Windows 7 / Networking

Using Built-in Groups

On a Windows 7 computer, default local groups have already been created and assigned all necessary permissions to accomplish basic tasks. In addition, there are built-in special groups that the Windows 7 system handles automatically. These groups are described in the following sections.

Using Default Local Groups
A local group is a group that is stored on the local computer's accounts database. These are the groups you can add users to and can manage directly on a Windows 7 computer. By default, the following local groups are created on Windows 7 computers:
  • Administrators
  • Backup Operators
  • Cryptographic Operators
  • Distributed COM Users
  • Event Log Readers
  • Guests
  • IIS_IUSRS
  • Network Configuration Operators
  • Performance Log Users
  • Performance Monitor Users
  • Power Users
  • Remote Desktop Users
  • Replicator
  • Users
We briefly describe each group, its default permissions, and the users assigned to the group by default.
Built-in Groups If possible, you should add users to the built-in local groups rather than creating new groups from scratch. This simplifies administration because the built-in groups already have the appropriate permissions. All you need to do is add the users whom you want to be members of the group.

The Administrators Group
The Administrators group has full permissions and privileges. Its members can grant themselves any permissions they do not have by default to manage all the objects on the computer. (Objects include the file system, printers, and account management.) By default, the Administrator account, which is disabled by default, and the initial user account are members of the Administrators local group.

Administrators Group Assign users to the Administrators group with caution because they will have full permissions to manage the computer.

Members of the Administrators group can perform the following tasks:
  • Install the operating system.
  • Install and configure hardware device drivers.
  • Install system services.
  • Install service packs, hot fixes, andWindows updates.
  • Upgrade the operating system.
  • Repair the operating system.
  • Install applications that modify the Windows system files.
  • Configure password policies.
  • Configure audit policies.
  • Manage security logs.
  • Create administrative shares.
  • Create administrative accounts.
  • Modify groups and accounts that have been created by other users.
  • Remotely access the Registry.
  • Stop or start any service.
  • Configure services.
  • Increase and manage disk quotas.
  • Increase and manage execution priorities.
  • Remotely shut down the system.
  • Assign and manage user rights.
  • Reenable locked-out and disabled accounts.
  • Manage disk properties, including formatting hard drives.
  • Modify systemwide environment variables.
  • Access any data on the computer.
  • Back up and restore all data.
The Backup Operators Group
Members of the Backup Operators group have permissions to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to access the file system. However, the members of Backup Operators can access the file system only using the Backup utility. To access the file system directly, Backup Operators must have explicit permissions assigned. There are no default members of the Backup Operators local group.

The Cryptographic Operators Group
The Cryptographic Operators group has access to perform cryptographic operations on the computer. There are no default members of the Cryptographic Operators local group.

The Distributed COM Users Group
The Distributed COM Users group has the ability to launch and run Distributed COM objects on the computer. There are no default members of the Distributed COM Users local group.

The Event Log Readers Group
The Event Log Readers group has access to read the event log on the local computer. There are no default members of the Event Log Readers local group. The Guests Group The Guests group has limited access to the computer. This group is provided so that you can allow people who are not regular users to access specific network resources. As a general rule, most administrators do not allow Guest access because it poses a potential security risk. By default, the Guest user account is a member of the Guests local group.

The IIS_IUSRS Group
The IIS_IUSRS group is used by Internet Information Services (IIS). The NT AUTHORITY\IUSR user account is a member of the IIS_IUSRS group by default.

The Network Configuration Operators Group
Members of the Network Configuration Operators group have some administrative rights to manage the computer's network configuration -for example, editing the computer's TCP/IP settings.

The Performance Log Users Group
The Performance Log Users group has the ability to access and schedule logging of performance counters and can create and manage trace counters on the computer.

The Performance Monitor Users Group
The Performance Monitor Users group has the ability to access and view performance counter information on the computer. Users who are members of this group can access performance counters both locally and remotely.

The Power Users Group
The Power Users group is included in Windows 7 for backward compatibility. The Power Users group is included to ensure that computers upgraded from Windows XP function as before with regard to folders that allow access to members of the Power Users group. Otherwise, the Power Users group has limited administrative rights.

The Remote Desktop Users Group
The Remote Desktop Users group allows members of the group to log on remotely for the purpose of using the Remote Desktop service. The Replicator Group The Replicator group is intended to support directory replication, which is a feature that domain servers use. Only domain users who will start the replication service should be assigned to this group. The Replicator local group has no default members.

The Users Group
The Users group is intended for end users who should have very limited system access. If you have installed a fresh copy of Windows 7, the default settings for the Users group prohibit its members from compromising the operating system or program files. By default, all users who have been created on the computer, except Guest, are members of the Users local group.

Another type of group that is used by Windows 7 is special groups. In the next section we will look at special groups and how they work.

[Contents] [Next]

In this tutorial:

  1. Creating and Managing Groups
  2. Using Built-in Groups
  3. Using Special Groups
  4. Working with Groups
  5. Creating New Groups
  6. Managing Group Membership
  7. Renaming Groups
  8. Deleting Groups