Local and Domain Default Groups
Applies To: Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2012
Default groups are created when you install Windows client or server operating systems and Active Directory Domain Services (AD DS) domains. Domain member computers and stand-alone computers have default local groups that are created automatically in their local security accounts database. Domain controllers are an exception: they use the central Active Directory database to create default groups. All domain member computers can access the central Active Directory database.
Default local groups
The Groups folder in the Local Users and Groups Microsoft Management Console (MMC) snap-in displays the default local groups as well as the local groups that you create. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer. For more information about domain-based groups, see Default domain groups.
You can add local user accounts, domain user accounts, computer accounts, and group accounts to local groups. However, you cannot add local user accounts and local group accounts to domain group accounts. For more information about adding members to local groups, see Add a member to a local group (https://go.microsoft.com/fwlink/?LinkId=148785).
The following table describes the default groups in the Groups folder, and it lists the default user rights for each group. These user rights are assigned in the local security policy. For complete descriptions of the user rights that are listed in the table, see User Rights Assignment (https://go.microsoft.com/fwlink/?LinkId=148787). For information about editing these rights, see Assign user rights for your local computer (https://go.microsoft.com/fwlink/?LinkId=148788).
| Group | Description | Default user rights |
|---|---|---|
Administrators |
Members of this group have full control of the server, and they can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member of this group. When this server is joined to a domain, the Domain Admins group is automatically added to this group. Because this group has full control of the server, add users to this group with caution. For more information, see Default local groups (https://go.microsoft.com/fwlink/?LinkId=149101) and Default groups (https://go.microsoft.com/fwlink/?LinkID=131422). |
|
Backup Operators |
Members of this group can back up and restore files on the server, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. Members of this group cannot change security settings. |
|
DHCP Administrators (installed with the DHCP Server service) |
Members of this group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server role only, while not providing full access to the server. Members of this group can administer DHCP on a server by using the DHCP console or the netsh command, but they are not able to perform other administrative actions on the server. |
No default user rights |
DHCP Users (installed with the DHCP Server service) |
Members of this group have read-only access to the DHCP Server service. This access allows members to view information and properties that are stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports. |
No default user rights |
Guests |
A member of this group will have a temporary profile created when they log on, and when they log off, the profile will be deleted. The Guest account (which is disabled by default) is also a default member of this group. |
No default user rights |
HelpServicesGroup |
Administrators can use this group to set rights that are common to all support applications. By default, the only group member is the account that is associated with Microsoft support applications, such as Remote Assistance. Do not add users to this group. |
No default user rights |
Network Configuration Operators |
Members of this group can make changes to TCP/IP settings, and they can renew and release TCP/IP addresses. This group has no default members. |
No default user rights |
Performance Monitor Users |
Members of this group can monitor performance counters on the server, locally and from remote clients, without being members of the Administrators or Performance Log Users groups. |
No default user rights |
Performance Log Users |
Members of this group can manage performance counters, logs, and alerts on the server, locally and from remote clients, without being members of the Administrators group. |
No default user rights |
Power Users |
Members of this group can create user accounts and then modify and delete the accounts that they created. They can create local groups and then add or remove users from the local groups that they created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources that they created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs. |
|
Print Operators |
Members of this group can manage printers and print queues. |
No default user rights |
Remote Desktop Users |
Members of this group can log on remotely to a server. For more information, see Enabling users to connect remotely to the server (https://go.microsoft.com/fwlink/?LinkID=136310). |
Allow log on through Terminal Services |
Replicator |
The Replicator group supports replication functions. The only member of the Replicator group should be a domain user account that is used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group. |
No default user rights |
Terminal Server Users |
This group contains any users who are currently logged on to the system with Terminal Server. Any program that a user can run with Windows NT 4.0 will run for a member of the Terminal Server User group. The default permissions that are assigned to this group enable its members to run most earlier programs. |
No default user rights |
Users |
Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account that is created in the domain becomes a member of this group. |
|
WINS Users (installed with WINS service) |
Members of this group are permitted read-only access to Windows Internet Name Service (WINS). This allows members of the group to view information and properties that are stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports. |
No default user rights |
For more information about the most common default groups, see Default security settings for groups (https://go.microsoft.com/fwlink/?LinkId=149130).
Default domain groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group on any shared resources. For more information about user rights and permissions, see Group types (https://go.microsoft.com/fwlink/?LinkId=149131).
You can manage groups by using the Active Directory Users and Computers snap-in. Default groups are located in the Builtin container and the Users container. The Builtin container contains groups that are defined with domain local scope. The Users container contains groups that are defined with global scope and groups that are defined with domain local scope. You can move groups that are located in these containers to other groups or organizational units (OUs) within the domain, but you cannot move them to other domains.
As a security best practice, we recommend that members of default groups with broad administrative access use the Run as command to perform administrative tasks. For more information, see Using Run as (https://go.microsoft.com/fwlink/?LinkID=149133). For information about security best practices, see Active Directory Best Practices (https://go.microsoft.com/fwlink/?LinkId=149135). For information about additional security measures that you can use to protect Active Directory, see Securing Active Directory (https://go.microsoft.com/fwlink/?LinkId=149136).
Groups in the Builtin container
The following table provides descriptions of the default groups that are located in the Builtin container, and it lists the assigned user rights for each group. For complete descriptions of the user rights that are listed in the table, see User rights assignment. For information about editing these rights, see To edit a security setting on a Group Policy object.
| Group | Description | Default user rights |
|---|---|---|
Account Operators |
Members of this group can create, modify, and delete accounts for users, groups, and computers that are located in the Users or Computers containers and OUs in the domain, except the Domain Controllers OU. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users to this group with caution. |
|
Administrators |
Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member of the Administrators group. Because this group has full control in the domain, add users to this group with caution. |
|
Backup Operators |
Members of this group can back up and restore all files on domain controllers in the domain, regardless of their own individual permissions on those files. Backup Operators can also log on to domain controllers and shut them down. This group has no default members. Because this group has significant power on domain controllers, add users to this group with caution. |
|
Guests |
By default, the Domain Guests group is a member of this group. The Guest account (which is disabled by default) is also a default member of this group. |
No default user rights |
Incoming Forest Trust Builders (appears only in the forest root domain) |
Members of this group can create one-way, incoming forest trusts to the forest root domain. For example, members of this group that reside in Forest A can create a one-way, incoming forest trust from Forest B. This one-way, incoming forest trust allows users in Forest A to access resources in Forest B. Members of this group are granted the permission Create Inbound Forest Trust on the forest root domain. This group has no default members. For more information about creating forest trusts, see Create a forest trust (https://go.microsoft.com/fwlink/?LinkId=149137). |
No default user rights |
Network Configuration Operators |
Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members. |
No default user rights |
Performance Monitor Users |
Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being members of the Administrators or Performance Log Users groups. |
No default user rights |
Performance Log Users |
Members of this group can manage performance counters, logs, and alerts on domain controllers in the domain, locally and from remote clients, without being members of the Administrators group. |
No default user rights |
Pre-Windows 2000 Compatible Access |
Members of this group have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity Everyone is a member of this group. For more information about special identities, see Special identities (https://go.microsoft.com/fwlink/?LinkId=149138). Add users to this group only if they are running Windows NT 4.0 or earlier. |
|
Print Operators |
Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can log on locally to domain controllers in the domain and shut them down. This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users to this group with caution. |
|
Remote Desktop Users |
Members of this group can log on remotely to domain controllers in the domain. This group has no default members. |
No default user rights |
Replicator |
This group supports directory replication functions. The File Replication service uses this group on domain controllers in the domain. This group has no default members. Do not add users to this group. |
No default user rights |
Server Operators |
On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users to this group with caution. |
|
Users |
Members of this group can perform most common tasks, such as running applications, using local and network printers, and locking the server. By default, Domain Users, Authenticated Users, and Interactive are members of this group. Therefore, any user account that is created in the domain becomes a member of this group. |
No default user rights |
Groups in the Users container
The following table describes the default groups that are located in the Users container, and it lists the assigned user rights for each group. For complete descriptions of the user rights that listed in the table, see User rights assignment (https://go.microsoft.com/fwlink/?LinkID=148787). For information about editing these rights, see Edit security settings on a Group Policy object (https://go.microsoft.com/fwlink/?LinkId=149139).
| Group | Description | Default user rights |
|---|---|---|
Cert Publishers |
Members of this group are permitted to publish certificates for users and computers. This group has no default members. |
No default user rights |
DnsAdmins (installed with Domain Name System (DNS)) |
Members of this group have administrative access to the DNS Server service. This group has no default members. |
No default user rights |
DnsUpdateProxy (installed with DNS) |
Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members. |
No default user rights |
Domain Admins |
Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time that they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users to this group with caution. |
|
Domain Computers |
This group contains all workstations and servers that are joined to the domain. By default, any computer account that is created becomes a member of this group automatically. |
No default user rights |
Domain Controllers |
This group contains all domain controllers in the domain. |
No default user rights |
Domain Guests |
This group contains all domain guests. |
No default user rights |
Domain Users |
This group contains all domain users. By default, any user account that is created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group. (Or you can add the Domain Users group to a local group—on the print server—that has permissions for the printer.) |
No default user rights |
Enterprise Admins (appears only in the forest root domain) |
Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users to this group with caution. |
|
Group Policy Creator Owners |
Members of this group can modify Group Policy in the domain. By default, the Administrator account is a member of this group. Because this group has significant power in the domain, add users to this group with caution. |
No default user rights |
IIS_WPG (installed with IIS) |
The IIS_WPG group is the Internet Information Services (IIS) 6.0 worker process group. IIS 6.0 contains worker processes that serve specific namespaces. For example, www.microsoft.com is a namespace that is served by one worker process, which can run under an identity that is added to the IIS_WPG group, such as MicrosoftAccount. This group has no default members. |
No default user rights |
RAS and IAS Servers |
Servers in this group are permitted access to the remote access properties of users. |
No default user rights |
Schema Admins (appears only in the forest root domain) |
Members of this group can modify the Active Directory schema. By default, the Administrator account is a member of this group. Because this group has significant power in the forest, add users to this group with caution. |
No default user rights |
See Also
Concepts
Run a program with administrative credentials
Other Resources
Using Run as
Create a shortcut using the runas command
Why you should not run your computer as an administrator