
Lessen 10 A 1002

The document discusses built-in local groups and accounts in Windows including Administrators, Users, Guests, Power Users, and system groups. It describes the typical permissions and rights assigned to each group. The document also discusses managing user accounts from the command line and using policies to configure Windows settings.

Lessen 10 1002

A security group is a collection of user accounts that can be assigned permissions in the same way as
a single user object. Security groups are used when assigning permissions and rights, as it is more
efficient to assign permissions to a group than to assign them individually to each user. You can
assign permissions to a user simply by adding the user to the appropriate group(s).

Built-in Local Groups
Built-in groups are given a standard set of rights that allow them to perform appropriate system
tasks. Starter and Home editions of Windows allow the use of two groups only:
• Limited/standard user.
• Computer administrator.
For Windows Professional/Business, the principal built-in local groups include Administrators, Users,
Guests, and Power Users.

Note: If the computer is not part of a domain, the "Administrator" account is re-enabled in
Safe Mode if all other administrative accounts have been deleted or disabled (as a disaster recovery
mechanism). Note that the "Administrator" account is not subject to UAC and so should be left
disabled if the computer is to be used securely.

Users
When a new user is created, they are typically added to the standard Users group. The group is able
to perform most common tasks, such as shutting down the computer, running applications, and using
printers. Ordinary users can also change the time zone and install a local printer, provided there is
a suitable driver already installed.

Guests
The Guests group has only limited rights; for example, members can browse the network and Internet
and shut down the computer but cannot save changes made to the desktop environment. Generally you
should disable the Guest account (its default condition) and establish a proper user account for each
user accessing your system. If the account is enabled, then any user attempting to access your
computer who does not hold their own user account will be connected using the Guest account
credentials.

Note: The default Guest account is the only member of the Guests group. While the Guest user
account is usually disabled, the Guests group is not.

Power Users
The Power Users group is still present to support legacy applications, but its use is strongly
deprecated. The rights allocated to this account type can be abused to allow the user to obtain more
powerful Administrator or System privileges. You can read more about issues with using Power Users at
support.microsoft.com/en-us/help/825069/a-member-of-the-power-users-group-may-be-able-to-gain-administrator-ri

System Groups
There are a number of other default groups, providing a means to easily configure things like
privileges to access remote desktop, backup, event logs, and so on. Windows also includes built-in
system groups. Their membership cannot be changed manually, as it is dependent on what users are
doing at the time.
• Everyone—All users who access the computer are members of the group Everyone. This includes
users who have not been authenticated and who are accessing the computer as a guest.
• Authenticated Users—All users who access the computer and have a valid user account.
• Creator Owner—The Creator Owner group includes the account of the resource owner. Normally the
creator of a resource is the owner, but administrators (and other users who have been allowed to do
so) are able to take ownership.
• Interactive—This group contains the user account of the person currently working locally at the
computer.
• Network—This group contains the user account(s) of any users currently connected to the computer
over a network.

There are also some non-interactive accounts that you should be aware of. Users cannot
sign in to these accounts. They are "owned" by the OS (NT_AUTHORITY). They are used to
run Windows processes and services:
• LocalSystem—An account with the same, or in some ways better, privileges as the
default Administrator account. A process executed using the system account is
unrestricted in terms of making changes to the system configuration and file system.
• LocalService—A limited account used to run services that cannot make system-wide
changes. LocalService can access the network anonymously.
• NetworkService—An account that has the same privileges as LocalService but can
access the network using the computer's machine account's credentials.

You can also manage accounts at the command line using the net user command. You
need to execute these commands in an administrative command prompt:
• net user dmartin Pa$$w0rd /add /fullname:"David Martin" /logonpasswordchg:yes
This example adds a new user account and forces the user to choose a new password at
first login.
• net user dmartin /active:no
Disables the dmartin account.
• net user dmartin
Shows the properties of the dmartin account.
• net localgroup Administrators dmartin /add
Adds the dmartin account to the Administrators local group.

Note: Don't confuse net user commands with net use, which is for configuring file
shares.
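
The guidance above on the built-in Administrator, Guest, and Power Users can be checked from the command line. The following PowerShell audit is an added example, not part of the original lesson; the function name Test-LocalAccountHygiene is hypothetical, and it assumes an elevated Windows PowerShell 5.1 or later session with the LocalAccounts cmdlets available.

```powershell
# Added example: audit local accounts and groups against the lesson's guidance.
# Test-LocalAccountHygiene is a hypothetical name chosen for this illustration.

function Test-LocalAccountHygiene {
    $findings = @()

    # Built-in accounts are matched by well-known RID rather than by name,
    # because they can be renamed: -500 = Administrator, -501 = Guest.
    foreach ($user in Get-LocalUser) {
        $sid = $user.SID.Value
        if ($sid -like 'S-1-5-21-*-500' -and $user.Enabled) {
            $findings += "Built-in Administrator '$($user.Name)' is enabled (not subject to UAC)"
        }
        if ($sid -like 'S-1-5-21-*-501' -and $user.Enabled) {
            $findings += "Guest account '$($user.Name)' is enabled"
        }
    }

    # Power Users (well-known SID S-1-5-32-547) is deprecated; any member is a finding.
    $powerUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-547'
    $powerUsers = Get-LocalGroupMember -SID $powerUsersSid -ErrorAction SilentlyContinue
    foreach ($member in $powerUsers) {
        $findings += "Power Users member: $($member.Name)"
    }

    # Administrators (well-known SID S-1-5-32-544): list every member for manual review,
    # since group membership is how administrative rights are granted.
    $adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $admins = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue
    foreach ($member in $admins) {
        $findings += "Review: Administrators member $($member.Name) [$($member.ObjectClass)]"
    }

    return $findings
}

# Print one finding per line; no output means nothing was flagged or listed.
Test-LocalAccountHygiene | ForEach-Object { Write-Output $_ }
```

Matching on SIDs keeps the check valid when the built-in accounts have been renamed or the system uses localized group names.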

Policies are the most fine-grained means of adjusting registry settings outside of editing the registry
directly. Policies can be used to configure almost any aspect of Windows, from the color of the
desktop to the number of characters required in a user password.

Note: The policy editors are not included in the Starter or Home editions of Windows.

Single Sign-On (SSO) means that a user only has to authenticate to a system once to gain access to
all its resources (that is, all the resources to which the user has been granted rights). An example is
the Kerberos authentication and authorization model for Active Directory domain networks. This
means, for instance, that a user who has authenticated with Windows is also authenticated with the
Windows domain's SQL Server and Exchange Server services. Another example is the use of a
Microsoft account to sign in to Windows and also be signed in to web applications such as OneDrive
and Office365.

Note: It is critical that users do not re-use work passwords or authentication information on
third-party sites. Of course, this is almost impossible to enforce, so security managers have to rely on
effective user training.
