
How-To: Windows Built-in Users, Default Groups and Special Identities

Special identities are implicit placeholders: they are not listed in Active Directory, but they are available when applying permissions, and their membership is calculated automatically by the operating system.

Each entry below is either a default user or default group, or a special identity, followed by its description and its default user rights.

Session owner

Access Control Assistance Operators
  Remotely query authorization attributes and permissions for resources on the computer. BuiltIn Local.
  Default User Rights: None

Account Operators
  Grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
  Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
  Default User Rights:
    Allow log on locally: SeInteractiveLogonRight

Administrator
  A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.

Administrators
  A built-in group. Grants complete and unrestricted access to the computer, or, if the computer is promoted to a domain controller, members have unrestricted access to the domain.
  This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins.
  The group is the default owner of any object that is created by a member of the group.
  Default User Rights:

Allowed RODC Password Replication Group
  Manage a RODC password replication policy. The Denied RODC Password Replication Group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
  Default User Rights: None

Anonymous Logon
  A user who has logged on anonymously. This identity allows anonymous access to resources, such as a web page that is published on corporate servers.
  Default User Rights: None

Authenticated Users
  A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
  Default User Rights:
    Access this computer from the network: SeNetworkLogonRight
    Add workstations to domain: SeMachineAccountPrivilege (often removed in environments that have an IT administrator)
    Bypass traverse checking: SeChangeNotifyPrivilege

Backup Operators
  A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
  Default User Rights:
    Allow log on locally: SeInteractiveLogonRight
    Back up files and directories: SeBackupPrivilege
    Log on as a batch job: SeBatchLogonRight
    Restore files and directories: SeRestorePrivilege
    Shut down the system: SeShutdownPrivilege

Batch
  Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job. Membership is controlled by the operating system.
  Default User Rights: None

Certificate Service DCOM Access
  Members of this group are allowed to connect to certification authorities in the enterprise.
  Default User Rights: None

Cert Publishers
  A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
  Default User Rights: None

Cert Server Admins
  Certificate Authority Administrators: authorized to administer certificates for User objects in Active Directory. (Domain Local)

Cert Requesters
  Members can request certificates. (Domain Local)

Cloneable Domain Controllers
  Members of the Cloneable Domain Controllers group that are domain controllers may be cloned.
  Default User Rights: None

Cryptographic Operators
  Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
  Default User Rights: None

Creator Group
  The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
  Default User Rights: None

Creator Owner
  The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object's current owner.

Denied RODC Password Replication Group
  Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller. The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups.
  Default User Rights: None

Device Owners
  This group is not currently used in Windows.
  Default User Rights:
    Allow log on locally: SeInteractiveLogonRight
    Access this computer from the network: SeNetworkLogonRight
    Bypass traverse checking: SeChangeNotifyPrivilege
    Change the time zone: SeTimeZonePrivilege

Dialup
  Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.

Digest Authentication
  Default User Rights: None

Distributed COM Users
  Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer.
  Default User Rights: None

DnsAdmins (installed with DNS)
  Members of this group have administrative access to the DNS Server service. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group has no default members.
  Default User Rights: None

DnsUpdateProxy (installed with DNS)
  Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members.
  Default User Rights: None

Domain Admins
  A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
  Default User Rights: as Administrators

Domain Computers
  A global group that includes all computers that have joined the domain, excluding domain controllers.
  Default User Rights: None

Domain Controllers
  A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.
  Default User Rights: None

Domain Guests
  A global group that, by default, has only one member, the domain's built-in Guest account.
  Default User Rights: See 'Guests'

Domain Users
  A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.
  Default User Rights: See 'Users'

Enterprise Admins
  A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
  Default User Rights:
    See 'Administrators'
    See 'Denied RODC Password Replication Group'

Enterprise Key Admins
  Members of this group can perform administrative actions on key objects within the forest. The Enterprise Key Admins group was introduced in Windows Server 2016.
  Default User Rights: None

Enterprise Read-Only Domain Controllers
  Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds.
  Default User Rights: None

Enterprise Domain Controllers
  A group that includes all domain controllers in an Active Directory directory service forest of domains. Membership is controlled by the operating system.
  Default User Rights:
    Access this computer from the network: SeNetworkLogonRight
    Allow log on locally: SeInteractiveLogonRight

Event Log Readers
  Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
  Default User Rights: None

Everyone
  All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; it no longer includes Anonymous Logon by default (although this can be changed). Membership is controlled by the operating system.
  Default User Rights:
    Access this computer from the network: SeNetworkLogonRight
    Act as part of the operating system: SeTcbPrivilege
    Bypass traverse checking: SeChangeNotifyPrivilege

Group Policy Creator Owners
  A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own.
  Default User Rights: See 'Denied RODC Password Replication Group'

Guest
  A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.

Guests
  A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the %userprofile% directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system.
  Default User Rights: None

Hyper-V Administrators
  Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access. Introduced in Windows Server 2012.
  Default User Rights: None

IIS_IUSRS
  IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized.
  Default User Rights: None

Incoming Forest Trust Builders
  Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. This group cannot be renamed, deleted, or moved.
  Default User Rights: None

Key Admins
  Members of this group can perform administrative actions on key objects within the domain.
  Default User Rights: None

Interactive
  Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
  Default User Rights: None

KRBTGT
  A service account that is used by the Key Distribution Center (KDC) service.

Local Service
  The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password.
  Default User Rights:
    Adjust memory quotas for a process: SeIncreaseQuotaPrivilege
    Bypass traverse checking: SeChangeNotifyPrivilege
    Change the system time: SeSystemtimePrivilege
    Change the time zone: SeTimeZonePrivilege
    Create global objects: SeCreateGlobalPrivilege
    Generate security audits: SeAuditPrivilege
    Impersonate a client after authentication: SeImpersonatePrivilege
    Replace a process level token: SeAssignPrimaryTokenPrivilege

Local System
  This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
  Default User Rights: None

Network
  This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
  Default User Rights: None

Network Service
  The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
  Default User Rights:
    Adjust memory quotas for a process: SeIncreaseQuotaPrivilege
    Bypass traverse checking: SeChangeNotifyPrivilege
    Create global objects: SeCreateGlobalPrivilege
    Generate security audits: SeAuditPrivilege
    Impersonate a client after authentication: SeImpersonatePrivilege
    Restore files and directories: SeRestorePrivilege
    Replace a process level token: SeAssignPrimaryTokenPrivilege

Network Configuration Operators
  Members of this group can make changes to TCP/IP settings, rename/enable/disable LAN connections, delete/rename remote access connections, enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card, and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members.
  Default User Rights: None

NTLM Authentication
  Default User Rights: None

Other Organization
  This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
  Default User Rights: None

Performance Monitor Users
  Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups.
  Default User Rights: None

Performance Log Users
  Members of this group can manage performance counters, logs and alerts on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators group.
  Default User Rights:
    Log on as a batch job: SeBatchLogonRight

Power Users
  By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group did once grant users specific admin rights and permissions in previous versions of Windows.

Pre-Windows 2000 Compatible Access
  A backward compatibility group which allows read access on all users and groups in the domain. By default, the special identity Everyone is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
  Default User Rights:
    Access this computer from the network: SeNetworkLogonRight
    Bypass traverse checking: SeChangeNotifyPrivilege

Principal Self or Self
  This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
  Default User Rights: None

Print Operators
  A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
  Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
  Default User Rights:
    Allow log on locally: SeInteractiveLogonRight
    Load and unload device drivers: SeLoadDriverPrivilege
    Shut down the system: SeShutdownPrivilege

Protected Users
  Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. This group was introduced in Windows Server 2012 R2.
  Default User Rights: None

RAS and IAS Servers
  Servers in this group are permitted access to the remote access properties of users. A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
  Default User Rights: None

RDS Endpoint Servers
  Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
  Default User Rights: None

RDS Management Servers
  Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
  Default User Rights: None

RDS Remote Access Servers
  Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
  Default User Rights: None

Remote Desktop Users
  The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
  Default User Rights: None

Read-Only Domain Controllers
  This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
  Default User Rights: See 'Denied RODC Password Replication Group'

Remote Interactive Logon
  This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
  Default User Rights: None

Remote Management Users
  Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group allows remotely running Windows PowerShell commands.
  Default User Rights: None

Replicator
  Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL).
  The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication.
  Default User Rights: None

Restricted
  Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user's access token.
  Default User Rights: None

SChannel Authentication
  Default User Rights: None

Schema Admins
  A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. Because this group has significant power in the forest, add users with caution.
  Default User Rights: See 'Denied RODC Password Replication Group'

Server Operators
  A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
  Default User Rights:
    Allow log on locally: SeInteractiveLogonRight
    Back up files and directories: SeBackupPrivilege
    Change the system time: SeSystemtimePrivilege
    Change the time zone: SeTimeZonePrivilege
    Force shutdown from a remote system: SeRemoteShutdownPrivilege
    Restore files and directories: SeRestorePrivilege
    Shut down the system: SeShutdownPrivilege

Service
  Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
  Default User Rights:
    Create global objects: SeCreateGlobalPrivilege
    Impersonate a client after authentication: SeImpersonatePrivilege

Storage Replica Administrators
  Members of this group have complete and unrestricted access to all features of Storage Replica.
  Default User Rights: None

System Managed Accounts Group
  Members of this group are managed by the system.
  Default User Rights: None

Terminal Server License Servers
  Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
  Default User Rights: None

Terminal Server Users
  Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
  Default User Rights: None

This Organization
  Default User Rights: None

Users
  A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.
  This group cannot be renamed, deleted, or moved.
  Default User Rights: None

Windows Authorization Access Group
  Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services.
  Default User Rights: None

Window Manager\Window Manager Group
  Default User Rights:
    Bypass traverse checking: SeChangeNotifyPrivilege
    Increase a process working set: SeIncreaseWorkingSetPrivilege

WinRMRemoteWMIUsers_
  In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
  The WinRMRemoteWMIUsers_ group allows running PowerShell commands remotely, whereas the 'Remote Management Users' group is generally used to allow users to manage servers by using the Server Manager console. This security group was introduced in Windows Server 2012.
  Default User Rights: None
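Several entries above carry a caution that belongs in a periodic audit: Account Operators, Server Operators, Backup Operators and Print Operators can log on to or shut down domain controllers, Schema Admins and Group Policy Creator Owners own forest- or domain-wide objects, Protected Users is the group that applies non-configurable credential protection, and Pre-Windows 2000 Compatible Access contains Everyone by default although only NT 4.0-era clients belong in it. The following PowerShell script is an added example, not part of the original how-to. It reads the membership of those groups and reports which privileged members are not in Protected Users, and whether the legacy group still contains the broad special identities. It assumes the RSAT ActiveDirectory module, the English default group names used on this page, the caller's current domain, and read access to the groups; the function names are the example's own.

```powershell
# Added example (not from the original how-to): report who sits in the built-in
# groups this page describes as high-privilege, and flag the legacy
# Pre-Windows 2000 Compatible Access group if it still contains the broad
# special identities. Assumes the RSAT ActiveDirectory module, the English
# default group names used on this page, and the caller's current domain.
#Requires -Modules ActiveDirectory

function Get-PrivilegedGroupReport {
    [CmdletBinding()]
    param(
        # Groups whose members can reach domain controllers, load drivers,
        # back up/restore files, change the schema or own new GPOs.
        [string[]]$GroupNames = @(
            'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
            'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
            'Group Policy Creator Owners', 'DnsAdmins', 'Key Admins', 'Enterprise Key Admins'
        )
    )

    # Protected Users applies the non-configurable credential protections the page
    # describes; build a SID lookup so each privileged member can be checked.
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protected[$_.SID.Value] = $true }

    foreach ($name in $GroupNames) {
        try {
            # -Recursive expands nested groups so indirect members are reported too.
            $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$name': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group            = $name
                Member           = $m.SamAccountName
                ObjectClass      = $m.objectClass
                InProtectedUsers = $protected.ContainsKey($m.SID.Value)
            }
        }
    }
}

function Test-PreWindows2000CompatibleAccess {
    # The page notes Everyone is a default member of this backward-compatibility
    # group and that only NT 4.0-era clients belong in it. Well-known SIDs are
    # stored as foreignSecurityPrincipal objects whose CN is the SID string,
    # so the DN in the member attribute is matched directly instead of resolving it.
    $broadSids = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-7'  = 'Anonymous Logon'
        'S-1-5-11' = 'Authenticated Users'
    }
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($broadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Group   = $group.Name
                    Member  = $broadSids[$sid]
                    SID     = $sid
                    Finding = 'Broad special identity grants read access to all users and groups in the domain'
                }
            }
        }
    }
}

# Usage: list privileged members, those outside Protected Users first.
Get-PrivilegedGroupReport |
    Sort-Object InProtectedUsers, Group, Member |
    Format-Table -AutoSize

Test-PreWindows2000CompatibleAccess | Format-Table -AutoSize
```

The script only reads directory data; it changes nothing. Computer accounts (for example domain controllers nested under Administrators) will show as not in Protected Users, which is expected, so filter on ObjectClass when reviewing the output.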

Default Admin Users and Groups:
