Default Local Groups


Default Local Groups

A local group is created and available only on a local, single computer. Windows creates default local groups automatically during installation. These groups have default rights, permissions, and group memberships.

You can rename these groups, but cannot delete them. Some default groups are listed in the following table:




Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator.

Backup Operators

Members of the Backup Operators group can back up and restore files

(regardless of permissions), log on locally, and shut down the system. However, members cannot change security settings.


Members of the Users group:

  • Can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
  • Cannot share directories or install printers if the driver is not yet installed.
  • Cannot view or modify system files.

You should know the following about the Users group:

  • Any user created with Local Users and Groups is automatically a member of this group.
  • User accounts designated as limited use accounts are members of this group.

Power Users

Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications requiring the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions present in previous versions of Windows.


Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at log on, that is then deleted when the member logs off.

Note: Additional groups, such as Network Configuration Operators and Replicator, also exist. Additionally, many features or applications may create default groups. In most cases, you should not modify the membership or privileges of these groups without understanding how they are used.


AD Groups


Groups in Active Directory

A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts helps simplify network maintenance and administration. For instance, through groups the users receive all the user rights assigned to the group and all the permissions assigned to the group on any shared resources.

Like user accounts, there are both local and domain groups.

  • Local groups exist only on the local computer, and control access to local resources.
  • Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.

Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group. The following table lists the different security group scopes and their membership and use.

Group scope

Membership Resource Access


Global groups can contain members within the same domain. These include:

    Global groups in the same domain (in native mode only).

    Users and computers within the same domain.

Use global groups to group users and computers within the domain who have similar access needs.

Global groups can be assigned permissions to resources anywhere in the forest.

Create global groups to organize users (e.g., Sales or Development).



Domain local groups can contain members from any domain in the forest. These include:

    Domain local groups in the same domain (in native mode only).

    Global groups within the forest.

    Universal groups within the forest (in native mode only).

    Users and computers within the forest.

Domain local groups can be assigned permissions within a domain.

Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.


Universal groups can contain members from any domain in the forest. These include:

    Universal groups within the forest.

    Global groups within the forest.

    Users and computers within the forest.

Universal groups can be assigned permissions to resources anywhere in the forest.

Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.

In addition to the group scope, there are two types of groups:







A security group is one that can be used to manage rights and permissions.

  • Group members get the permissions that are granted to the group.
  • A security group represents an object with a security identifier (SID), which through the member attribute, collects other objects, such as users, computers, contacts and other groups.

  • A distribution group is used to maintain a list of users and is typically used for sending e- mails to all group members. Distribution groups cannot be used for assigning permissions.

Be aware of the following when managing groups:

The basic best practices for user and group security are:

o Create groups based on user access needs.

o Assign user accounts to the appropriate groups.

o Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.

After creating a group, you may need to convert the group’s scope and/or type.

Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.

   o You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.

If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.

To add or remove members of a group, use one of the following methods:

On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.

o On the user account, edit the Members Of tab and select the group to which you want to add the user. The Member Of tab displays all of groups to which the object is a member. Use this method to efficiently add a single user to multiple groups.

Because a group can be a member of another group, a group object also has a Member Of tab. Adding objects to the Member Of tab for a group makes the group a member of another group (it does not add members to the group).

    When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted. They are simply no longer associated with the group. If you delete the group, use one of the following strategies to recover it:

Re-create the group, add all the original group members, and reassign any permissions granted to the group.

   o Restore the group from a recent backup.