How-to: Windows Built-in Users, Default Groups and Special Identities

Special identities are implicit placeholders: they do not exist as objects in Active Directory or the local SAM and have no editable membership, but they can be used wherever a security principal is needed when assigning permissions or user rights. The operating system works out at logon which of them apply to a session (from the logon type, the authentication package used, the trust the user came from and so on) and adds the corresponding SIDs to the access token.
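To see this happening on a live token, the following script (an added example, not code from the original page) lists the special identities that LSA has computed into the current session's access token and summarises how the session was created. The SID-to-name table is the well-known SID list (KB243330, linked below); the output shape and the function names are this example's own.

```powershell
# Added example, not code from the original page: list the special identities that
# LSA has computed into the current access token. These SIDs are not stored as group
# memberships anywhere; they are added at logon from the logon type and the
# authentication package. SID values are from the well-known SID list (KB243330).
$specialIdentities = @{
    'S-1-1-0'     = 'Everyone'
    'S-1-5-1'     = 'Dialup'
    'S-1-5-2'     = 'Network'
    'S-1-5-3'     = 'Batch'
    'S-1-5-4'     = 'Interactive'
    'S-1-5-6'     = 'Service'
    'S-1-5-7'     = 'Anonymous Logon'
    'S-1-5-11'    = 'Authenticated Users'
    'S-1-5-12'    = 'Restricted'
    'S-1-5-13'    = 'Terminal Server User'
    'S-1-5-14'    = 'Remote Interactive Logon'
    'S-1-5-15'    = 'This Organization'
    'S-1-5-1000'  = 'Other Organization'
    'S-1-5-64-10' = 'NTLM Authentication'
    'S-1-5-64-14' = 'SChannel Authentication'
    'S-1-5-64-21' = 'Digest Authentication'
    'S-1-5-113'   = 'Local account'
    'S-1-5-114'   = 'Local account and member of Administrators group'
}

function Get-TokenIdentities {
    param(
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # $Identity.Groups holds every group SID and special-identity SID in the token,
    # whether or not the SID can be resolved to a name.
    foreach ($sid in $Identity.Groups) {
        $value = $sid.Value
        if ($specialIdentities.ContainsKey($value)) {
            [pscustomobject]@{ SID = $value; Name = $specialIdentities[$value]; Kind = 'Special identity (computed at logon)' }
        }
        elseif ($value -like 'S-1-5-32-*') {
            # BUILTIN\... groups: real memberships, but local to this machine.
            $name = $value
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ SID = $value; Name = $name; Kind = 'Built-in local group' }
        }
        # Domain and local group SIDs (S-1-5-21-...) are ordinary memberships and are skipped.
    }
}

function Get-LogonSummary {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $present = @{}
    foreach ($row in Get-TokenIdentities -Identity $identity) { $present[$row.SID] = $true }
    # An administrator's filtered (non-elevated) token still lists BUILTIN\Administrators,
    # but as a deny-only SID; WindowsPrincipal.IsInRole honours that, so this reports
    # whether the session is actually running with administrative rights.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        User                  = $identity.Name
        Interactive           = $present.ContainsKey('S-1-5-4')
        RemoteInteractive     = $present.ContainsKey('S-1-5-14')
        Network               = $present.ContainsKey('S-1-5-2')
        Batch                 = $present.ContainsKey('S-1-5-3')
        Service               = $present.ContainsKey('S-1-5-6')
        NtlmAuthenticated     = $present.ContainsKey('S-1-5-64-10')
        LocalAccount          = $present.ContainsKey('S-1-5-113')
        ElevatedAdministrator = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenIdentities | Sort-Object Kind, SID | Format-Table -AutoSize
Get-LogonSummary | Format-List
```

Run it from a normal console and Interactive is present while Network is absent; run the same script through Invoke-Command against the same machine and Network appears instead; in a Remote Desktop session both Interactive and Remote Interactive Logon are present; from a scheduled task you get Batch, and from a service you get Service. That is what "membership is calculated by the OS" means in practice, and it is why an ACE granting Network or Interactive behaves differently from one granting a normal group.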

Each entry below is tagged [Group], [User] or [Special Identity] (the three columns of the original table); a group's scope (built-in local, domain local, global or universal) follows the tag where it is known. "Default User Rights" lists the user rights and privileges (the SeXxx constants used by secedit and Group Policy) that default security policy assigns to that principal.

Access Control Assistance Operators [Group, built-in local]
Members can remotely query authorization attributes and permissions for resources on the computer.
Default User Rights: None

Account Operators [Group, built-in local, domain controllers]
Grants limited account creation privileges. Members can create and modify most types of accounts, including user accounts, local groups and global groups, and can log on locally to domain controllers.
Members cannot manage the Administrator account, the accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators and Print Operators groups (these are protected by AdminSDHolder, see the related links at the end of this page), and cannot modify user rights. Because they can still create accounts and change the membership of every group that is not protected, treat membership as a privileged tier and audit it together with the administrative groups.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight

Administrator [User]
The account for the system administrator and the first account created during operating system installation (relative identifier 500). It cannot be deleted or locked out, but it can be renamed or disabled. It is a member of the Administrators group and cannot be removed from that group.

Administrators [Group, built-in local]
Grants complete and unrestricted access to the computer or, if the computer is promoted to a domain controller, unrestricted access to the domain.
This group cannot be renamed, deleted or moved. On domain controllers it controls access to all the domain controllers in the domain and can change the membership of all administrative groups. Its membership can be modified by members of Administrators itself, Domain Admins in the domain, or Enterprise Admins.
The group is the default owner of any object that is created by a member of the group.
Default User Rights: an extensive list; it includes, among others, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege and SeSecurityPrivilege, any one of which is on its own sufficient for full control of the machine.

Allowed RODC Password Replication Group [Group, domain local]
Used to manage a Read-only domain controller (RODC) password replication policy: members' passwords may be cached on RODCs. The Denied RODC Password Replication Group contains a variety of high-privilege accounts and security groups, and a Denied entry always overrides an Allowed entry for the same account.
Default User Rights: None

Anonymous Logon [Special Identity]
A user who has logged on anonymously. This identity allows anonymous access to resources, such as a web page that is published on corporate servers.
Default User Rights: None

Authenticated Users [Special Identity]
All users whose identities were authenticated when they logged on; membership is controlled by the operating system. It is used to grant access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organisation. It does not include Guest or Anonymous Logon.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Add workstations to domain: SeMachineAccountPrivilege (assigned on domain controllers; together with the default ms-DS-MachineAccountQuota of 10 it lets any domain user join up to ten computers to the domain. Often removed, or the quota set to 0, in environments that have an IT administrator.)
Bypass traverse checking: SeChangeNotifyPrivilege

Backup Operators [Group, built-in local]
By default the group has no members. Backup Operators can back up and restore all files on a computer regardless of the permissions that protect those files, so membership is equivalent to read and write access to the whole disk. Backup Operators can also log on to the computer and shut it down.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Back up files and directories: SeBackupPrivilege
Log on as a batch job: SeBatchLogonRight
Restore files and directories: SeRestorePrivilege
Shut down the system: SeShutdownPrivilege

Batch [Special Identity]
Any user or process that accesses the system as a batch job (for example a scheduled task, or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job. Membership is controlled by the operating system.
Default User Rights: None

Certificate Service DCOM Access [Group, domain local]
Members are allowed to connect to certification authorities in the enterprise.
Default User Rights: None

Cert Publishers [Group, domain local]
Includes all computers that are running an enterprise certification authority. Cert Publishers are authorised to publish certificates for User objects in Active Directory.
Default User Rights: None

Cert Server Admins [Group, domain local]
Certification Authority administrators, authorised to administer certificates for User objects in Active Directory.

Cert Requesters [Group, domain local]
Members can request certificates.

Cloneable Domain Controllers [Group, global]
Domain controllers that are members of this group may be cloned.
Default User Rights: None

Cryptographic Operators [Group, built-in local]
Members are authorised to perform cryptographic operations. This group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
Default User Rights: None

Creator Group [Special Identity]
A placeholder for the primary group of whoever creates a file or directory. Windows puts a placeholder security identifier (SID S-1-3-1) in an inheritable access control entry (ACE); when the ACE is inherited by a new object, the system replaces the placeholder with the SID of the primary group of that object's owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem (for domain accounts it is the group named by primaryGroupID, by default Domain Users).
Default User Rights: None

Creator Owner [Special Identity]
A placeholder for whoever creates a file or directory; Windows uses it to grant permissions automatically to the creator of an object. A placeholder SID (S-1-3-0) is put in an inheritable ACE and, when the ACE is inherited by a new object, the system replaces it with the SID of that object's owner. The substitution happens when the inherited ACE is written, so changing the owner later does not update the ACE.
Default User Rights: None
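The substitution described for Creator Owner is easy to watch. The script below (an added example, not code from the original page) builds a scratch directory under %TEMP% with an inherit-only ACE for CREATOR OWNER, creates a child directory, and prints both ACLs: on the parent the placeholder is still there, on the child it has become an ordinary inherited ACE for the creator's own SID. The directory names and the helper function are this example's own.

```powershell
# Added example, not code from the original page: observe the CREATOR OWNER
# placeholder (S-1-3-0) being replaced by the creator's SID on an inherited ACE.
# Works in a scratch directory under %TEMP%; the paths here are this example's own.
$root = Join-Path $env:TEMP ('creator-owner-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null

$admins       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$me           = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

function New-Ace([System.Security.Principal.IdentityReference]$Sid, [string]$Rights,
                 [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

$acl = Get-Acl -Path $root
# Cut inheritance from the parent and drop the inherited ACEs so the result is readable.
$acl.SetAccessRuleProtection($true, $false)
# Administrators: full control, inherited by every child.
$acl.AddAccessRule((New-Ace $admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# The current user: enough on this folder to create children and delete it afterwards; not inherited.
$acl.AddAccessRule((New-Ace $me 'ReadAndExecute, Write, Delete' 'None' 'None'))
# CREATOR OWNER: Modify on children only (InheritOnly), never on the folder itself.
$acl.AddAccessRule((New-Ace $creatorOwner 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -Path $root -AclObject $acl

$child = New-Item -ItemType Directory -Path (Join-Path $root 'child-created-by-me')

function Get-AceSummary([string]$Path) {
    (Get-Acl -Path $Path).Access | Select-Object @{n = 'Object'; e = { Split-Path $Path -Leaf }},
        IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

# Parent: CREATOR OWNER is still an inherit-only placeholder.
# Child:  an inherited Modify ACE for the creator appears (for the user's own SID, or for
#         BUILTIN\Administrators when created from an elevated prompt, because the owner of
#         objects created by an administrator is the Administrators group), together with the
#         placeholder again, inherit-only, so grandchildren get the same treatment.
@(Get-AceSummary $root) + @(Get-AceSummary $child.FullName) | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Run it once unelevated and once from an elevated prompt and compare the identity that replaces the placeholder on the child; the second run also shows why the Administrators entry above says the group, not the individual administrator, is the default owner.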
Denied RODC Password Replication Group [Group, domain local]
Members cannot have their passwords replicated to (cached on) any Read-only domain controller. The group exists to manage the RODC password replication policy and by default contains a variety of high-privilege accounts and security groups.
Default User Rights: None

Device Owners [Group, built-in local]
This group is not currently used in Windows.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Access this computer from the network: SeNetworkLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege
Change the time zone: SeTimeZonePrivilege

Dialup [Special Identity]
Any user who accesses the system through a dial-up connection has the Dialup identity (SID S-1-5-1), which distinguishes dial-up users from other types of authenticated users.
Default User Rights: None

Digest Authentication [Special Identity]
Added to the access token of a user who was authenticated with the Digest authentication package (SID S-1-5-64-21). See also NTLM Authentication and SChannel Authentication.
Default User Rights: None

Distributed COM Users [Group, built-in local]
Members are allowed to launch, activate and use Distributed COM objects on the computer.
Default User Rights: None

DnsAdmins (installed with DNS) [Group, domain local]
Members have administrative access to the DNS Server service. The default permissions are: Allow Read, Write, Create All Child Objects, Delete Child Objects, Special Permissions. This group has no default members. Because the DNS Server service normally runs on the domain controllers, audit this group together with the administrative groups.
Default User Rights: None

DnsUpdateProxy (installed with DNS) [Group, global]
Members are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members.
Default User Rights: None

Domain Admins [Group, global]
Members are authorised to administer the domain. By default, Domain Admins is a member of the Administrators group on every computer that has joined the domain, including the domain controllers. Domain Admins is the default owner of any object created in the domain's Active Directory by a member of the group; if a member creates other objects, such as files, the default owner is the Administrators group.
Default User Rights: as Administrators

Domain Computers [Group, global]
Includes all computers that have joined the domain, excluding domain controllers.
Default User Rights: None

Domain Controllers [Group, global]
Includes all domain controllers in the domain. New domain controllers are added to this group automatically.
Default User Rights: None

Domain Guests [Group, global]
By default has only one member, the domain's built-in Guest account.
Default User Rights: see Guests

Domain Users [Group, global]
By default includes all user accounts in the domain. When a user account is created in the domain it is added to this group automatically (it is the account's primary group).
Default User Rights: see Users

Enterprise Admins [Group, universal]
Exists only in the root domain of an Active Directory forest. A universal group if the domain is in native mode, a global group if the domain is in mixed mode. Authorised to make forest-wide changes in Active Directory, such as adding child domains. By default the only member is the Administrator account of the forest root domain.
Default User Rights:
see Administrators
see Denied RODC Password Replication Group

Enterprise Key Admins [Group, universal]
Members can perform administrative actions on key objects within the forest. Introduced in Windows Server 2016.
Default User Rights: None

Enterprise Read-Only Domain Controllers [Group, universal]
Members are the Read-only domain controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds.
Default User Rights: None

Enterprise Domain Controllers [Special Identity]
Includes all domain controllers in an Active Directory forest (SID S-1-5-9). Membership is controlled by the operating system.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Allow log on locally: SeInteractiveLogonRight

Event Log Readers [Group, built-in local]
Members can read event logs on the local computer. In Active Directory the group is created when the server is promoted to a domain controller.
Default User Rights: None

Everyone [Special Identity]
All interactive, network, dial-up and authenticated users are members of Everyone (SID S-1-1-0); it gives wide access to system resources, and a user is placed in it automatically at logon. On Windows 2000 and earlier, Everyone included Anonymous Logon. Since Windows XP and Windows Server 2003 it contains only Authenticated Users and Guest and no longer includes Anonymous Logon by default (the policy "Network access: Let Everyone permissions apply to anonymous users" restores the old behaviour). Membership is controlled by the operating system.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege
(Some copies of this table also list "Act as part of the operating system: SeTcbPrivilege" for Everyone; that is wrong. SeTcbPrivilege is assigned to no one by default, and finding it granted to Everyone or any other broad identity in User Rights Assignment is a serious misconfiguration, since the holder can obtain tokens for arbitrary users.)
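The "Default User Rights" entries on this page describe a clean installation; what matters on a real machine is the effective User Rights Assignment. The script below (an added example, not code from the original page) exports it with the built-in secedit.exe, parses the [Privilege Rights] section, and flags sensitive privileges held by broad identities such as Everyone or Authenticated Users, including the SeTcbPrivilege case just mentioned. Which privileges count as sensitive, which SIDs count as broad, and the function names are this example's own choices.

```powershell
# Added example, not code from the original page: export the effective User Rights
# Assignment with secedit.exe and flag sensitive privileges held by broad identities.
# Which privileges are "sensitive" and which SIDs are "broad" are this example's own
# choices. Run from an elevated PowerShell (secedit needs it).

# Privileges that on their own give control of the machine.
$sensitive = @(
    'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeDebugPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeRelabelPrivilege'
)
# Privileges that nobody holds in a default configuration.
$nobody = @('SeTcbPrivilege', 'SeCreateTokenPrivilege')
# Identities that cover every, or nearly every, logon on the machine.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
    'S-1-5-2'      = 'Network'
    'S-1-5-4'      = 'Interactive'
}

function Export-UserRights {
    # Returns a hashtable: privilege or logon right -> SIDs (or names) that hold it.
    $inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid().ToString('N'))
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }
    $rights = @{}
    $inSection = $false
    # The export is a UTF-16 .inf with a BOM, which Get-Content detects automatically.
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            # Values look like: *S-1-5-32-544,*S-1-5-32-551 (a leading * marks a SID; names may also appear)
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -Force
    $rights
}

function Resolve-Holder([string]$Value) {
    if ($Value -notmatch '^S-1-') { return $Value }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Value).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Value }   # deleted account or unreachable domain: keep the raw SID
}

function Find-RiskyUserRights([hashtable]$Rights) {
    foreach ($priv in $sensitive) {
        $holders = if ($Rights.ContainsKey($priv)) { @($Rights[$priv]) } else { @() }
        foreach ($h in $holders) {
            if ($priv -in $nobody) {
                [pscustomobject]@{ Privilege = $priv; Holder = (Resolve-Holder $h); Reason = 'assigned to no one by default' }
            }
            elseif ($broad.ContainsKey($h)) {
                [pscustomobject]@{ Privilege = $priv; Holder = $broad[$h]; Reason = 'granted to a broad identity' }
            }
        }
    }
}

$rights = Export-UserRights
# The full picture first, then the findings. An empty findings table is the expected
# result on a default installation, where Everyone holds only SeNetworkLogonRight and
# SeChangeNotifyPrivilege.
$rights.Keys | Sort-Object | ForEach-Object {
    [pscustomobject]@{ Right = $_; Holders = (($rights[$_] | ForEach-Object { Resolve-Holder $_ }) -join ', ') }
} | Format-Table -AutoSize
Find-RiskyUserRights $rights | Format-Table -AutoSize
```

Run the same export on a domain controller and on a member server and diff the two: the differences (no interactive logon for Users, SeMachineAccountPrivilege for Authenticated Users, the operator groups) are exactly the per-role defaults noted in the entries on this page.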
Group Policy Creator Owners [Group, global]
Authorised to create new Group Policy objects in Active Directory. By default the only member is Administrator. The default owner of a new Group Policy object is usually the user who created it; if that user is a member of Administrators or Domain Admins, all objects created by the user are owned by the group. Owners have full control of the objects they own.
Default User Rights: see Denied RODC Password Replication Group

Guest [User]
An account for people who do not have individual accounts; it does not require a password. By default the Guest account is disabled.

Guests [Group, built-in local]
By default the only member is the Guest account. Guests allows occasional or one-time users to log on with limited privileges through the computer's built-in Guest account. When a member of Guests signs out, the entire profile is deleted, including everything stored in the %userprofile% directory (the user's registry hive, custom desktop icons and other user-specific settings), so a guest always signs in with a temporary profile.
Default User Rights: None

Hyper-V Administrators [Group, built-in local]
Members have complete and unrestricted access to all the features of Hyper-V. Using this group reduces the number of members needed in the Administrators group and separates the roles. Introduced in Windows Server 2012.
Default User Rights: None

IIS_IUSRS [Group, built-in local]
Used by Internet Information Services beginning with IIS 7.0. A built-in account or group is guaranteed by the operating system to always have a unique SID; IIS 7.0 replaced the IUSR_MachineName account with the IUSR account and the IIS_WPG group with the IIS_IUSRS group so that the names are never localised.
Default User Rights: None

Incoming Forest Trust Builders [Group, built-in local]
Members can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. This group cannot be renamed, deleted or moved.
Default User Rights: None

Interactive [Special Identity]
Any user who is logged on to the local system has the Interactive identity (SID S-1-5-4); it is added to the token of every interactive logon, including Remote Desktop sessions. Granting access to Interactive allows only locally logged-on users to access a resource. Membership is controlled by the operating system.
Default User Rights: None

Key Admins [Group, global]
Members can perform administrative actions on key objects within the domain. Introduced in Windows Server 2016.
Default User Rights: None

KRBTGT [User]
The service account used by the Key Distribution Center (KDC) service. It is disabled and cannot be used to log on; its password hash encrypts and signs every Kerberos ticket-granting ticket issued in the domain, so after a domain compromise it must be reset twice (waiting for replication to complete between the two resets).

Local Service [Special Identity]
A built-in service account, NT AUTHORITY\LocalService (SID S-1-5-19). It is similar to an authenticated user and has the same level of access to local resources and objects as members of the Users group; this limited access helps contain the damage if a service or process running as it is compromised. Services running as Local Service access network resources as a null session with anonymous credentials. The account has no password.
Default User Rights:
Adjust memory quotas for a process: SeIncreaseQuotaPrivilege
Bypass traverse checking: SeChangeNotifyPrivilege
Change the system time: SeSystemtimePrivilege
Change the time zone: SeTimeZonePrivilege
Create global objects: SeCreateGlobalPrivilege
Generate security audits: SeAuditPrivilege
Impersonate a client after authentication: SeImpersonatePrivilege
Replace a process level token: SeAssignPrimaryTokenPrivilege

Local System [Special Identity]
The service account used by the operating system itself, NT AUTHORITY\SYSTEM (SID S-1-5-18). It has full access to the local system and acts as the computer account on the network; a service that runs as LocalSystem on a domain controller therefore has access to the entire domain. Some services are configured to log on as LocalSystem by default; do not change those defaults. The account has no password.
Default User Rights: none are assigned through policy; the account holds nearly every privilege intrinsically.

Network [Special Identity]
Any user who accesses the system through a network connection has the Network identity (SID S-1-5-2); it is added to the token of every network logon. Granting access to Network allows only remote users to access a resource. Membership is controlled by the operating system.
Default User Rights: None

Network Service [Special Identity]
A built-in service account, NT AUTHORITY\NetworkService (SID S-1-5-20). Like Local Service it has the same level of access to local resources and objects as members of the Users group, but services running as Network Service access network resources using the credentials of the computer account. The account has no password.
Default User Rights:
Adjust memory quotas for a process: SeIncreaseQuotaPrivilege
Bypass traverse checking: SeChangeNotifyPrivilege
Create global objects: SeCreateGlobalPrivilege
Generate security audits: SeAuditPrivilege
Impersonate a client after authentication: SeImpersonatePrivilege
Restore files and directories: SeRestorePrivilege
Replace a process level token: SeAssignPrimaryTokenPrivilege

Network Configuration Operators [Group, built-in local]
Members can change TCP/IP settings; rename, enable and disable LAN connections; delete and rename remote access connections; enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card; and release and renew TCP/IP addresses. On a domain controller these rights apply to the domain controllers in the domain. This group has no default members.
Default User Rights: None

NTLM Authentication [Special Identity]
Added to the access token of a user who was authenticated with the NTLM authentication package (SID S-1-5-64-10).
Default User Rights: None

Other Organization [Special Identity]
Added to the access token of a user who authenticated from another forest across a trust that uses selective authentication (SID S-1-5-1000). Its presence makes the resource computer enforce the "Allowed to Authenticate" permission check on the computer object. Compare This Organization. Membership is controlled by the operating system.
Default User Rights: None

Performance Monitor Users [Group, built-in local]
Members can monitor performance counters, locally and from remote clients, without being members of Administrators or Performance Log Users. On a domain controller this applies to the domain controllers in the domain.
Default User Rights: None

Performance Log Users [Group, built-in local]
Members can manage performance counters, logs and alerts, locally and from remote clients, without being members of Administrators. On a domain controller this applies to the domain controllers in the domain.
Default User Rights:
Log on as a batch job: SeBatchLogonRight

Power Users [Group, built-in local]
By default, members of this group have no more user rights or permissions than a standard user account. In earlier versions of Windows the Power Users group granted specific administrative rights and permissions; it remains only for backward compatibility.
Default User Rights: None

Pre-Windows 2000 Compatible Access [Group, built-in local]
A backward-compatibility group that grants read access to all users and groups in the domain. In a domain created with the Windows Server 2003-or-later permission defaults its member is Authenticated Users; Everyone and Anonymous Logon are present only if pre-Windows 2000 compatible permissions were chosen when the domain was promoted (or were added later). With Everyone or Anonymous Logon in this group, unauthenticated clients can enumerate every user and group in the domain, so remove them unless Windows NT 4.0 or earlier clients still depend on it.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege

Principal Self (Self) [Special Identity]
A placeholder (SID S-1-5-10) in an ACE on a user, group or computer object in Active Directory. Granting permissions to Principal Self grants them to the security principal that the object represents; during an access check the operating system replaces the Principal Self SID with the SID of that principal. This is how, for example, an account is allowed to change its own password or a computer to update certain of its own attributes.
Default User Rights: None

Print Operators [Group, built-in local, domain controllers]
Exists only on domain controllers and has no default members. Print Operators can manage printers and document queues, manage Active Directory printer objects in the domain, and log on locally to and shut down domain controllers.
Because members can load and unload device drivers on all domain controllers in the domain, which is equivalent to running code in the kernel, add users with caution. This group cannot be renamed, deleted or moved.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Load and unload device drivers: SeLoadDriverPrivilege
Shut down the system: SeShutdownPrivilege

Protected Users [Group, global]
Members receive additional, non-configurable protection against credential theft during authentication: NTLM authentication is refused, Kerberos cannot use DES or RC4, the account cannot be delegated (constrained or unconstrained), the TGT lifetime is limited to four hours and cached credentials are not saved. The group exists to protect high-value accounts; the only way to change the protection for an account is to remove it from the group. Introduced in Windows Server 2012 R2 (the group is created once the PDC emulator runs Windows Server 2012 R2 or later). Do not add service or computer accounts, and test before adding administrators, since anything that depends on NTLM will stop working for them.
Default User Rights: None

RAS and IAS Servers [Group, domain local]
Servers in this group are permitted access to the remote access properties of users. By default the group has no members; computers running the Routing and Remote Access service are added automatically. Members can read certain properties of User objects, such as Read Account Restrictions, Read Logon Information and Read Remote Access Information.
Default User Rights: None

RDS Endpoint Servers [Group, built-in local]
Servers in this group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. It needs to be populated on servers running RD Connection Broker; RD Session Host and RD Virtualization Host servers used in the deployment need to be in it.
Default User Rights: None

RDS Management Servers [Group, built-in local]
Servers in this group can be used to perform routine administrative actions on servers running Remote Desktop Services. It needs to be populated on all servers in a Remote Desktop Services deployment, and the servers running the RDS Central Management service must be included.
Default User Rights: None

RDS Remote Access Servers [Group, built-in local]
Servers in this group provide users with access to RemoteApp programs and personal virtual desktops; in Internet-facing deployments they are typically placed in an edge network. It needs to be populated on servers running RD Connection Broker; RD Gateway and RD Web Access servers used in the deployment need to be in it.
Default User Rights: None

Read-Only Domain Controllers [Group, global]
The Read-only domain controllers in the domain. An RODC lets an organisation deploy a domain controller where physical security cannot be guaranteed, such as a branch office, or where local storage of all domain passwords is considered a primary threat, such as an extranet or an application-facing role.
Default User Rights: see Denied RODC Password Replication Group

Remote Desktop Users [Group, built-in local]
Used on an RD Session Host server to grant users and groups permission to connect remotely to it. This group cannot be renamed, deleted or moved. In Active Directory it appears as an unresolved SID until the domain controller is made the primary domain controller and holds the operations master role (also known as a flexible single master operations or FSMO role).
Default User Rights:
Allow log on through Remote Desktop Services: SeRemoteInteractiveLogonRight (on workstations and member servers; on domain controllers only Administrators hold this right by default)

Remote Interactive Logon [Special Identity]
Represents all users currently logged on to a computer through a Remote Desktop connection (SID S-1-5-14). It is a subset of Interactive: access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
Default User Rights: None

Remote Management Users [Group, built-in local]
Members can access WMI resources over management protocols such as WS-Management via the Windows Remote Management (WinRM) service; this applies only to WMI namespaces that grant access to the user. Microsoft's documentation describes Remote Management Users as the group for managing servers through the Server Manager console and WinRMRemoteWMIUsers__ as the group for running Windows PowerShell commands remotely. In practice, since Windows 8.1 and Windows Server 2012 R2 the default PowerShell session configurations (Microsoft.PowerShell and Microsoft.PowerShell32) grant this group access, so membership allows PowerShell remoting to the host; audit it as a remote-logon group.
Default User Rights: None
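Rather than trust the description, check what the session configurations on a given host actually admit. The script below (an added example, not code from the original page) reads the permission string of every registered PowerShell session configuration, reports whether BUILTIN\Remote Management Users is allowed by any of them, and lists the group's local members. The function names are this example's own; Get-PSSessionConfiguration needs an elevated prompt and a configured WinRM service, and Get-LocalGroupMember ships with Windows 10 / Windows Server 2016 and later.

```powershell
# Added example, not code from the original page: show which principals each local
# PowerShell remoting session configuration admits, and who is in the local
# Remote Management Users group. Run from an elevated PowerShell
# (Get-PSSessionConfiguration requires administrator rights and a configured WinRM).
function Get-RemotingAccess {
    foreach ($cfg in Get-PSSessionConfiguration) {
        # Permission is the configuration's SDDL rendered as text, for example:
        # "NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
        #  BUILTIN\Remote Management Users AccessAllowed"
        foreach ($entry in ($cfg.Permission -split ',\s*')) {
            if ($entry -match '^(?<principal>.+?)\s+(?<access>AccessAllowed|AccessDenied)$') {
                [pscustomobject]@{
                    Configuration = $cfg.Name
                    Principal     = $Matches['principal']
                    Access        = $Matches['access']
                }
            }
        }
    }
}

function Test-RemoteManagementUsersCanRemote {
    # True when any session configuration allows BUILTIN\Remote Management Users,
    # which is the default on Windows 8.1 / Windows Server 2012 R2 and later.
    [bool](Get-RemotingAccess | Where-Object {
        $_.Principal -eq 'BUILTIN\Remote Management Users' -and $_.Access -eq 'AccessAllowed'
    })
}

function Get-RemoteManagementUsers {
    # Get-LocalGroupMember ships with Windows 10 / Windows Server 2016 and later.
    Get-LocalGroupMember -Group 'Remote Management Users' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-RemotingAccess | Format-Table -AutoSize
"Remote Management Users can open PowerShell sessions on this host: $(Test-RemoteManagementUsersCanRemote)"
Get-RemoteManagementUsers | Format-Table -AutoSize
```

If the group should not be able to open sessions on a particular host, change the configuration's security descriptor with Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl (or -ShowSecurityDescriptorUI) to one that omits S-1-5-32-580; the cmdlet restarts the WinRM service.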
Replicator [Group, built-in local]
Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems used the File Replication Service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). The DFS Replication service replaces FRS and can replicate the contents of SYSVOL, DFS folders and other custom (non-SYSVOL) data; migrate all remaining FRS replica sets to DFS Replication. Do not add user accounts to this group.
Default User Rights: None

Restricted [Special Identity]
Users and computers with restricted capabilities have the Restricted identity (SID S-1-5-12). It is used by a process running in a restricted security context, such as an application started with the RunAs service; when code runs at the Restricted security level, the Restricted SID is added to the user's access token.
Default User Rights: None

SChannel Authentication [Special Identity]
Added to the access token of a user who was authenticated by the Schannel security package, that is, with a client certificate over TLS/SSL (SID S-1-5-64-14).
Default User Rights: None

Schema Admins [Group, universal]
Exists only in the root domain of an Active Directory forest. A universal group if the domain is in native mode, a global group if the domain is in mixed mode. Authorised to make schema changes in Active Directory. By default the only member is the Administrator account of the forest root domain. Because schema changes are forest-wide and largely irreversible, keep the group empty and add a user only for the duration of a planned schema change.
Default User Rights: see Denied RODC Password Replication Group

Server Operators [Group, built-in local, domain controllers]
Exists only on domain controllers; by default the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. Because these rights apply on the domain controllers themselves, including backup and restore of the files that hold the directory database, treat the group as an administrative tier and audit it as one.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Back up files and directories: SeBackupPrivilege
Change the system time: SeSystemTimePrivilege
Change the time zone: SeTimeZonePrivilege
Force shutdown from a remote system: SeRemoteShutdownPrivilege
Restore files and directories: SeRestorePrivilege
Shut down the system: SeShutdownPrivilege

Service [Special Identity]
Any service that accesses the system has the Service identity (SID S-1-5-6). It includes all security principals that are signed in as a service and grants access to processes run by Windows services. Membership is controlled by the operating system.
Default User Rights:
Create global objects: SeCreateGlobalPrivilege
Impersonate a client after authentication: SeImpersonatePrivilege

Storage Replica Administrators [Group, built-in local]
Members have complete and unrestricted access to all features of Storage Replica.
Default User Rights: None

System Managed Accounts Group [Group, built-in local]
Members of this group are managed by the system.
Default User Rights: None

Terminal Server License Servers [Group, domain local]
Members can update user accounts in Active Directory with information about licence issuance, which is used to track and report TS Per User CAL usage (a TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices). This group appears as a SID until the domain controller is made the primary domain controller and holds the operations master role (also known as a flexible single master operations or FSMO role).
Default User Rights: None

Terminal Server Users [Special Identity]
Any user accessing the system through Terminal Services has the Terminal Server User identity (SID S-1-5-13), which allows users to access Terminal Server applications and perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
Default User Rights: None

This Organization [Special Identity]
Added to the access token of a user who was authenticated by a domain controller in the same forest, or from a trusted forest whose trust does not use selective authentication (SID S-1-5-15). Compare Other Organization.
Default User Rights: None

Users [Group, built-in local]
After the initial installation of the operating system the only member is the Authenticated Users group; when a computer joins a domain, Domain Users is added to the Users group on the computer. Users can run applications, use local and network printers, shut down and lock the computer, and install applications that only they can use if the installer supports per-user installation. This group cannot be renamed, deleted or moved.
Default User Rights (workstations and member servers):
Access this computer from the network: SeNetworkLogonRight
Allow log on locally: SeInteractiveLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege
Change the time zone: SeTimeZonePrivilege
Increase a process working set: SeIncreaseWorkingSetPrivilege
Remove computer from docking station: SeUndockPrivilege
Shut down the system: SeShutdownPrivilege
(On domain controllers, Users do not hold Allow log on locally or Shut down the system; those rights go to Administrators and the operator groups.)

Windows Authorization Access Group [Group, built-in local]
Members have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. Some applications read the token-groups-global-and-universal (TGGAU) attribute on user account or computer account objects in Active Directory Domain Services.
Default User Rights: None

Window Manager\Window Manager Group [Group]
A local group used by the Desktop Window Manager; its members are the DWM-n accounts under which the window manager runs.
Default User Rights:
Bypass traverse checking: SeChangeNotifyPrivilege
Increase a process working set: SeIncreaseWorkingSetPrivilege

WinRMRemoteWMIUsers__ [Group, built-in local]
Allows running Windows PowerShell commands remotely, whereas Remote Management Users is generally used to let users manage servers through the Server Manager console (but see the note under Remote Management Users). Introduced in Windows Server 2012. In Windows 8 and Windows Server 2012 the Advanced Security Settings dialog also gained a Share tab that displays the security properties of a remote file share; viewing it requires the permissions and memberships appropriate to the version of Windows Server that the file server is running.
Default User Rights: None

Default Admin Users and Groups
(The original page shows a diagram here, "Admin Groups in AD", of the default administrative users and groups and how they nest.)
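The groups that diagram covers are the ones worth auditing regularly. The script below (an added example, not code from the original page) uses the RSAT ActiveDirectory module to flatten the membership of the high-privilege groups described on this page, list privileged users who are not in Protected Users, find accounts whose adminCount is still set although they have left every privileged group (the AdminSDHolder behaviour referenced in the related links), and check Pre-Windows 2000 Compatible Access for Everyone and Anonymous Logon. It assumes a domain-joined session with read access to the directory and the default English group names; which groups count as privileged, and the function names, are this example's own choices.

```powershell
# Added example, not code from the original page: audit the high-privilege groups
# described above with the RSAT ActiveDirectory module. Assumes a domain-joined
# session with read access to the directory and the default English group names;
# which groups count as "privileged" is this example's own choice.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners', 'Key Admins', 'Enterprise Key Admins'
)

function Get-PrivilegedPrincipals {
    # One row per principal that holds privilege, with the groups that grant it.
    # -Recursive flattens nested groups; members from trusted forests come back as
    # foreignSecurityPrincipal objects (and can make the cmdlet fail when their domain
    # is unreachable, in which case read the group's member attribute instead).
    $byPrincipal = @{}
    foreach ($groupName in $privilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # e.g. Key Admins before the 2016 schema, DnsAdmins without DNS
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            $key = $member.SID.Value
            if (-not $byPrincipal.ContainsKey($key)) {
                $byPrincipal[$key] = [pscustomobject]@{
                    Name        = $member.SamAccountName
                    ObjectClass = $member.objectClass
                    SID         = $key
                    Groups      = New-Object System.Collections.Generic.List[string]
                }
            }
            $byPrincipal[$key].Groups.Add($groupName)
        }
    }
    $byPrincipal.Values
}

function Get-UnprotectedPrivilegedUsers($Principals) {
    # Privileged user accounts that are not in Protected Users (see that entry above).
    $protected = @{}
    $pu = Get-ADGroup -Filter "Name -eq 'Protected Users'" -ErrorAction SilentlyContinue
    if ($pu) {
        foreach ($m in Get-ADGroupMember -Identity $pu -Recursive) { $protected[$m.SID.Value] = $true }
    }
    $Principals | Where-Object { $_.ObjectClass -eq 'user' -and -not $protected.ContainsKey($_.SID) }
}

function Get-OrphanedAdminCount($Principals) {
    # AdminSDHolder sets adminCount=1 on members of protected groups and never clears it;
    # an account that has left every privileged group keeps the locked-down ACL with
    # inheritance disabled, so list those for cleanup. krbtgt is protected directly.
    $current = @{}
    foreach ($p in $Principals) { $current[$p.SID] = $true }
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $_.SamAccountName -ne 'krbtgt' -and -not $current.ContainsKey($_.SID.Value) } |
        Select-Object SamAccountName, DistinguishedName
}

function Test-Pre2000Anonymous {
    # Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) in this group lets unauthenticated
    # clients read every user and group in the domain. Well-known SIDs are stored as
    # foreign security principals, so match on the member DNs rather than resolving them.
    $members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member
    [pscustomobject]@{
        EveryoneIsMember       = [bool]($members -match '^CN=S-1-1-0,')
        AnonymousLogonIsMember = [bool]($members -match '^CN=S-1-5-7,')
    }
}

$principals = @(Get-PrivilegedPrincipals)
$principals | Select-Object Name, ObjectClass, @{n = 'Groups'; e = { $_.Groups -join ', ' }} | Format-Table -AutoSize
Get-UnprotectedPrivilegedUsers $principals | Select-Object Name, SID | Format-Table -AutoSize
Get-OrphanedAdminCount $principals | Format-Table -AutoSize
Test-Pre2000Anonymous
```

Computer accounts and foreign security principals show up in the first table as well; a computer account in Administrators or Backup Operators is usually a leftover and worth the same scrutiny as a user.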

Related commands

How-to: Understand the different types of Active Directory group: Domain Local, Global and Universal.
Q271876 - Large numbers of ACEs in ACLs impair directory service performance.
Q243330 - Well-known security identifiers (SIDs) in Windows operating systems.
Q277752 - Security identifiers for built-in groups are unresolved when modifying Group Policy.
AdminSDHolder FAQ - High-privilege accounts (Admins and Account Operators) are protected from inadvertent modification.
Active Directory Security Groups - docs.microsoft.com


 
Copyright © 1999-2024 SS64.com
Some rights reserved