2. Local Users and Groups - Introduction
Local Users and Groups is located in Computer Management, a collection of administrative tools
that you can use to manage a single local or remote computer.
You can use Local Users and Groups to secure and manage user accounts and groups stored
locally on your computer.
A local user or group account can be assigned permissions and rights on a particular computer
and that computer only.
Using Local Users and Groups you can limit the ability of users and groups to perform certain
actions by assigning them rights and permissions.
A right authorizes a user to perform certain actions on a computer, such as backing up files and
folders or shutting down a computer.
A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates
which users can have access to the object and in what manner.
3. Local Users and Groups- Introduction
(Contd..)
You cannot use Local Users and Groups to view local user and group accounts once a member
server has been promoted to a domain controller.
However, you can use Local Users and Groups on a domain controller to target remote
computers (that are not domain controllers) on the network.
Use Active Directory Users and Computers to manage users and groups in Active Directory.
4. Local Users Accounts
The Users folder located in the Local Users and Groups Microsoft Management Console (MMC)
displays the default user accounts as well as the user accounts you create.
These default user accounts are created automatically when you install a stand-alone server or
member server running Windows Server 2003.
5. Administrator Account
The Administrator account has full control of the server and can assign user rights and access
control permissions to users as necessary.
This account must be used only for tasks that require administrative credentials.
It is highly recommended that you set up this account to use a strong password.
The Administrator account is a member of the Administrators group on the server.
6. Administrator Account (Contd..)
The Administrator account can never be deleted or removed from the Administrators group, but
it can be renamed or disabled.
Because the Administrator account is known to exist on many versions of Windows, renaming or
disabling this account will make it more difficult for malicious users to try and gain access to it.
The Administrator account is the account you use when you first set up the server. You use this
account before you create an account for yourself.
Important : Even when the Administrator account has been disabled, it can still be used to gain
access to a computer using Safe Mode.
7. Guest Account
The Guest account is used by people who do not have an actual account on the computer.
A user whose account is disabled, but not deleted, can also use the Guest account.
The Guest account does not require a password. The Guest account is disabled by default, but
you can enable it.
You can set rights and permissions for the Guest account just like any user account.
By default, the Guest account is a member of the default Guests group, which allows a user to
log on to a server.
Additional rights, as well as any permissions, must be granted to the Guests group by a member
of the Administrators group.
The Guest account is disabled by default, and it is recommended that it stay disabled.
8. Help Assistance Account
The primary account used to establish a Remote Assistance session.
This account is created automatically when you request a Remote Assistance session and has
limited access to the computer.
The HelpAssistant account is managed by the Remote Desktop Help Session Manager service
and will be automatically deleted if no Remote Assistance requests are pending.
9. Default Local Groups
The Groups folder located in the Local Users and Groups Microsoft Management Console (MMC)
displays the default local groups as well as the local groups that you create.
The default local groups are automatically created when you install a stand-alone server or a
member server running Windows Server 2003.
Belonging to a local group gives a user the rights and abilities to perform various tasks on the
local computer.
You can add local user accounts, domain user accounts, computer accounts, and group accounts
to local groups.
However, you cannot add local user accounts and local group accounts to domain group
accounts
10. Default Local Groups (Contd..)
Group accounts are used to manage privileges for multiple users.
Global group accounts, for domain use, are created in Active Directory Users And Computers,
while local group accounts, for local system use, are created in Local Users And Groups.
Generally, group accounts are created to facilitate the management of similar types of users.
The types of groups that can be created include the following:
Groups for departments within the organization: Generally, users who work in the same
department need access to similar resources. Because of this, groups can be created that are
organized by department, such as Business Development, Sales, Marketing, or Engineering.
11. Default Local Groups(Contd..)
Groups for users of specific applications: Often, users will need access to an application and
resources related to the application. Application-specific groups can be created so that users get
proper access to the necessary resources and application files.
Groups for roles within the organization: Groups could also be organized by the user's role
within the organization. For example, executives probably need access to different resources
than supervisors and general users. Thus, by creating groups based on roles within the
organization, proper access is given to the users that need it.
A local user group is created locally.
These are the groups you can use directly on a Windows 10 computer without adding the
computer to an Active Directory domain.