Windows 7 built in local groups

The Domain Admins (DA) group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator account. Because a domain's DA group is nested in the domain's BA group and in every domain-joined system's local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain's Administrators group and to the local Administrators group on all systems joined to the domain.

The built-in Administrators (BA) group is a domain local group in a domain's Built-in container into which DAs and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory and on domain controllers.

However, the Administrators group for a domain does not have any privileges on member servers or on workstations. Membership in domain-joined computers' local Administrators group is where local privilege is granted; and of the groups discussed, only DAs are members of all domain-joined computers' local Administrators groups by default. The Administrators group is a domain-local group in the domain's Built-in container.

By default, every domain's BA group contains the local domain's Built-in Administrator account, the local domain's DA group, and the forest root domain's EA group. Many user rights in Active Directory and on domain controllers are granted specifically to the Administrators group, not to EAs or DAs. A domain's BA group is granted full control permissions on most directory objects, and can take ownership of directory objects.

Although EA and DA groups are granted certain object-specific permissions in the forest and domains, much of the power of groups is actually "inherited" from their membership in BA groups. Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups.

In some cases, it is trivial to achieve, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent. The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain's Built-in Administrator account as a default member, similar to the EA group. Although membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest, SAs have few default rights and permissions beyond the schema.

You should carefully manage and monitor membership in the SA group, but in some respects, this group is "less privileged" than the three highest privileged groups described earlier because the scope of its privilege is very narrow; that is, SAs have no administrative rights anywhere other than the schema.
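The nesting described above (DA inside BA, EA inside every domain's BA) is why membership has to be audited as effective membership, not direct membership. The following PowerShell is an added example, not part of the Microsoft documentation quoted here; it assumes the ActiveDirectory RSAT module and a domain-authenticated session, and locates the four groups by well-known RID so that renamed groups are still found.

```powershell
# Added example: report the effective (recursively expanded) membership of the
# Built-in Administrators (BA), Domain Admins (DA), Enterprise Admins (EA) and
# Schema Admins (SA) groups and show which of them each principal lands in.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-PrivilegedGroupReport {
    param(
        # Domain to inspect; defaults to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forestRoot = (Get-ADForest).RootDomain
    $domainSid  = (Get-ADDomain -Identity $Domain).DomainSID.Value
    $rootSid    = (Get-ADDomain -Identity $forestRoot).DomainSID.Value

    # BA is the well-known alias S-1-5-32-544 in every domain; DA is RID 512 of
    # the inspected domain; EA (519) and SA (518) exist only in the forest root.
    $targets = @(
        @{ Label = 'BA'; Sid = 'S-1-5-32-544';   Server = $Domain }
        @{ Label = 'DA'; Sid = "$domainSid-512"; Server = $Domain }
        @{ Label = 'EA'; Sid = "$rootSid-519";   Server = $forestRoot }
        @{ Label = 'SA'; Sid = "$rootSid-518";   Server = $forestRoot }
    )

    $seen = @{}   # principal SID -> record with the list of group labels
    foreach ($t in $targets) {
        $group = Get-ADGroup -Identity $t.Sid -Server $t.Server
        try {
            # -Recursive expands nested groups, so a user who is only a DA
            # member is also reported under BA, as the text describes.
            $members = Get-ADGroupMember -Identity $group -Server $t.Server -Recursive
        } catch {
            # Cross-domain nesting (EA inside a child domain's BA) is the usual
            # cause of failures here; report it instead of silently skipping.
            Write-Warning "Could not expand $($t.Label) ($($group.DistinguishedName)): $_"
            continue
        }
        foreach ($m in $members) {
            $key = $m.SID.Value
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Name   = $m.SamAccountName
                    Class  = $m.objectClass
                    Sid    = $key
                    Groups = New-Object System.Collections.Generic.List[string]
                }
            }
            if (-not $seen[$key].Groups.Contains($t.Label)) {
                $seen[$key].Groups.Add($t.Label)
            }
        }
    }

    $seen.Values | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            Class          = $_.Class
            Sid            = $_.Sid
            MemberOf       = ($_.Groups -join ',')
            # The only default member of these groups is the Built-in
            # Administrator (RID 500); anything else needs a documented owner.
            IsBuiltinAdmin = ($_.Sid -like '*-500')
        }
    } | Sort-Object MemberOf, Name
}

Get-PrivilegedGroupReport | Format-Table -AutoSize
```

Run it against each domain in the forest; a principal that shows up in more than one column is a direct illustration of the "effectively equivalent" point made above.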

To facilitate delegating administration in the directory, Active Directory ships with various built-in and default groups that have been granted specific rights and permissions. The following table lists these built-in and default groups. Both sets of groups exist by default; however, built-in groups are located by default in the Built-in container in Active Directory, while default groups are located by default in the Users container in Active Directory.

Groups in the Built-in container are all Domain Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups, in addition to three individual user accounts (Administrator, Guest, and Krbtgt).

In addition to the highest privileged groups described earlier in this appendix, some built-in and default accounts and groups are granted elevated privileges and should also be protected and used only on secure administrative hosts. Because some of these groups and accounts are granted rights and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.

Built-in and default groups and accounts (the first rows of the table, including the first group's name, are missing from the page):

[Group name missing from the page] (Domain-local security group)
  Members of this group can remotely query authorization attributes and permissions for resources on this computer.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Account Operators (Built-in container; domain-local security group)
  Members can administer domain user and group accounts.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Administrator account (Users container; not a group)
  Built-in account for administering the domain.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Backup Operators (Built-in container; domain-local security group)
  Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.
  Direct user rights: Allow log on locally; Back up files and directories; Log on as a batch job; Restore files and directories; Shut down the system. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Cert Publishers (Users container; domain-local security group)
  Members of this group are permitted to publish certificates to the directory.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Cryptographic Operators (Built-in container; domain-local security group)
  Members are authorized to perform cryptographic operations.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Debugger Users (neither a default nor a built-in group)
  When present in AD DS, this group is cause for further investigation. Its presence indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. This group allows remote debugging access to computers. When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller.

Denied RODC Password Replication Group (Users container; domain-local security group)
  Members of this group cannot have their passwords replicated to any read-only domain controllers in the domain.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Distributed COM Users (Built-in container; domain-local security group)
  Members of this group are allowed to launch, activate, and use distributed COM objects on this computer.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

DnsAdmins (Users container; domain-local security group)
  Members of this group have administrative access to the DNS Server service.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

DnsUpdateProxy (Users container; global security group)
  Members of this group are DNS clients that are permitted to perform dynamic updates on behalf of clients that cannot themselves perform dynamic updates. Members of this group are typically DHCP servers.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Domain Admins (Users container; global security group)
  Designated administrators of the domain; Domain Admins is a member of every domain-joined computer's local Administrators group and receives the rights and permissions granted to the local Administrators group, in addition to those of the domain's Administrators group.
  Default direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Domain Controllers (Users container; global security group)
  All domain controllers in the domain. Note: Domain controllers are not members of the Domain Computers group.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Domain Guests (Users container; global security group)
  All guests in the domain.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Domain Users (Users container; global security group)
  All users in the domain.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Enterprise Admins (exists only in the forest root domain; Users container; universal security group)
  Enterprise Admins have permissions to change forest-wide configuration settings; Enterprise Admins is a member of every domain's Administrators group and receives the rights and permissions granted to that group.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Event Log Readers (Built-in container; domain-local security group)
  Members of this group can read the event logs on domain controllers.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Group Policy Creator Owners (Users container; global security group)
  Members of this group can create and modify Group Policy Objects in the domain.

Guest account (the beginning of this entry is missing from the page)
  Therefore, any resources that are configured to grant access to the Authenticated Users group will not be accessible to this account. This behavior is not true of members of the Domain Guests and Guests groups, however; members of those groups do have the Authenticated Users SID added to their access tokens.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Bypass traverse checking; Increase a process working set.

Guests (Built-in container; domain-local security group)
  Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Hyper-V Administrators (Windows Server; Built-in container; domain-local security group)
  Members of this group have complete and unrestricted access to all features of Hyper-V.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Incoming Forest Trust Builders (exists only in the forest root domain; Built-in container; domain-local security group)
  Members of this group can create incoming, one-way trusts to this forest. Creation of outbound forest trusts is reserved for Enterprise Admins.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Krbtgt (Users container; not a group)
  The Krbtgt account is the service account for the Kerberos Key Distribution Center in the domain. This account has access to all accounts' credentials stored in Active Directory.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Performance Log Users (Built-in container; domain-local security group)
  Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer.
  Direct user rights: Log on as a batch job. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Performance Monitor Users (Built-in container; domain-local security group)
  Members of this group can access performance counter data locally and remotely.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

Pre-Windows Compatible Access (Built-in container; domain-local security group)
  This group exists for backward compatibility with operating systems prior to Windows Server, and it provides the ability for members to read user and group information in the domain.
  Direct user rights: Access this computer from the network; Bypass traverse checking. Inherited user rights: Add workstations to domain; Increase a process working set.

Print Operators (Built-in container; domain-local security group)
  Members of this group can administer domain printers.
  Direct user rights: Allow log on locally; Load and unload device drivers; Shut down the system. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

RAS and IAS Servers (Users container; domain-local security group)
  Servers in this group can read remote access properties on user accounts in the domain.
  Direct user rights: None. Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set.

RDS Endpoint Servers (Windows Server; Built-in container; domain-local security group)
  Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker.

These groups have been assigned specific rights and permissions to perform actions on systems and within domains. You can open the Computer Management console to view local built-in groups via the Administrative Tools menu, or by clicking Start, right-clicking Computer, and selecting Manage.

You view domain built-in groups via the Active Directory Users and Computers console, found in the Administrative Tools menu on a domain controller. There is a Builtin container, but additional built-in groups exist in the Users container. Some of these groups deserve special mention:

Administrators (local): Members of the Administrators group on local computers, including Windows 7 computers, can do anything on that computer.

This means that the domain must be configured to support at least the AES cipher suite. This means that former connections to other systems may fail if the user is a member of the Protected Users group. The default Kerberos ticket-granting ticket (TGT) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center.

This means that when four hours have passed, the user must authenticate again. This group was introduced in Windows Server R2. For more information about how this group works, see Protected Users Security Group.

By default, this group has no members. Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run.

This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. Servers that are members of the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services.

This group needs to be populated on all servers in a Remote Desktop Services deployment. In Internet-facing deployments, these servers are typically deployed in an edge network. For more information, see Host desktops and apps in Remote Desktop Services. This group consists of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

Because administration of a Read-only domain controller can be delegated to a domain user or security group, a Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: This group appears as a SID until the domain controller is made the primary domain controller and holds the operations master role (also known as flexible single master operations, or FSMO).

This applies only to WMI namespaces that grant access to the user. For more information, see What's New in MI? Computers that are members of the Replicator group support file replication in a domain. The File Replication Service (FRS) can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and on a schedule between sites.

Members of the Schema Admins group can modify the Active Directory schema.

This group exists only in the root domain of an Active Directory forest of domains. The group is authorized to make schema changes in Active Directory. This group has full administrative access to the schema.

The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory. Members in the Server Operators group can administer domain controllers.

This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer.

By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain.

Members of this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks such as backup and restore, and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.

Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer.

Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Applications that read this attribute, or that call an API (referred to as a function) that reads this attribute, do not succeed if the calling security context does not have access to the attribute.

This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running:

  If the file share is hosted on a server that is running a supported version of the operating system: [requirements missing from the page]
  If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server [version missing from the page]: [requirements missing from the page]

Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.

Note: In addition to these three scopes, the default groups in the Builtin container have a group scope of Builtin Local.

Note: By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group.

Note: The Administrators group has built-in capabilities that give its members full control over the system.

Note: A Guest account is a default member of the Guests security group.

Note: Prior to Windows Server, access to features in Hyper-V was controlled in part by membership in the Administrators group.

Note: This group appears as a SID until the domain controller is made the primary domain controller and holds the operations master role (also known as flexible single master operations, or FSMO).

Warning: If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.

Hence, those people who don't really know about these true powers should not dare to use the supersecret administrator account.

There are myriad articles on the web that explain how to enable the built-in Administrator account in Windows Vista. You probably know this other myth that "true administrators" work on the command prompt.

Usually these articles don't tell you that the built-in Administrator account can also just be enabled through the Local Users and Groups snap-in or simply Computer Management, just like the Guest account which is also disabled by default.

What I find interesting is that I wasn't able to find one article that also tells you what these magical, super secret, true administrator powers are. Well, there are indeed a few differences between members of the Administrators group and the built-in Administrator account. Let's see how powerful they really are. Admin Approval Mode for the local Administrator account is disabled by default. There is a special Group Policy setting where this behavior can be changed: "Admin Approval Mode for the Built-in Administrator account".

Hence, this simply means that UAC is disabled by default for the built-in Administrator account. Of course you can change this setting for all other administrator accounts too, by disabling UAC through the User Accounts applet in the Control Panel or by disabling the policy "Run all administrators in Admin Approval Mode".

Note that this doesn't just disable the UAC prompts, as setting the policy "Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting" would. It disables UAC altogether, which basically means that every program an administrator launches will be elevated automatically.

You can test this if you save a file with notepad in the Windows folder. If UAC is enabled you can't do that if you didn't elevate notepad before. Thus the main difference between the built-in Administrator account and all other admins is that every program will run with elevated privileges.

Since these default settings can be changed for the built-in admin account and the other administrator accounts there are no super secret powers involved here.
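Because all of the behaviour described above is driven by settings that can be changed, the defensible position is to check them rather than assume the defaults. The following PowerShell is an added example, not code from the original article; it reads the built-in Administrator account (found by RID 500, so a rename does not hide it), the local Administrators group and the registry values behind the three Group Policy settings named above, and needs an elevated Windows PowerShell 3.0 or later session. The registry value names are standard UAC policy values, not something the article itself lists.

```powershell
# Added example: audit the built-in Administrator account and the UAC policy
# settings discussed in the article on the local machine. The ADSI WinNT
# provider is used instead of Get-LocalUser so the script also runs on
# Windows 7 (with Windows PowerShell 3.0 or later installed).

function Get-LocalAdminAudit {
    # Enumerate local users and pick the one whose SID ends in RID 500.
    # Renaming the account changes its name, never its RID.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $users = $computer.Children | Where-Object { $_.SchemaClassName -eq 'User' }
    $builtinAdmin = $users | Where-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)
        $sid.Value -like '*-500'
    }

    # UserFlags bit 0x2 is ADS_UF_ACCOUNTDISABLE; the account is disabled by default.
    $disabled = (([int]$builtinAdmin.UserFlags.Value) -band 0x2) -ne 0

    # Members of the local Administrators group, including nested domain groups
    # such as Domain Admins, rendered as DOMAIN-or-HOST/Name.
    $adminsGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($adminsGroup.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''
    })

    # Registry values behind the three policies the article names
    # (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System):
    #   FilterAdministratorToken   "Admin Approval Mode for the Built-in
    #                               Administrator account"  (absent or 0 = off)
    #   EnableLUA                  "Run all administrators in Admin Approval Mode"
    #                               (1 = UAC on, 0 = UAC off for everyone)
    #   ConsentPromptBehaviorAdmin "Behavior of the elevation prompt for
    #                               administrators" (0 = elevate without prompting)
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Findings a defender would want raised from this machine.
    $findings = @(
        if (-not $disabled -and -not $pol.FilterAdministratorToken) {
            'Built-in Administrator is enabled and exempt from UAC: everything it runs is elevated'
        }
        if ($pol.EnableLUA -eq 0) { 'UAC is disabled for all administrators (EnableLUA = 0)' }
        if ($pol.ConsentPromptBehaviorAdmin -eq 0) { 'Administrators elevate without prompting' }
        if ($members.Count -gt 2) { "Local Administrators has $($members.Count) members; review each" }
    )

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        BuiltinAdminName           = [string]$builtinAdmin.Name.Value
        BuiltinAdminDisabled       = $disabled
        LocalAdministrators        = $members
        EnableLUA                  = $pol.EnableLUA
        FilterAdministratorToken   = $pol.FilterAdministratorToken
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        Findings                   = $findings
    }
}

Get-LocalAdminAudit | Format-List
```

An empty Findings list on a domain-joined workstation should show only the local Administrator and Domain Admins in LocalAdministrators, BuiltinAdminDisabled set to True and EnableLUA set to 1.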

Another myth is that every time you launch a program with admin privileges it runs under the built-in Administrator account. The fact that you can use this function even if the local Administrator account is disabled should make it clear that there is no such connection between the two. You also can't launch a program under the local Administrator account using the runas command line tool if this account is disabled.

Perhaps the term "run as administrator" is a bit misleading. What this function really does is run programs with elevated privileges (or, more precisely, at the high integrity level), which can be done by every account that is a member of the Administrators group.

Another difference to other accounts is that the local Administrator account can't be deleted. Moreover, you can't remove this account from the built-in Administrators group. However, as noted above, it can be disabled which is the case by default. It is also possible to rename the local Administrator account. There are some legacy applications that can only be installed or run using the built-in Administrator account.

I haven't encountered such an application for a while.