The ability to use a computer is controlled through a user account.

  • The user account identifies a specific user.
  • Logon is the process of authenticating to the computer by supplying a user account name and the password associated with that user account.
  • On Windows systems, the ability to perform an action on a computer, such as modifying system settings or installing hardware, is called a right.
  • Access to files, folders, and printers is controlled through permissions. Permissions identify what the user can do with the associated object.
  • Windows includes two built-in users.
    • The Administrator account has all rights and permissions on the computer.
    • The Guest account has very limited capabilities, usually restricted to logging on, viewing files, and running some programs. As a security measure, Windows XP and later automatically disable the Guest account to prevent logon to the system.
  • Rights and permissions can be assigned to multiple users by using groups. Privileges assigned to the group are granted to all group members.
  • On a Windows system, users and groups are stored in one of two locations:
    • Local accounts are stored on each computer and control access to resources on that computer.
    • Domain accounts are stored in a central database called the Active Directory. A domain controller is a special server that holds (among other things) user accounts, groups, and the rights and permissions assigned to them.

Windows systems have default groups that are created automatically. These groups have preassigned rights, permissions, and group memberships. You can rename these groups, but cannot delete them. The following table lists some of these groups:

Group Name | Capabilities

Administrators | Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The Administrator user account and any account designated as a "computer administrator" are members of this group.

Backup Operators | Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. Members cannot change security settings.

Power Users | Members of the Power Users group can:
  • Create user accounts and modify and delete accounts they create.
  • Create local groups and remove users from local groups they create.
  • Remove users from the Power Users, Users, and Guests groups.
  • Change the system date and time.
  • Install applications.
Members cannot:
  • Change membership of the Administrators or Backup Operators groups.
  • Take ownership of files.
  • Back up or restore files.
  • Load or unload device drivers.
  • Manage security and auditing logs.
Windows Vista/7 no longer uses the Power Users group, although it still exists for backwards compatibility.

Users | Members of the Users group can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
  • Members cannot share directories or install printers if the driver is not yet installed.
  • Members cannot view or modify system files.
  • Any user created with Local Users and Groups is automatically a member of this group.
  • User accounts designated as "limited use" accounts are members of this group.
  • A user account created as a "computer administrator" is made a member of this group (in addition to being a member of the Administrators group).

Guests | Members of the Guests group have limited rights (similar to members of the Users group). Members can shut down the system.

Additional groups such as Network Configuration Operators and Replicator also exist. Additionally, many features or applications may create default groups. In most cases, you should not modify the membership or privileges of these groups without understanding how they are used.
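
Before changing any membership, it helps to see who is currently in the groups from the table. The script below is an added example, not part of the original notes: it reads membership of the privileged built-in groups and the state of the two built-in accounts. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets; the function names `Get-BuiltinGroupAudit` and `Get-BuiltinAccountState` are hypothetical.

```powershell
# Added example: read-only audit of the built-in groups listed in the table.
# Groups are looked up by well-known SID because they can be renamed.
$builtinGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-546' = 'Guests'
}

function Get-BuiltinGroupAudit {
    foreach ($sid in $builtinGroups.Keys) {
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }          # group not present on this system
        try {
            $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
        } catch {
            # Enumeration can fail when the group contains an orphaned SID
            # (for example a deleted domain account); report it, do not hide it.
            [pscustomobject]@{
                Group = $group.Name; DefaultName = $builtinGroups[$sid]
                Member = '<enumeration failed>'; Class = $null; Source = $null
            }
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $group.Name            # current (possibly renamed) name
                DefaultName = $builtinGroups[$sid]   # name used in the table above
                Member      = $m.Name
                Class       = $m.ObjectClass         # User or Group
                Source      = $m.PrincipalSource     # Local vs. ActiveDirectory (domain)
            }
        }
    }
}

function Get-BuiltinAccountState {
    # The built-in accounts keep fixed RIDs even if renamed:
    # 500 = Administrator, 501 = Guest.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '-(500|501)$' } |
        Select-Object Name, Enabled,
            @{ Name = 'Rid'; Expression = { $_.SID.Value.Split('-')[-1] } }
}

Get-BuiltinGroupAudit   | Format-Table -AutoSize
Get-BuiltinAccountState | Format-Table -AutoSize
```

On a default installation the Guest row (RID 501) should show `Enabled` as `False`, and any member listed under Power Users is worth reviewing, since current Windows versions keep that group only for backwards compatibility.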