. For more information, see the section of Chapter 3 entitled "Managing System Services."
Other Built-In Accounts
When you install add-ons or other applications on a workstation or server, other default accounts may be installed. You can usually delete these accounts.
When you install Internet Information Services, you may find several new accounts, including IUSR_host and IWAM_host, where host is the computer name. The IUSR_host account is the built-in account for anonymous access to Internet Information Services. The IWAM_host account is used by Internet Information Services to start out-of-process applications. These accounts are defined in Active Directory when they're configured on a domain. However, they're defined as local users when they're configured on a stand-alone server or workstation. Another built-in account that you may see is TSInternetUser. This account is used by Terminal Services.
Predefined User Accounts
Two predefined user accounts are installed with Windows 2000—Administrator and Guest. With workstations and member servers, predefined accounts are local to the individual system they're installed on.
Predefined accounts have counterparts in Active Directory. These accounts have domain-wide access and are completely separate from the local accounts on individual systems.
The Administrator Account
Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
Tip: To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows 2000 account, you may want to rename the account as an extra security precaution.
In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. You'll find more information on these groups in the next section.
Real World: In a domain environment, you'll use the local Administrator account primarily to manage the system when you first install it. This allows you to set up the system without getting locked out. You probably won't use the account once the system has been installed. Instead, you'll probably want to make your administrators members of the Administrators group. This ensures that you can revoke administrator privileges without having to change the passwords for all the Administrator accounts.
For a system that's part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties. Here, you probably won't want to set up individual accounts for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer.
The Guest Account
Guest is designed for users who need one-time or occasional access. While guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system to potential security problems. The potential is so great that the account is initially disabled when you install Windows 2000.
Tip: If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you may want to rename the account as an added security precaution.
Built-In Groups
Built-in groups are installed with all Windows 2000 workstations and servers. Use the built-in groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group. For example, you give a user administrative access to the system by making a user a member of the local Administrators group. You give a user administrative access to the domain by making a user a member of the domain local Administrators group in Active Directory.
The availability of a specific built-in group depends on the current system configuration. Use Table 7-2 to determine the availability of the various built-in groups. Each of these groups is discussed later in the chapter.
Table 7-2 Availability of Built-In Groups Based on the Type of Network Resource
| Group Name | Group Type | Active Directory Domain | Windows 2000 Professional or Member Server |
|---|---|---|---|
| Account Operators | Built-In Local | Yes | No |
| Administrators | Built-In Local, Local | Yes | Yes |
| Backup Operators | Built-In Local, Local | Yes | Yes |
| Guests | Built-In Local, Local | Yes | Yes |
| Power Users | Local | No | Yes |
| Pre-Windows 2000 Compatible Access | Built-In Local | Yes | No |
| Print Operators | Built-In Local | Yes | No |
| Replicator | Built-In Local, Local | Yes | Yes |
| Server Operators | Built-In Local | Yes | No |
| Users | Built-In Local, Local | Yes | Yes |
Predefined Groups
Predefined groups are installed with Active Directory domains. Use these groups to assign additional permissions to users, computers, and other groups. You do this by making the user a member of the group. Predefined groups include domain local, global, and universal groups. The availability of a specific predefined group depends on the domain configuration.
Use Table 7-3 to determine the availability of the various predefined groups. Key predefined groups are discussed later in this chapter.
Note: The group scope for Enterprise Admins and Schema Admins can be either universal or global, depending on the operations mode. In mixed mode, these are global groups. In native mode, these are universal groups.
Table 7-3 Availability of Predefined Groups Based on Domain Configuration
| Group Name | Group Type | When Installed |
|---|---|---|
| Cert Publishers | Global | By default |
| DHCP Administrators | Domain Local | With DHCP |
| DHCP Users | Domain Local | With DHCP |
| DnsAdmins | Domain Local | With DNS |
| DnsUpdateProxy | Global | With DNS |
| Domain Admins | Global | By default |
| Domain Computers | Global | By default |
| Domain Controllers | Global | By default |
| Domain Guests | Global | By default |
| Domain Users | Global | By default |
| Enterprise Admins | Universal/Global | By default |
| Group Policy Creator Owners | Global | By default |
| RAS and IAS Servers | Domain Local | With remote access services |
| Schema Admins | Universal/Global | By default |
| WINS Users | Domain Local | With WINS |
Implicit Groups and Special Identities
In Windows NT, implicit groups were assigned implicitly during logon, based on how a user accessed a network resource. For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group called Interactive. In Windows 2000, the object-based approach to the directory structure changes the original rules for implicit groups. While you still can't view the membership of special identities, you can grant membership in implicit groups to users, groups, and computers.
To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership can be set implicitly, such as during logon, or explicitly through security access permissions. As with other default groups, the availability of a specific implicit group depends on the current configuration. Use Table 7-4 to determine the availability of the various implicit groups. Implicit groups are discussed later in this chapter.
Table 7-4 Availability of Implicit Groups Based on the Type of Network Resource
| Group Name | Group Type | Active Directory Domain | Windows 2000 Professional or Member Server |
|---|---|---|---|
| Anonymous Logon | Implicit | Yes | Yes |
| Authenticated Users | Implicit | Yes | Yes |
| Batch | Implicit | Yes | Yes |
| Creator Group | Implicit | Yes | Yes |
| Creator Owner | Implicit | Yes | Yes |
| Dialup | Implicit | Yes | Yes |
| Enterprise Domain Controllers | Implicit | Yes | No |
| Everyone | Implicit | Yes | Yes |
| Interactive | Implicit | Yes | Yes |
| Network | Implicit | Yes | Yes |
| Proxy | Implicit | Yes | No |
| Restricted | Implicit | Yes | No |
| Self | Implicit | Yes | No |
| Service | Implicit | Yes | Yes |
| System | Implicit | Yes | Yes |
| Terminal Server User | Implicit | No | Yes |
Account Capabilities
When you set up a user account, you can grant the user specific capabilities. You generally assign these capabilities by making the user a member of one or more groups, which gives the user the capabilities of those groups. You grant additional capabilities by adding the user to further groups, and you withdraw capabilities by removing group memberships.
In Windows 2000, you can assign the following types of capabilities to an account:
Privileges: A type of user right that grants permission to perform specific administrative tasks. You can assign privileges to both user and group accounts. An example of a privilege is the ability to shut down the system.
Logon rights: A type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. An example of a logon right is the ability to log on locally.
Built-in capabilities: A type of user right that is assigned to groups and includes the automatic capabilities of the group. Built-in capabilities are predefined and unchangeable, but they can be delegated to users with permission to manage objects, organizational units, or other containers. An example of a built-in capability is the ability to create, delete, and manage user accounts. This capability is assigned to Administrators and Account Operators. Thus, if a user is a member of the Administrators group, the user can create, delete, and manage user accounts.
Access permissions: A type of user right that defines the operations that can be performed on network resources. You can assign access permissions to users, computers, and groups. An example of an access permission is the ability to create a file in a directory. Access permissions are discussed in Chapter 13.
As an administrator, you'll be dealing with account capabilities every day. To help track built-in capabilities, refer to the sections that follow. Keep in mind that while you can't change the built-in capabilities of a group, you can change the default rights of a group. For example, an administrator could revoke network access to a computer by removing a group's right to access the computer from the network.
Privileges
A privilege is a type of user right that grants permissions to perform a specific administrative task. You assign privileges through group policies, which can be applied to individual computers, organizational units, and domains. Although you can assign privileges to both users and groups, you'll usually want to assign privileges to groups. In this way, users are automatically assigned the appropriate privileges when they become members of a group. Assigning privileges to groups also makes it easier to manage user accounts.
Table 7-5 provides a brief summary of each of the privileges that can be assigned to users and groups. To learn how to assign privileges, see Chapter 8.
Table 7-5 Windows 2000 Privileges for Users and Groups
| Privilege | Description |
|---|---|
| Act as part of the operating system | Allows a process to authenticate as any user and gain access to resources as any user. Processes that require this privilege should use the LocalSystem account, which already has this privilege. |
| Add workstations to domain | Allows users to add computers to the domain. |
| Back up files and directories | Allows users to back up the system regardless of the permissions set on files and directories. |
| Bypass traverse checking | Allows users to pass through directories while navigating an object path regardless of permissions set on the directories. The privilege doesn't allow the user to list directory contents. |
| Change the system time | Allows users to set the time for the system clock. |
| Create a pagefile | Allows users to create and change paging file size for virtual memory. |
| Create a token object | Allows processes to create token objects that can be used to gain access to local resources. Processes that require this privilege should use the LocalSystem account, which already has this privilege. |
| Create permanent shared objects | Allows processes to create directory objects in the Windows 2000 object manager. Most components already have this privilege, and it's not necessary to specifically assign it. |
| Debug programs | Allows users to perform debugging. |
| Enable user and computer accounts to be trusted for delegation | Allows users and computers to change or apply the trusted-for-delegation setting, provided they have write access to the object. |
| Force shutdown of a remote system | Allows users to shut down a computer from a remote location on the network. |
| Generate security audits | Allows processes to make security log entries for auditing object access. |
| Increase quotas | Allows processes to increase the processor quota assigned to other processes, provided they have write access to the processes. |
| Increase scheduling priority | Allows processes to increase the scheduling priority assigned to other processes, provided they have write access to the processes. |
| Load and unload device drivers | Allows users to install and uninstall plug-and-play device drivers. This doesn't affect device drivers that aren't plug-and-play, which can only be installed by administrators. |
| Lock pages in memory | In Windows NT, allowed processes to keep data in physical memory, preventing the system from paging data to virtual memory on disk. Not used in Windows 2000. |
| Manage auditing and security log | Allows users to specify auditing options and access the security log. You must turn on auditing in the group policy first. |
| Modify firmware environment values | Allows users and processes to modify system environment variables. |
| Profile a single process | Allows users to monitor the performance of nonsystem processes. |
| Profile system performance | Allows users to monitor the performance of system processes. |
| Remove computer from docking station | Allows users to undock a computer. |
| Replace a process-level token | Allows processes to replace the default token for subprocesses. |
| Restore files and directories | Allows users to restore backed-up files and directories, regardless of the permissions set on files and directories. |
| Shut down the system | Allows users to shut down the local computer. |
| Synchronize directory service data | Allows users to synchronize directory service data on domain controllers. |
| Take ownership of files or other objects | Allows users to take ownership of files or any other objects, including Active Directory objects. |
Logon Rights
A logon right is a type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. As with privileges, you assign logon rights through group policies and you'll usually want to assign logon rights to groups rather than individual users.
Table 7-6 provides a brief summary of each of the logon rights that can be assigned to users and groups. To learn how to assign logon rights, see Chapter 8.
Table 7-6 Windows 2000 Logon Rights for Users and Groups
| Logon Right | Description |
|---|---|
| Access this computer from the network | Allows users to connect to the computer over the network. By default, this right is granted to Administrators, Everyone, and Power Users. |
| Deny access to this computer from the network | Denies remote access to the computer. |
| Deny logon as batch job | Denies the right to log on through a batch job or script. |
| Deny logon as service | Denies the right to log on as a service. |
| Deny logon locally | Denies the right to log on at the computer's keyboard. |
| Log on as a batch job | Allows users to log on using a batch-queue facility. This capability is not supported in the current release of Windows 2000. By default, this right is granted to Administrators. |
| Log on as a service | Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone. |
| Log on locally | Allows users to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators. |
Built-In Capabilities for Groups in Active Directory
The built-in capabilities for groups in Active Directory are fairly extensive. The tables that follow summarize the most common capabilities that are assigned by default. Table 7-7 shows the default user rights for groups in Active Directory domains. This includes both privileges and logon rights. Note that any action that's available to the Everyone group is available to all groups, including the Guests group. This means that although the Guests group doesn't have explicit permission to access the computer from the network, Guests can still access the system because the Everyone group has this right.
Table 7-7 Default User Rights for Groups in Active Directory
| User Right | Groups Assigned |
|---|---|
| Access this computer from the network | Everyone |
| Add workstations to domain | Administrators |
| Back up files and directories | Administrators, Server Operators, Backup Operators |
| Bypass traverse checking | Everyone |
| Change the system time | Administrators, Server Operators |
| Create a pagefile | Administrators |
| Debug programs | Administrators |
| Force shutdown from a remote system | Administrators, Server Operators |
| Increase quotas | Administrators |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Log on locally | Administrators, Server Operators, Account Operators, Backup Operators, Print Operators |
| Manage auditing and security log | Administrators |
| Modify firmware environment variables | Administrators |
| Profile a single process | Administrators |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators |
| Restore files and directories | Administrators, Server Operators, Backup Operators |
| Shut down the system | Administrators, Server Operators, Account Operators, Backup Operators, Print Operators |
| Take ownership of files or other objects | Administrators |
Table 7-8 shows the default user rights for local groups on member servers and workstations. Again, this includes both privileges and logon rights. Note that on these systems, Power Users have privileges that normal users don't.
Table 7-8 Default User Rights for Local Groups
| User Right | Groups Assigned |
|---|---|
| Access this computer from the network | Administrators, Power Users, Everyone |
| Back up files and directories | Administrators, Backup Operators |
| Bypass traverse checking | Everyone |
| Change the system time | Administrators, Power Users |
| Create a pagefile | Administrators |
| Debug programs | Administrators |
| Force shutdown from a remote system | Administrators |
| Increase quotas | Administrators |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Log on locally | Administrators, Backup Operators, Power Users, Users, Everyone, Guests |
| Manage auditing and security log | Administrators |
| Modify firmware environment variables | Administrators |
| Profile a single process | Administrators, Power Users |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators, Power Users, Users |
| Restore files and directories | Administrators, Backup Operators |
| Shut down the system | Administrators, Backup Operators, Power Users, Users |
| Take ownership of files or other objects | Administrators |
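The two points made around Tables 7-7 and 7-8, that Guests inherit network access through Everyone and that Power Users hold rights ordinary Users lack, follow from how rights accumulate across group memberships. The Python below (an added example for this page, not code from the TechNet article) transcribes both tables and computes the effective rights of a principal from its group memberships. The rule that an explicit Deny right overrides a matching Allow right is standard Windows behaviour; the Deny entry for Guests used in the demonstration is a constructed policy change, not a default from the tables.

```python
"""Model how Windows 2000 user rights combine across group memberships.

Added example; not code from the TechNet article. The tables are transcribed
from Table 7-7 (Active Directory domains) and Table 7-8 (local groups). Deny
overriding Allow is standard Windows behaviour; the Guests deny used in the
demonstration is a constructed policy change, not a table default.
"""
from typing import Dict, FrozenSet, Iterable, Set

# Table 7-7: default user rights for groups in Active Directory domains.
DOMAIN_TABLE = """
Access this computer from the network | Everyone
Add workstations to domain | Administrators
Back up files and directories | Administrators, Server Operators, Backup Operators
Bypass traverse checking | Everyone
Change the system time | Administrators, Server Operators
Create a pagefile | Administrators
Debug programs | Administrators
Force shutdown from a remote system | Administrators, Server Operators
Increase quotas | Administrators
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Log on locally | Administrators, Server Operators, Account Operators, Backup Operators, Print Operators
Manage auditing and security log | Administrators
Modify firmware environment variables | Administrators
Profile a single process | Administrators
Profile system performance | Administrators
Remove computer from docking station | Administrators
Restore files and directories | Administrators, Server Operators, Backup Operators
Shut down the system | Administrators, Server Operators, Account Operators, Backup Operators, Print Operators
Take ownership of files or other objects | Administrators
"""

# Table 7-8: default user rights for local groups on member servers and workstations.
LOCAL_TABLE = """
Access this computer from the network | Administrators, Power Users, Everyone
Back up files and directories | Administrators, Backup Operators
Bypass traverse checking | Everyone
Change the system time | Administrators, Power Users
Create a pagefile | Administrators
Debug programs | Administrators
Force shutdown from a remote system | Administrators
Increase quotas | Administrators
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Log on locally | Administrators, Backup Operators, Power Users, Users, Everyone, Guests
Manage auditing and security log | Administrators
Modify firmware environment variables | Administrators
Profile a single process | Administrators, Power Users
Profile system performance | Administrators
Remove computer from docking station | Administrators, Power Users, Users
Restore files and directories | Administrators, Backup Operators
Shut down the system | Administrators, Backup Operators, Power Users, Users
Take ownership of files or other objects | Administrators
"""

# Allow right -> the Deny right from Table 7-6 that overrides it.
DENY_COUNTERPART = {
    "Access this computer from the network": "Deny access to this computer from the network",
    "Log on locally": "Deny logon locally",
    "Log on as a batch job": "Deny logon as batch job",
    "Log on as a service": "Deny logon as service",
}


def parse_table(text: str) -> Dict[str, Set[str]]:
    """Turn 'right | group, group' lines into a right -> groups mapping."""
    policy: Dict[str, Set[str]] = {}
    for line in text.strip().splitlines():
        right, groups = (part.strip() for part in line.split("|", 1))
        policy[right] = {g.strip() for g in groups.split(",")}
    return policy


DOMAIN_DEFAULTS = parse_table(DOMAIN_TABLE)
LOCAL_DEFAULTS = parse_table(LOCAL_TABLE)


def effective_rights(member_of: Iterable[str], policy: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Rights a principal holds given its explicit group memberships.

    Everyone is added implicitly, which is how Guests gain network access in the
    domain defaults. A right held through any group is granted, then a matching
    Deny right held through any group removes the grant."""
    groups = set(member_of) | {"Everyone"}
    held = {right for right, holders in policy.items() if holders & groups}
    allowed = {r for r in held if not r.startswith("Deny")}
    return frozenset(r for r in allowed if DENY_COUNTERPART.get(r) not in held)


def with_right(policy: Dict[str, Set[str]], right: str, groups: Iterable[str]) -> Dict[str, Set[str]]:
    """Copy of the policy with one right reassigned, as a group policy change would do."""
    changed = {r: set(g) for r, g in policy.items()}
    changed[right] = set(groups)
    return changed


def guests_have_network_access(policy: Dict[str, Set[str]] = DOMAIN_DEFAULTS) -> bool:
    return "Access this computer from the network" in effective_rights({"Guests"}, policy)


def power_user_extras(policy: Dict[str, Set[str]] = LOCAL_DEFAULTS) -> FrozenSet[str]:
    """What a Power User can do that an ordinary User cannot (Table 7-8)."""
    return effective_rights({"Power Users"}, policy) - effective_rights({"Users"}, policy)


if __name__ == "__main__":
    print("Guests reach the network via Everyone:", guests_have_network_access())
    hardened = with_right(DOMAIN_DEFAULTS, "Deny access to this computer from the network", {"Guests"})
    print("After an explicit Deny for Guests:", guests_have_network_access(hardened))
    print("Power Users beyond Users:", sorted(power_user_extras()))
```

The same evaluation applied to a real export of a computer's user rights assignments is a quick way to check that removing a group from an Allow right (as described under Account Capabilities) actually removed the capability, rather than leaving it reachable through Everyone or another group.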
Table 7-9 summarizes capabilities that can be delegated to other users and groups. As you study the table, note that restricted accounts include the Administrator user account, the user accounts of administrators, and the group accounts for Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Because these accounts are restricted, Account Operators can't create or modify them.
Table 7-9 Other Capabilities for Built-In and Local Groups
| Task | Description | Group Normally Assigned |
|---|---|---|
| Assign user rights | Allows users to assign user rights to other users | Administrators |
| Create, delete, and manage user accounts | Allows users to administer domain user accounts | Administrators, Account Operators |
| Modify the membership of a group | Allows users to add and remove users from domain groups | Administrators, Account Operators |
| Create and delete groups | Allows users to create a new group and delete existing groups | Administrators, Account Operators |
| Reset passwords on user accounts | Allows users to reset passwords on user accounts | Administrators, Account Operators |
| Read all user information | Allows users to view user account information | Administrators, Server Operators, Account Operators |
| Manage group policy links | Allows users to apply existing group policies to sites, domains, and organizational units for which they have write access to the related objects | Administrators |
| Manage printers | Allows users to modify printer settings and manage print queues | Administrators, Server Operators, Print Operators |
| Create and delete printers | Allows users to create and delete printers | Administrators, Server Operators, Print Operators |