3.1.4.2 Default Accounts
The following accounts MUST be present in a server's database.<41>
Non-DC configuration, user accounts.

Name | Domain | Rid | userAccountControl |
---|---|---|---|
Administrator | Account | 500 | UF_NORMAL_ACCOUNT \| UF_DONT_EXPIRE_PASSWORD |
Guest | Account | 501 | UF_NORMAL_ACCOUNT \| UF_ACCOUNTDISABLE \| UF_DONT_EXPIRE_PASSWORD |

Non-DC configuration, alias accounts.

Name | Domain | Rid | Member |
---|---|---|---|
Administrators | Built-in | 544 | Administrator |
Users | Built-in | 545 | |
Guests | Built-in | 546 | Guest |
Power Users | Built-in | 547 | |
Print Operators | Built-in | 550 | |
Backup Operators | Built-in | 551 | |
Replicator | Built-in | 552 | |
Remote Desktop Users | Built-in | 555 | |
Network Configuration Operators | Built-in | 556 | |
Performance Monitor Users | Built-in | 558 | |
Performance Log Users | Built-in | 559 | |
Distributed COM Users | Built-in | 562 | |
IIS_IUSRS | Built-in | 568 | IUSR |
Cryptographic Operators | Built-in | 569 | |
Event Log Readers | Built-in | 573 | |

DC configuration, user accounts.

Name | Domain | Rid | userAccountControl |
---|---|---|---|
Administrator | Account | 500 | UF_NORMAL_ACCOUNT \| UF_DONT_EXPIRE_PASSWORD |
Guest | Account | 501 | UF_NORMAL_ACCOUNT \| UF_ACCOUNTDISABLE \| UF_DONT_EXPIRE_PASSWORD |
krbtgt | Account | 502 | UF_NORMAL_ACCOUNT \| UF_ACCOUNTDISABLE |

DC configuration, universal group accounts (only on root domain).

Name | Domain | Rid | Member |
---|---|---|---|
Schema Admins | Account | 518 | Administrator |
Enterprise Admins | Account | 519 | Administrator |
Enterprise Read-only Domain Controllers | Account | 498 | |

DC configuration, group accounts.

Name | Domain | Rid | Member |
---|---|---|---|
Domain Admins | Account | 512 | Administrator |
Domain Users | Account | 513 | |
Domain Guests | Account | 514 | Guest |
Domain Computers | Account | 515 | |
Domain Controllers | Account | 516 | |
Group Policy Creator Owners | Account | 520 | Administrator |
Read-only Domain Controllers | Account | 521 | |

DC configuration, alias accounts.

Name | Domain | Rid | Member |
---|---|---|---|
Administrators | Built-in | 544 | Administrator, Enterprise Admins |
Users | Built-in | 545 | Domain Users |
Guests | Built-in | 546 | Domain Guests, Guest |
Account Operators | Built-in | 548 | |
System Operators | Built-in | 549 | |
Print Operators | Built-in | 550 | |
Backup Operators | Built-in | 551 | |
Replicator | Built-in | 552 | |
Cert Publishers | Account | 517 | |
RAS and IAS Servers | Account | 553 | |
* Pre-Windows 2000 operating system Compatible Access | Built-in | 554 | Everyone, Anonymous Logon, Authenticated Users |
Remote Desktop Users | Built-in | 555 | |
Network Configuration Operators | Built-in | 556 | |
Incoming Forest Trust Builders | Built-in | 557 | |
Performance Monitor Users | Built-in | 558 | |
Performance Log Users | Built-in | 559 | |
Windows Authorization Access Group | Built-in | 560 | Enterprise Domain Controllers |
Terminal Server License Servers | Built-in | 561 | |
Distributed COM Users | Built-in | 562 | |
IIS_IUSRS | Built-in | 568 | IUSR |
Cryptographic Operators | Built-in | 569 | |
Allowed RODC Password Replication Group | Account | 571 | |
Denied RODC Password Replication Group | Account | 572 | Group Policy Creator Owners, Domain Admins, Cert Publishers, Domain Controllers, Krbtgt, Enterprise Admins, Schema Admins, Read-only Domain Controllers |
Event Log Readers | Built-in | 573 | |
Certificate Service DCOM Access | Built-in | 574 | |

* The information about Pre-Windows 2000 Compatible Access is qualified by the following product behavior note.<42>