Local Users and Groups best practices

Applies To: Windows Server 2008

Best practices

  • As a security best practice, it is recommended that you do not log on to your computer with administrative credentials.

    When you are logged on to your computer without administrative credentials, you can use Run as Administrator to accomplish tasks that require a higher level of privilege than a standard user account. For more information, see Using Run as (https://go.microsoft.com/fwlink/?LinkId=28314).

  • To further secure your local computer, it is recommended that you implement the following security guidelines:

    • Limit the number of users in the Administrators group because members of the Administrators group on a local computer have Full Control permissions on that computer.

      For more information, see Why you should not run your computer as an administrator.

    • Leave the Guest account disabled. The Guest account is used by people who do not have an actual account on the computer. The Guest account does not require a password; therefore, it is a security risk. The Guest account is disabled by default, and it is recommended that it stay disabled.

      For more information, see Local user accounts.

    • Leave the Administrator account disabled. The Administrator account is disabled by default, and it is recommended that it stay disabled.

      For more information, see Local user accounts.

    • Some default user rights that are assigned to specific default local groups may allow members of those groups to gain additional rights on your computer, including administrative rights. Therefore, you must trust equally all personnel that are members of the Administrators and Backup Operators groups.

      For more information about these groups, see Default local groups.

    • Review important security considerations about local users and groups.

  • Use passwords no longer than 14 characters if you are on a network with computers running Windows 95 and Windows 98.

    You can create a password containing up to 127 characters. However, computers running Windows 95 and Windows 98 support passwords up to only 14 characters. If your password is longer than 14 characters, you may not be able to log on to the network from computers running Windows 95 and Windows 98.

    For more information, see Create a local user account.
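
An added example, not part of the original guidance: a read-only PowerShell check of the account and group guidelines above. It reports whether the built-in Administrator and Guest accounts are disabled and lists the members of the Administrators and Backup Operators groups. Accounts and groups are looked up by well-known SID so that renamed or localized names are still found; the `$adminLimit` threshold is an assumed policy value, not one the guidance gives.

```powershell
# Added example: read-only audit of the local-account guidelines on this computer.
# Uses WMI and ADSI only, so it does not depend on newer account cmdlets.
$computer   = $env:COMPUTERNAME
$adminLimit = 2   # assumed policy threshold, not a value from the guidance

# Built-in accounts are matched by well-known RID (500 = Administrator, 501 = Guest).
$builtin = @{ '500' = 'Administrator'; '501' = 'Guest' }
$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
foreach ($user in $users) {
    $rid = $user.SID.Split('-')[-1]
    if ($builtin.ContainsKey($rid)) {
        if ($user.Disabled) { $state = 'OK (disabled)' }
        else                { $state = 'REVIEW (enabled)' }
        Write-Output ("{0,-14} account '{1}': {2}" -f $builtin[$rid], $user.Name, $state)
    }
}

# Groups whose members must be trusted equally, matched by well-known SID.
$groups = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-551' = 'Backup Operators' }
foreach ($sid in $groups.Keys) {
    $group = Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True AND SID='$sid'"
    if (-not $group) { continue }

    # The WinNT provider returns local and domain members of a local group.
    $adsi = [ADSI]"WinNT://$computer/$($group.Name),group"
    $members = @($adsi.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    Write-Output ("{0} ('{1}'): {2} member(s)" -f $groups[$sid], $group.Name, $members.Count)
    foreach ($member in $members) { Write-Output "    $member" }

    # Flag an Administrators group that is larger than the assumed limit.
    if ($sid -eq 'S-1-5-32-544' -and $members.Count -gt $adminLimit) {
        Write-Output "    REVIEW: more than $adminLimit members hold Full Control on this computer"
    }
}
```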