Default User Accounts and Groups



When you install Windows Server 2003, the operating system installs default users and groups. These accounts are designed to provide the basic setup necessary to grow your network. Three types of default accounts are provided:

  • Built-In

    User and group accounts installed with the operating system, applications, and services

  • Predefined

    User and group accounts installed with the operating system

  • Implicit

    Special groups created implicitly when accessing network resources; also known as special identities

Note

Although you can modify the default users and groups, you can't delete those created by the operating system. The reason is that a deleted account can't be recreated: a new account with the same name receives a different SID, so nothing that references the old SID would match it, and the permissions and privileges held by the original account would be lost.


Built-In User Accounts

Built-in user accounts have special purposes in Windows Server 2003. All Windows Server 2003 systems have three built-in user accounts:

  • LocalSystem

    LocalSystem is a pseudo-account for running system processes and handling system-level tasks. It is the most highly privileged account on the computer: it holds the logon right Log On As A Service, and in some cases a service running as LocalSystem is allowed to interact with the desktop. Most services run under the LocalSystem account. Services that don't need that level of privilege should run under the less privileged LocalService or NetworkService accounts instead.

  • LocalService

    LocalService is a pseudo-account for running services with reduced privileges on the local system. It has roughly the same access to local resources as a member of the Users group, and when it touches network resources it does so anonymously, presenting no credentials. Services that run under this account are granted the right to Log On As A Service and, by default, the privileges Change The System Time and Generate Security Audits. Services that run as LocalService include Alerter, Messenger, Remote Registry, Smart Card, Smart Card Helper, SSDP Discovery Service, TCP/IP NetBIOS Helper, Uninterruptible Power Supply, and WebClient.

  • NetworkService

    NetworkService is a pseudo-account for running services that need reduced privileges on the local system but must authenticate on the network. Locally it has the same level of access as LocalService; on the network it presents the computer's credentials (the computer account, in a domain). As with LocalService, services that run under the NetworkService account are granted the right to Log On As A Service and the privileges Change The System Time and Generate Security Audits. Services that run as NetworkService include Distributed Transaction Coordinator, DNS Client, Performance Logs and Alerts, and Remote Procedure Call (RPC) Locator.
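As an added example (not part of the book's text), the following PowerShell inventories the account each installed service runs under, using only the built-in Win32_Service WMI class, and pulls out the services to review first: those running as LocalSystem with desktop interaction enabled, and those running under a named user account. The bucket labels are this example's own; nothing else is assumed.

```powershell
# Added example (not from the book): inventory the account each installed
# service runs under and pull out the ones to review first. Uses only the
# built-in Win32_Service WMI class; the bucket labels are this example's own.

function Get-ServiceAccountBucket {
    # Map the StartName value WMI reports onto the three built-in service accounts.
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'             { return 'LocalSystem' }
        '^NT AUTHORITY\\(LocalService|LOCAL SERVICE)$'     { return 'LocalService' }
        '^NT AUTHORITY\\(NetworkService|NETWORK SERVICE)$' { return 'NetworkService' }
        default                                            { return 'Named user account' }
    }
}

$services = Get-WmiObject -Class Win32_Service

# How many services run under each account.
$services |
    Group-Object { Get-ServiceAccountBucket $_.StartName } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Review first: LocalSystem services that are allowed to interact with the
# desktop. A flaw in one of these hands an attacker the most privileged
# account on the machine, on a window station shared with logged-on users.
"`nLocalSystem services with desktop interaction enabled:"
$services |
    Where-Object { (Get-ServiceAccountBucket $_.StartName) -eq 'LocalSystem' -and $_.DesktopInteract } |
    Select-Object Name, State, PathName |
    Format-Table -AutoSize

# Review next: services under a named user account. Check that those accounts
# are not members of Administrators and that their passwords are rotated,
# since the Service Control Manager stores the password for each of them.
"`nServices running under a named user account:"
$services |
    Where-Object { (Get-ServiceAccountBucket $_.StartName) -eq 'Named user account' } |
    Select-Object Name, StartName, PathName |
    Format-Table -AutoSize
```

Run it from an administrative PowerShell session on the server being reviewed. Any service in the first list that doesn't genuinely need system-wide privilege is a candidate for moving to LocalService or NetworkService.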

When you install add-ons or other applications on a server, other default accounts might be installed. You can usually delete these accounts.

When you install IIS, you might find several new accounts, including IUSR_hostname and IWAM_hostname, where hostname is the computer name. The IUSR_hostname account is the built-in account for anonymous access to IIS: every unauthenticated web request runs in its security context, so any permission you grant this account is effectively granted to anyone who can reach the web server. IIS uses the IWAM_hostname account to start out-of-process applications. These accounts are defined in Active Directory when they're configured on a domain controller. However, they're defined as local users when they're configured on a stand-alone server or workstation. Another built-in account that you might see is TSInternetUser. This account is used by Terminal Services.

Predefined User Accounts

Several predefined user accounts are installed with Windows Server 2003: Administrator, ASPNET, Guest, and Support. With member servers, predefined accounts are local to the individual system they're installed on.

Predefined accounts have counterparts in Active Directory. These accounts have domain-wide access and are completely separate from the local accounts on individual systems.

The Administrator Account

Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions. See Chapter 13, "Managing Files and Folders."

Security Alert

To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows account, you might want to rename the account as an extra security precaution. Be aware that renaming changes only the name: the account's SID still ends in the well-known relative identifier 500, so anyone who can enumerate accounts by SID can still identify it. If you rename the original Administrator account, you might also want to create a dummy Administrator account. This dummy account should have no permissions, rights, or privileges, and you should disable it.
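Because renaming changes the name but not the SID, the check you want is by RID. As an added example that is not from the book, this PowerShell finds the real Administrator account on the local machine and in the domain by its RID of 500, and then looks for a decoy account named Administrator that should be disabled. The domain part assumes the computer is joined to a domain; on a stand-alone server only the local queries apply.

```powershell
# Added example (not from the book): find the real Administrator account by
# its RID (500) rather than its name, locally and in the domain, then check
# for a decoy named Administrator. The domain part assumes this computer is
# joined to a domain; on a stand-alone server run only the local parts.

Add-Type -AssemblyName System.DirectoryServices

# Local SAM: Win32_UserAccount filtered to local accounts only.
"Local account with RID 500 (the real Administrator, whatever it is called):"
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
    Where-Object { $_.SID -like '*-500' } |
    Select-Object Name, SID, Disabled, Lockout |
    Format-Table -AutoSize

# Domain: take the domain SID from the domain object, append RID 500, and
# ask the domain controller to translate that SID to its current name.
$domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$sidBytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier("$domainSid-500")
"Domain account with RID 500: " + $adminSid.Translate([System.Security.Principal.NTAccount]).Value

# Decoy check: a local account *named* Administrator whose RID is not 500 is
# the dummy account. It should be disabled and hold no group memberships.
"`nDecoy accounts named Administrator (RID other than 500):"
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True AND Name = 'Administrator'" |
    Where-Object { $_.SID -notlike '*-500' } |
    Select-Object Name, SID, Disabled |
    Format-Table -AutoSize
```

The same SID-to-name translation is available to anyone who can query the SAM or the directory, which is why the rename is a speed bump rather than a control; the strong password and the disabled decoy do the real work.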


In most instances you won't need to change the basic settings for this account. However, you might need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, and Schema Admins. You'll find more information on these groups in the next section.

Real World

In a domain environment, you'll use the local Administrator account primarily to manage the system when you first install it. This allows you to set up the system without getting locked out. You probably won't use the account once the system has been installed. Instead, you'll probably want to make your administrators members of the Administrators group. This ensures that you can revoke administrator privileges without having to change the passwords for all the Administrator accounts.

For a system that's part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties. Here, you probably won't want to set up individual accounts for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer.

The ASPNET Account

The ASPNET account is used by the .NET Framework to run ASP.NET worker processes. The account is a member of the Domain Users group and as such has the same privileges as ordinary users in the domain.

The Guest Account

Guest is designed for users who need one-time or occasional access. Although guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system to potential security problems. The risk is so great that the account is initially disabled when you install Windows Server 2003.

The Guest account is a member of Domain Guests and Guests by default. It is important to note that the Guest account, like all other named accounts, is also a member of the implicit group Everyone. The Everyone group typically has access to files and folders by default. The Everyone group also has a default set of user rights.

Security Alert

If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution.


The Support Account

The Support account is used by the built-in Help And Support service. The account is a member of the HelpServicesGroup and Domain Users. The account has the right to log on as a batch job. This user rights assignment allows the Support account to execute batch updates.

Security Alert

The Support account is denied the right to log on locally (other than as a batch job) and is also denied the right to log on to the computer over the network. These restrictions are important to ensure that system security isn't compromised.
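As an added example (not from the book), this PowerShell exports the local user rights assignment with secedit and reports which deny rights cover a given account, so you can confirm the restrictions described above rather than assume them. The export path is an assumption for the example, as is the account name; on Windows Server 2003 the Support account is created under the name SUPPORT_388945a0.

```powershell
# Added example (not from the book): confirm which logon-deny rights apply to
# an account by reading the user rights assignment exported with secedit.
# Assumptions: $account names the account to check (the Support account is
# created as SUPPORT_388945a0); $exportPath is any writable location.
$account    = "$env:COMPUTERNAME\SUPPORT_388945a0"
$exportPath = Join-Path $env:TEMP 'user-rights.inf'

# secedit writes the [Privilege Rights] section as lines of the form
#   SeDenyNetworkLogonRight = *S-1-5-21-...-1001,*S-1-5-32-546
# with principals recorded as SIDs prefixed by an asterisk.
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Resolve the account name to its SID so it can be matched against the export.
$ntAccount = New-Object System.Security.Principal.NTAccount($account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Parse every "SeXxx = a,b,c" line into a right name and its member list.
$assignments = @{}
Get-Content $exportPath -Encoding Unicode | ForEach-Object {
    if ($_ -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $assignments[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}

# The deny rights that, together, keep an account off the machine except as a
# batch job. The last one should NOT be set for Support, or batch work breaks.
$denyRights = @(
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Terminal Services
    'SeDenyServiceLogonRight',            # Deny log on as a service
    'SeDenyBatchLogonRight'               # Deny log on as a batch job
)

foreach ($right in $denyRights) {
    $present = $assignments[$right] -contains "*$sid"
    $status  = if ($present) { "DENIED for $account" } else { "not set for $account" }
    "{0,-36} {1}" -f $right, $status
}

Remove-Item $exportPath
```

The export lists principals as written in policy, so a deny right granted through a group the account belongs to won't match the account's own SID; extend the check to the account's group SIDs if your policy works that way.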


Built-In and Predefined Groups

Built-in groups are installed with all Windows Server 2003 systems. Use built-in and predefined groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group. For example, you give a user administrative access to the system by making that user a member of the local Administrators group. You give a user administrative access to the domain by making that user a member of the domain local Administrators group in Active Directory.

Implicit Groups and Special Identities

In Windows NT, implicit groups were assigned implicitly during logon and were based on how a user accessed a network resource. For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group called Interactive. In Windows 2000 and Windows Server 2003, the object-based directory structure changes the original rules for implicit groups. You still can't view or edit the membership of special identities, because the system adds them to a security token at logon based on how the user, group, or computer authenticated. What you can do is assign rights and permissions to them, just as you would to an ordinary group.

To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership is determined implicitly, such as during logon, but that can be named explicitly in user rights assignments and in the permissions on objects. As with other default groups, the availability of a specific implicit group depends on the current configuration. Use Table 8-2 to determine the availability of the various implicit groups. Implicit groups are discussed later in this chapter.
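As an added example that is not part of the original chapter, this PowerShell lists the special identities present in the current logon token, labelling them by their well-known SIDs. Run it under an interactive logon, then over a network session and a Terminal Services session, and the Interactive, Network and Remote Interactive Logon entries change with the logon type, which is exactly what makes these groups implicit. The SID-to-name table is this example's own; the SID values are the documented well-known SIDs.

```powershell
# Added example (not from the book): show the special identities in the
# current logon token. None of these can be edited as group members; the
# Local Security Authority adds them based on how the session was established.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Well-known SIDs for the special identities in Table 8-2 (plus Local, S-1-2-0,
# which the table omits). The labels are this example's own.
$specialIdentities = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-2-0'  = 'Local'
    'S-1-3-0'  = 'Creator Owner'
    'S-1-3-1'  = 'Creator Group'
    'S-1-5-1'  = 'Dialup'
    'S-1-5-2'  = 'Network'
    'S-1-5-3'  = 'Batch'
    'S-1-5-4'  = 'Interactive'
    'S-1-5-6'  = 'Service'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-8'  = 'Proxy'
    'S-1-5-9'  = 'Enterprise Domain Controllers'
    'S-1-5-10' = 'Self'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-12' = 'Restricted'
    'S-1-5-13' = 'Terminal Server User'
    'S-1-5-14' = 'Remote Interactive Logon'
    'S-1-5-18' = 'System'
    'S-1-5-19' = 'Local Service'
    'S-1-5-20' = 'Network Service'
}

"Token for {0}" -f $identity.Name
"{0,-32} {1,-16} {2}" -f 'Name', 'Kind', 'SID'

foreach ($groupSid in $identity.Groups) {
    $value = $groupSid.Value
    if ($specialIdentities.ContainsKey($value)) {
        # Implicit: present because of the logon type, not because anyone added us.
        $label = $specialIdentities[$value]
        $kind  = 'special identity'
    } else {
        # Ordinary group (local, domain, or built-in); resolve the name if possible.
        try   { $label = $groupSid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $label = '(untranslatable)' }
        $kind  = 'group'
    }
    "{0,-32} {1,-16} {2}" -f $label, $kind, $value
}
```

This is also why the deny rights for different logon types are separate settings: "Deny access to this computer from the network" acts on tokens that carry Network, while "Deny log on through Terminal Services" acts on tokens that carry Remote Interactive Logon, and a single account can be allowed one and refused the other.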

Table 8-2. Availability of Implicit Groups Based on the Type of Network Resource

Group Name                      Group Type   Active Directory Domain   Windows Server 2003 Member Server
------------------------------  -----------  ------------------------  ---------------------------------
Anonymous Logon                 Implicit     Yes                       Yes
Authenticated Users             Implicit     Yes                       Yes
Batch                           Implicit     Yes                       Yes
Creator Group                   Implicit     Yes                       Yes
Creator Owner                   Implicit     Yes                       Yes
Dialup                          Implicit     Yes                       Yes
Enterprise Domain Controllers   Implicit     Yes                       No
Everyone                        Implicit     Yes                       Yes
Interactive                     Implicit     Yes                       Yes
Local Service                   Implicit     No                        Yes
Network                         Implicit     Yes                       Yes
Network Service                 Implicit     No                        Yes
Proxy                           Implicit     Yes                       No
Remote Interactive Logon        Implicit     No                        Yes
Restricted                      Implicit     Yes                       No
Self                            Implicit     Yes                       No
Service                         Implicit     Yes                       Yes
System                          Implicit     Yes                       Yes
Terminal Server User            Implicit     Yes                       Yes



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141
