There are a few differences between user groups in standalone Windows computers (those not part of a domain) and those created in Active Directory. The following groups are available on a local server whether it is part of a domain or a standalone server:
of this group have full control over the local server. As recommended earlier in this chapter, it is a good idea from a security standpoint to rename the Administrator account. Then you can create individual accounts for administrative-level users and grant them the same rights by adding them to this
This group lets you specify which users can perform backup and restore operations.
If you have installed a DHCP server on the computer, this group will be created automatically. Place members into this group if you want them to be able to manage the DHCP service.
This group simply lets members view information about the DHCP database. They cannot make changes to it, however.
This group grants members the rights that the Administrator account possesses. It is a good idea to create accounts with a name other than Administrator and put them in this group, and then change the
of the Administrator account. This will enable you to track in the event log which Domain Administrators user has made changes to the system, and protect you from simple attacks that target the known Administrator account.
This group is disabled by default and is used to let members log on using a temporary user profile. No rights are granted by default to this group. You should probably leave this group disabled for security reasons.
This group also does not possess any default rights. If you do grant rights to this group (which you should not!), then they will apply to all Microsoft help applications, such as Remote Assistance. Because this group is used by applications, you should not place user accounts into this group.
Network Configuration Operators
This group enables its members to make changes to network protocols, such as TCP/IP.
Performance Monitor Users
This group enables its members to use performance monitor counters to evaluate the operation of the local server.
Performance Log Users
This group is a superset of the Performance Monitor Users group, in that its members can also manage which performance counters are enabled, and enable logs and alerts on the local server.
This group is granted the following rights, and should be used only for users who understand what these rights can do: Access this computer from the network; Allow log on locally; Bypass traverse checking; Change the system time; Profile single process; Remove computer from docking station; and Shut down the system.
This group's members can manage printer resources on the local computer.
Remote Desktop Users
This group holds the right Allow log on through Terminal Services. Its members can log on to a server remotely.
No user accounts should be added to this group. It is used by several replication functions,
those used to access replication services on a domain controller.
Terminal Server Users
This group is made up of users who are currently logged on as Terminal Services users. It is used to run older applications, such as those created for Windows NT 4.0.
This group contains any user account currently logged on to the computer, as well as the Domain Users group, if the computer is joined to a domain. Members can perform everyday functions such as running applications and using resources such as printers attached to the computer.
If you are still using the Windows Internet Naming Service (WINS) this late in the game, this group will be present if WINS is installed and running. Members of this group can only read information from the WINS database, but cannot change it.
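The membership advice above can be checked on a live machine. The following PowerShell audit is an added example, not part of the original chapter. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets, which are newer than the server release this chapter describes, and it looks groups up by well-known SID so that renamed or localized groups are still found.

```powershell
# Added example: audit local built-in groups against the chapter's advice.
# Assumption: Windows PowerShell 5.1+ (Get-LocalGroup, Get-LocalGroupMember, Get-LocalUser).

# Well-known SIDs of the groups to inspect, with the policy applied to each.
$policy = [ordered]@{
    'S-1-5-32-544' = 'review'  # Administrators: full control of the local server
    'S-1-5-32-555' = 'review'  # Remote Desktop Users: remote logon
    'S-1-5-32-556' = 'review'  # Network Configuration Operators
    'S-1-5-32-559' = 'review'  # Performance Log Users
    'S-1-5-32-552' = 'empty'   # Replication group: no user accounts should be members
}

function Get-LocalGroupAudit {
    foreach ($sid in $policy.Keys) {
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }          # group not present on this machine
        try {
            $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
        } catch {
            # Enumeration can fail, for example on orphaned member SIDs.
            Write-Warning "Could not enumerate '$($group.Name)': $_"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group   = $group.Name
                Member  = $m.Name
                Class   = $m.ObjectClass       # User or Group
                Source  = $m.PrincipalSource   # Local, ActiveDirectory, ...
                Finding = if ($policy[$sid] -eq 'empty' -and $m.ObjectClass -eq 'User') {
                              'user account in a group that should have none'
                          } else { 'confirm this membership is intended' }
            }
        }
    }
}

function Test-BuiltinAccounts {
    # The built-in Administrator and Guest accounts keep RIDs 500 and 501 after a rename.
    $users = Get-LocalUser
    $admin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($admin -and $admin.Name -eq 'Administrator') {
        Write-Warning 'Built-in Administrator account still has its default name.'
    }
    if ($guest -and $guest.Enabled) {
        Write-Warning 'Built-in Guest account is enabled.'
    }
}

Get-LocalGroupAudit | Format-Table -AutoSize
Test-BuiltinAccounts
```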