Learn Windows XP Professional in 15 Minutes a Week: Managing Groups in Windows XP Professional

By ServerWatch Staff (Send Email)
Posted Jul 23, 2002


by Jason Zandri
www.2000trainers.com

Jason Zandri's latest article in the Learning Windows XP Professional in 15 Minutes a Week series covers managing Groups in Windows XP Professional

Welcome to this week's installment of Learn Windows XP Professional in 15 minutes a week, the 11th in this series. This article will cover Managing Groups in Windows XP Professional in additional detail to what was discussed in the last article.

Managing Groups in Windows XP Professional

In Microsoft Windows XP Professional you will find a number of default local groups on your system which can perform the following default functions as outlined:

Administrators                        Members of the Administrators group have complete and unrestricted access to the computer and can perform all administrative tasks. The built-in Administrator account is a member of this group by default and should the Windows XP Professional system be joined to a domain (or domains), the Domain Admins group of the domain(s) joined will be added to the local Administrators group as well.

Backup Operators

Members of the Backup Operators group can use Windows Backup (NTBACKUP) to back up and restore data to the local computer. Being in this group allows them to override security restrictions for the sole purpose of backing up or restoring files.

Guests Members of the built in Guests group are limited to only having access to specific resources for which they have been assigned explicit permissions for and can only perform specific tasks for which they have been assigned explicit rights.

This is nearly the same access level as members of the Users group except for some additional restrictions.

By default, the built-in Guest account is a member of the Guests group. When the Windows XP Professional system is joined to a domain (or domains), the Domain Guests group of the domain(s) joined will be added to the local Guests group as well.

Power Users

Members of the Power Users group can create and modify local user accounts on the computer and share resources. Effectively, they are one group lower in authority on a local system from the Administrators group in that they possess most administrative powers with certain restrictions.

Users Members of the Users Group are prevented from making accidental or intentional system-wide changes and they are only slightly higher in the permission scheme than the Guests Group.

Members of the Users group are limited to only having access to specific resources for which they have been assigned explicit permissions and can only perform specific tasks for which they have been assigned explicit rights.

When a new user is created on a Windows XP Professional system, it is added to the Users group by default.

When the Windows XP Professional system is joined to a domain (or domains), the Domain Users group of the domain(s) joined will be added to the local Users group as well.

[NOTES FROM THE FIELD] - The built-in Administrator account is enabled by default and cannot be deleted from the system. The name of the account as well as the password can be changed, however, and this is a recommended best practice. It is also recommended that the default Administrator account never be used or used as infrequently as possible and only when tasks need to be performed at an Administrative level. If there is ever more than one Administrator on a workstation, each one should have an account created for their use. In the event that you need to log administrative events, this would be easier if there were a number of different administrator accounts created rather than a single one.

The Guest account also cannot be deleted from the system; however, it is DISABLED by default and unless there is some required operational need, it should stay disabled. The only "need" for the Guest account would be a kiosk type terminal in a lobby of an office building or hotel, and in that event it could be used. If there is ever a short time need to grant access to a temporary user to a system, it is always worth the "aggravation" to create an account.

Also, it is not recommended to change any of the default permissions and other settings to the built-in groups. If you need to elevate or lower permissions for all users in a built-in group, it is almost always better to create a new group, place all of the intended users into that group and then make adjustments there accordingly.

Page 1 of 7


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.