2009 Microsoft Corporation. All rights reserved.

Default groups
Updated: January 21, 2005

Default groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help you control access to shared resources and delegate specific domain-wide administrative roles. For information about default groups stored on local computers, see Default local groups [ http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx ] . Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain. When you add a user to a group, the user receives all the user rights assigned to the group and all the permissions assigned to the group on any shared resources. For more information about user rights and permissions, see Group types [ http://technet.microsoft.com/enus/library/cc781446(WS.10).aspx ] . You can manage groups by using Active Directory Users and Computers. Default groups are located in the Builtin container and the Users container. The Builtin container contains groups that are defined with domain local scope. The Users container contains groups that are defined with global scope and groups that are defined with domain local scope. You can move groups located in these containers to other groups or organizational units within the domain, but you cannot move them to other domains. As a security best practice, it is recommended that members of default groups with broad administrative access use Run as to perform administrative tasks. For more information, see Using Run as [ http://technet.microsoft.com/en-us/library/cc780931(WS.10).aspx ] . For information about security best practices, see Active Directory Best practices [ http://technet.microsoft.com/enus/library/cc778219(WS.10).aspx ] . For information about additional security measures that can be used to protect Active Directory, see Securing Active Directory [ http://technet.microsoft.com/enus/library/cc728372(WS.10).aspx ] . Note

To learn what group you need to be a member of to perform a particular procedure, many

procedural topics under How To in Help and Support Center provide a note that identifies this information.

Groups in the Builtin container

The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group. For complete descriptions of the user rights listed in the table, see User Rights Assignment [ http://technet.microsoft.com/enus/library/cc780182(WS.10).aspx ] . For information about editing these rights, see Edit security settings on a Group Policy object [ http://technet.microsoft.com/enus/library/cc736516(WS.10).aspx ] .

Group

Description

Default user rights

Account Operators

Members of this group can create, modify, and Allow log on locally; Shut delete accounts for users, groups, and down the system. computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution. Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution. Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. Back up files and directories; Allow log on locally; Restore files and directories; Shut down the system.

Administrators

Backup Operators

Members of this group can back up and restore all files on domain controllers in the domain, regardless of their own individual permissions on those files. Backup Operators can also log on to domain controllers and shut them down. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Guests

By default, the Domain Guests group is a No default user rights. member of this group. The Guest account (which is disabled by default) is also a default member of this group. Members of this group can create one-way, No default user rights. incoming forest trusts to the forest root domain. For example, members of this group residing in Forest A can create a one-way, incoming forest trust from Forest B. This one-way, incoming forest trust allows users in Forest A to access resources located in Forest B. Members of this group are granted the permission Create Inbound Forest Trust on the forest root domain. This group has no default members. For more

Incoming Forest Trust Builders (only appears in the forest root domain)

information about creating forest trusts, see Create a forest trust [ http://technet.microsoft.com/enus/library/cc780479(WS.10).aspx ] . Network Configuration Operators Performance Monitor Users Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members. No default user rights.

Members of this group can monitor performance No default user rights. counters on domain controllers in the domain, locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

Performance Log Members of this group can manage performance No default user rights. Users counters, logs and alerts on domain controllers in the domain, locally and from remote clients without being a member of the Administrators group. Pre-Windows 20 Members of this group have read access on all Access this computer from 00 Compatible users and groups in the domain. This group is the network; Bypass traverse Access provided for backward compatibility for checking. computers running Windows NT 4.0 and earlier. By default, the special identity Everyone is a member of this group. For more information about special identities, see Special identities [ http://technet.microsoft.com/enus/library/cc778060(WS.10).aspx ] . Add users to this group only if they are running Windows NT 4.0 or earlier. Print Operators Members of this group can manage, create, Allow log on locally; Shut share, and delete printers connected to domain down the system. controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can log on locally to domain controllers in the domain and shut them down. This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. No default user rights.

Remote Desktop Members of this group can remotely log on to Users domain controllers in the domain. This group has no default members. Replicator

This group supports directory replication No default user rights. functions and is used by the File Replication service on domain controllers in the domain. This group has no default members. Do not add users to this group. On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution. Members of this group can perform most common tasks, such as running applications, Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system. No default user rights.

Server Operators

Users

using local and network printers, and locking the server. By default, the Domain Users group, Authenticated Users, and Interactive are members of this group. Therefore, any user account created in the domain becomes a member of this group.

Groups in the Users container

The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group. For complete descriptions of the user rights listed in the table, see User Rights Assignment [ http://technet.microsoft.com/enus/library/cc780182(WS.10).aspx ] . For information about editing these rights, see Edit security settings on a Group Policy object [ http://technet.microsoft.com/enus/library/cc736516(WS.10).aspx ] .

Group Cert Publishers

Description Members of this group are permitted to publish certificates for users and computers. This group has no default members.

Default user rights No default user rights.

DnsAdmins (installed with DNS) DnsUpdateProxy (installed with DNS)

Members of this group have No default user rights. administrative access to the DNS Server service. This group has no default members. Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members. Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution. No default user rights.

Domain Admins

Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Domain Computers

This group contains all workstations and No default user rights. servers joined to the domain. By default, any computer account created becomes a member of this group automatically.

Domain Controllers Domain Guests Domain Users

This group contains all domain controllers in the domain. This group contains all domain guests.

No default user rights. No default user rights.

This group contains all domain users. By No default user rights. default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer). Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution. Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Enterprise Admins (only appears in the forest root domain)

Group Policy Creator Owners

Members of this group can modify Group No default user rights. Policy in the domain. By default, the Administrator account is a member of this group. Because this group has significant power in the domain, add users with caution.

IIS_WPG (installed The IIS_WPG group is the Internet No default user rights. with IIS) Information Services (IIS) 6.0 worker process group. Within the functioning of IIS 6.0 are worker processes that serve specific namespaces. For example, www.microsoft.com is a namespace served by one worker process, which can run under an identity added to the IIS_WPG group, such as MicrosoftAccount. This group has no default members. RAS and IAS Servers Schema Admins (only appears in the forest root Servers in this group are permitted access to the remote access properties of users. No default user rights.

Members of this group can modify the No default user rights. Active Directory schema. By default, the Administrator account is a member of

domain)

this group. Because this group has significant power in the forest, add users with caution.

Tags: ad default groups

Community Content