The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer.
Blank passwords are not allowed in the versions designated in the Applies To list at the beginning of this topic. Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode.
In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights.
By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. When an administrator enables the Guest account, it is a best practice to create a strong password for this account.
In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the "Shut down the system" user right. In addition, the guest user in the Guest account should not be able to view the event logs.
After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
The Windows Remote Assistance session can be used to connect from the server to another computer running the Windows operating system.
Solicited remote assistance is initiated by invitation: a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. The HelpAssistant account provides limited access to the computer to the person who provides assistance. The HelpAssistant account is automatically deleted after no Remote Assistance requests remain pending.
This group includes all users who sign in to a server with Remote Desktop Services enabled. This group includes all users who sign in to the computer by using Remote Desktop Connection.
This group is a subset of the Interactive group. For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. For more information about remote desktop connections for those client operating systems designated in the Applies To list at the beginning of this topic, see Enable Remote Desktop.
The system account and the Administrator account of the Administrators group have the same file rights and permissions, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The system account was designed for that purpose. It is an internal account that does not show up in User Manager, it cannot be added to any groups, and it cannot have user rights assigned to it.
In this respect the system account has the same functional rights and permissions as the Administrator account, but granting the Administrators group permissions on a file does not implicitly grant those permissions to the system account.
The system account's permissions can be removed from a file, but we do not recommend removing them. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer.
For more information about creating and managing local user accounts, see Manage Local Users. You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer.
It regulates which users can have access to an object on the server and in what manner. You cannot use Local Users and Groups to view local users and groups after a member server is used as a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
An administrator can use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called "lateral movement". The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor.
When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
The other approaches that can be used to restrict and protect user accounts with administrative rights include:
A group that includes all service processes that are configured on the system. The group is created when the Hyper-V role is installed.
The guest-user account in a domain. Users who do not have an account can automatically sign in to this account. A group that contains all user accounts in a domain. All users are automatically added to this group. The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group. The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest.
Enterprise administrators are responsible for forest-level operations such as adding or removing new domains. A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users. A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers.
These accounts are used only by the system. This group permits access to various attributes of User objects.
The following table describes changes in SID implementation in the Windows operating systems that are designated in the Applies To list. The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files.
When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. Note: The structure used in all SIDs that were created by a Windows Server operating system and earlier versions is revision level 1.
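To make the two-pass rule concrete, here is an added model (my own illustrative code, not from this Microsoft article or from Windows itself) of a DACL being evaluated first against a token's normal SIDs and then, separately, against its restricting SIDs; the well-known SID strings are real, while the DACL, the two tokens and the toy access-mask bits are constructed, and owner rights and the NULL-DACL case are deliberately left out.

```python
# Added example (not from the Microsoft article): a simplified model of the
# Windows access check for a token with restricting SIDs. SID strings are real
# well-known values; the DACL and tokens are constructed for the demo.
from dataclasses import dataclass, field

LOCAL_SYSTEM = "S-1-5-18"        # NT AUTHORITY\SYSTEM
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
USERS = "S-1-5-32-545"           # BUILTIN\Users
READ, WRITE = 0x1, 0x2           # toy access-mask bits

@dataclass
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

@dataclass
class Token:
    sids: list                                       # user SID plus group SIDs
    restricting: list = field(default_factory=list)  # empty means not restricted

def check_dacl(dacl, sids, requested):
    """One pass over a canonically ordered DACL against one set of SIDs.
    A matching deny ACE covering a still-ungranted right fails the check;
    allow ACEs accumulate rights until everything requested is granted."""
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & requested & ~granted:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested

def access_check(dacl, token, requested):
    """Two-pass rule: normal SIDs must pass; restricting SIDs alone must too."""
    if not check_dacl(dacl, set(token.sids), requested):
        return False
    if token.restricting:
        return check_dacl(dacl, set(token.restricting), requested)
    return True

# Constructed DACL: Users explicitly denied write, Administrators read+write,
# Users read.
DACL = [
    Ace(allow=False, sid=USERS, mask=WRITE),
    Ace(allow=True, sid=ADMINISTRATORS, mask=READ | WRITE),
    Ace(allow=True, sid=USERS, mask=READ),
]
# System is a hidden member of Administrators, so its token carries that SID.
SYSTEM_TOKEN = Token(sids=[LOCAL_SYSTEM, ADMINISTRATORS])
# Same SIDs, restricted so only what Users alone could do is allowed.
RESTRICTED_TOKEN = Token(sids=[LOCAL_SYSTEM, ADMINISTRATORS], restricting=[USERS])

def demo():
    return {
        "system_rw": access_check(DACL, SYSTEM_TOKEN, READ | WRITE),          # True
        "restricted_rw": access_check(DACL, RESTRICTED_TOKEN, READ | WRITE),  # False
        "restricted_r": access_check(DACL, RESTRICTED_TOKEN, READ),           # True
    }
```

The restricted token still holds the Administrators SID, yet write is refused because the second pass, run against the Users SID alone, hits the deny ACE; a restricting list that matches no ACE at all fails closed.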
Note: This group includes authenticated security principals from any trusted domain, not only the current domain. A user who has connected to the computer without supplying a user name and password. An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem. System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users. An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access.
Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network. An identity that is used by services that have no need for extensive local access but do need authenticated network access.
Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access. A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed. By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group. A user account for people who do not have individual accounts.
Every computer has a local Guest account, and every domain has a domain Guest account. By default, Guest is a member of the Everyone and the Guests groups. Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. By default, the account is enabled in Windows client operating systems that are designated in the Applies To list, and disabled in Windows Server operating systems that are designated in the Applies To list. The Guest account does not require a password, but it can have one. The account exists only on domain controllers. A global group with members that are authorized to administer the domain.
By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group. A global group that includes all computers that have joined the domain, excluding domain controllers. A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically. A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory. A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities. By default, the only member of Enterprise Admins is the Administrator account for the forest root domain.
The group is a default member of every Domain Admins group in the forest. By default, the only member of the group is Administrator. Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. Objects that are created by members of these groups are owned by the group rather than by the individual.
A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account.
When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. After the initial installation of the operating system, the only member is the Authenticated Users group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. A built-in group that exists only on domain controllers.
By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
A built-in group that exists only on domain controllers. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
A built-in group that is used by the File Replication service on domain controllers. Do not add users to this group. An alias added by Windows. A backward compatibility group that allows read access on all users and groups in the domain.
An alias. Members in this group can have some administrative privileges to manage configuration of networking features. Members of this group have remote access to schedule logging of performance counters on this computer.
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. A group for Terminal Server License Servers. When Windows Server Service Pack 1 is installed, a new local group is created. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer. A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network.
This group needs to be populated on servers running RD Connection Broker. Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. A built-in local group.