Windows - default groups and users (Built-in Users, Default Groups and Special Identities)

Hello, long time no see. Today I have reformatted a table from the ss64.com site into 3 separate tables covering the different Windows groups and users.


This article is mostly in English because I took all the descriptions from ss64.com, which did a great job collecting the information found in the Microsoft documentation.


You will find the sources below:



Default groups (default / built-in groups)

Default Group

Description

Access Control Assistance Operators

Remotely query authorization attributes and permissions for resources on the computer.

BuiltIn Local.

Default User Rights: None

Account Operators

Grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.

Default User Rights: Allow log on locally: SeInteractiveLogonRight

Administrators

A built-in group. Grants complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.

This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins.

The group is the default owner of any object that is created by a member of the group. Default User Rights for Administrators

Allowed RODC Password Replication Group

Manage a RODC password replication policy. The Denied RODC Password Replication Group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.

Default User Rights: None

Backup Operators

A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.

Default User Rights:

Allow log on locally: SeInteractiveLogonRight

Back up files and directories: SeBackupPrivilege

Log on as a batch job: SeBatchLogonRight

Restore files and directories: SeRestorePrivilege

Shut down the system: SeShutdownPrivilege

Certificate Service DCOM Access

Members of this group are allowed to connect to certification authorities in the enterprise.

Default User Rights: None

Cert Publishers

A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.

Default User Rights: None

Cert Server Admins

Certificate Authority Administrators - authorized to administer certificates for User objects in Active Directory. (Domain Local)

Cert Requesters

Members can request certificates (Domain Local)

Cloneable Domain Controllers

Members of the Cloneable Domain Controllers group that are domain controllers may be cloned.

Default User Rights: None

Cryptographic Operators

Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.

Default User Rights: None

Denied RODC Password Replication Group

Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller. The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups.

Default User Rights: None

Device Owners

This group is not currently used in Windows.

Default User Rights:

Allow log on locally: SeInteractiveLogonRight

Access this computer from the network: SeNetworkLogonRight

Bypass traverse checking: SeChangeNotifyPrivilege

Change the time zone: SeTimeZonePrivilege

Distributed COM Users

Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer.

Default User Rights: None

DnsAdmins (installed with DNS)

Members of this group have administrative access to the DNS Server service. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group has no default members.

Default User Rights: None

DnsUpdateProxy (installed with DNS)

Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members.

Default User Rights: None

Domain Admins

A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

Default User Rights: as Administrators

Domain Computers

A global group that includes all computers that have joined the domain, excluding domain controllers.

Default User Rights: None

Domain Controllers

A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.

Default User Rights: None

Domain Guests

A global group that, by default, has only one member, the domain's built-in Guest account.

Default User Rights: See 'Guests'

Domain Users

A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.

Default User Rights: See 'Users'

Enterprise Admins

A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.

Default User Rights:

See Administrators

See Denied RODC Password Replication Group

Enterprise Key Admins

Members of this group can perform administrative actions on key objects within the forest. The Enterprise Key Admins group was introduced in Windows Server 2016.

Default User Rights: None

Enterprise Read-Only Domain Controllers

Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds.

Default User Rights: None

Event Log Readers

Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.

Default User Rights: None

Group Policy Creator Owners

A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own.

Default User Rights: See 'Denied RODC Password Replication Group'.

Guests

A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the %userprofile% directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system.

Default User Rights: None

Hyper-V Administrators

Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.

Introduced in Windows Server 2012.

Default User Rights: None

IIS_IUSRS

IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized.

Default User Rights: None

Incoming Forest Trust Builders

Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. This group cannot be renamed, deleted, or moved.

Default User Rights: None

Key Admins

Members of this group can perform administrative actions on key objects within the domain.

Default User Rights: None

Network Configuration Operators

Members of this group can make changes to TCP/IP settings, rename/enable/disable LAN connections, delete/rename remote access connections, enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card, and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members.

Default User Rights: None

Performance Monitor Users

Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

Default User Rights: None

Performance Log Users

Members of this group can manage performance counters, logs and alerts on domain controllers in the domain, locally and from remote clients without being a member of the Administrators group.

Default User Rights: Log on as a batch job: SeBatchLogonRight

Power Users

By default, members of this group have no more user rights or permissions than a standard user account.

The Power Users group did once grant users specific admin rights and permissions in previous versions of Windows.

Pre-Windows 2000 Compatible Access

A backward compatibility group which allows read access on all users and groups in the domain. By default, the special identity Everyone is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.

Default User Rights:

Access this computer from the network: SeNetworkLogonRight

Bypass traverse checking: SeChangeNotifyPrivilege

Print Operators

A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.

Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.

Default User Rights:

Allow log on locally: SeInteractiveLogonRight

Load and unload device drivers: SeLoadDriverPrivilege

Shut down the system: SeShutdownPrivilege

Protected Users

Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. This group was introduced in Windows Server 2012 R2.

Default User Rights: None


You should really use it.


RAS and IAS Servers

Servers in this group are permitted access to the remote access properties of users. A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.

Default User Rights: None

RDS Endpoint Servers

Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.

Default User Rights: None

RDS Management Servers

Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.

Default User Rights: None

RDS Remote Access Servers

Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.

Default User Rights: None

Read-Only Domain Controllers

This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

Default User Rights: See 'Denied RODC Password Replication Group'.

Remote Desktop Users

The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).

Default User Rights: None

Remote Management Users

Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group allows remotely running Windows PowerShell commands.

Default User Rights: None

Replicator

Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL).

The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication.

Default User Rights: None

Schema Admins

A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. Because this group has significant power in the forest, add users with caution.

Default User Rights: See 'Denied RODC Password Replication Group'.

Server Operators

A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.

Default User Rights:

Allow log on locally: SeInteractiveLogonRight

Back up files and directories: SeBackupPrivilege

Change the system time: SeSystemTimePrivilege

Change the time zone: SeTimeZonePrivilege

Force shutdown from a remote system: SeRemoteShutdownPrivilege

Restore files and directories: SeRestorePrivilege

Shut down the system: SeShutdownPrivilege

Storage Replica Administrators

Members of this group have complete and unrestricted access to all features of Storage Replica.

Default User Rights: None


System Managed Accounts Group

Members of this group are managed by the system.

Default User Rights: None

Terminal Server License Servers

Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).

Default User Rights: None

Users

A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

This group cannot be renamed, deleted, or moved.

Default User Rights: None

Windows Authorization Access Group

Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services.

Default User Rights: None

WinRMRemoteWMIUsers_

In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.

The WinRMRemoteWMIUsers_ group allows running PowerShell commands remotely, whereas the 'Remote Management Users' group is generally used to allow users to manage servers by using the Server Manager console. This security group was introduced in Windows Server 2012.

Default User Rights: None
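What a defender wants from this table is to know who actually sits in the operator and admin groups it describes, whether Everyone is still in Pre-Windows 2000 Compatible Access, and whether the Protected Users group above is really used. The PowerShell below is an added example (not from the page or from ss64.com) that audits exactly that; it assumes the RSAT ActiveDirectory module is installed, that it runs as a domain account with read access to the directory, and that the group names match the table (DnsAdmins only exists where DNS is installed).

```powershell
# Added example (not from the page or from ss64.com): audit the membership of the
# groups the table above describes as sensitive, using the ActiveDirectory module.
# Assumptions: the RSAT ActiveDirectory module is installed and the script runs as a
# domain account with read access to the directory.
Import-Module ActiveDirectory

# Groups whose entries above grant admin rights, backup/restore, driver loading,
# or carry the note "add users with caution".
$SensitiveGroups = @(
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'DnsAdmins'
)

function Get-DirectGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    # Read the Members attribute directly rather than calling Get-ADGroupMember:
    # Get-ADGroupMember errors on groups that contain well-known SIDs such as
    # Everyone (S-1-1-0), the default member of Pre-Windows 2000 Compatible Access.
    # Only direct members are returned; nested groups show up with Class = 'group'.
    $group = Get-ADGroup -Identity $GroupName -Properties Members -ErrorAction SilentlyContinue
    if (-not $group) { return @() }
    foreach ($dn in $group.Members) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid, sAMAccountName
        # Foreign security principals (well-known SIDs) have no sAMAccountName;
        # their CN is the SID string, so fall back to Name.
        $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
        [pscustomobject]@{
            Group = $GroupName
            Name  = $name
            Class = $obj.ObjectClass
            Sid   = [string]$obj.objectSid
        }
    }
}

function Test-EveryoneInPreWin2000 {
    # The entry above says Everyone is a default member of this group, which gives
    # every principal read access to all users and groups in the domain.
    $members = Get-DirectGroupMembers -GroupName 'Pre-Windows 2000 Compatible Access'
    return [bool]($members | Where-Object { $_.Sid -eq 'S-1-1-0' })
}

function Get-AdminsNotInProtectedUsers {
    # Protected Users hardens credential handling for its members; report the user
    # accounts in the forest-level admin groups that are not covered by it.
    # Computer and group members are skipped: this check is about user accounts.
    $protectedSids = @(Get-DirectGroupMembers -GroupName 'Protected Users' | ForEach-Object Sid)
    'Domain Admins', 'Enterprise Admins', 'Schema Admins' |
        ForEach-Object { Get-DirectGroupMembers -GroupName $_ } |
        Where-Object { $_.Class -eq 'user' -and $protectedSids -notcontains $_.Sid } |
        Sort-Object Sid -Unique
}

# Report: who sits in the sensitive groups, then the two specific findings.
$SensitiveGroups | ForEach-Object { Get-DirectGroupMembers -GroupName $_ } |
    Format-Table Group, Name, Class, Sid -AutoSize

if (Test-EveryoneInPreWin2000) {
    Write-Warning 'Everyone (S-1-1-0) is still a member of Pre-Windows 2000 Compatible Access'
}

$uncovered = @(Get-AdminsNotInProtectedUsers)
if ($uncovered.Count -gt 0) {
    Write-Warning "$($uncovered.Count) admin account(s) are not in Protected Users:"
    $uncovered | Format-Table Group, Name -AutoSize
}
```

Nested groups are reported but not expanded, so a group listed with Class = 'group' inside Domain Admins deserves a second look by hand.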

Default users or session owner (Default User or Session owner)

Default User or Session owner

Description

Administrator

A user account for the system administrator. This account is the first account created during operating system installation.

The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.

Guest

A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.

KRBTGT

A service account that is used by the Key Distribution Center (KDC) service.


Special identities (Special Identity)

Special Identity

Description

Anonymous Logon

A user who has logged on anonymously. This identity allows anonymous access to resources, such as a web page that is published on corporate servers.

Default User Rights: None

Authenticated Users

A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.

Default User Rights:

Access this computer from the network: SeNetworkLogonRight

Add workstations to domain: SeMachineAccountPrivilege (Often removed in environments that have an IT administrator.)

Bypass traverse checking: SeChangeNotifyPrivilege

Batch

Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job. Membership is controlled by the operating system.

Default User Rights: None

Creator Group

The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner.

The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.

Default User Rights: None

Creator Owner

The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.

Dialup

Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.

Digest Authentication

Default User Rights: None

Enterprise Domain Controllers

A group that includes all domain controllers in an Active Directory directory service forest of domains. Membership is controlled by the operating system.

Default User Rights:

Access this computer from the network: SeNetworkLogonRight

Allow log on locally: SeInteractiveLogonRight

Everyone

All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed). Membership is controlled by the operating system.

Default User Rights:

Access this computer from the network: SeNetworkLogonRight

Act as part of the operating system: SeTcbPrivilege

Bypass traverse checking: SeChangeNotifyPrivilege

Interactive

Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.

Default User Rights: None

Local Service

The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password.

Default User Rights:

Adjust memory quotas for a process: SeIncreaseQuotaPrivilege

Bypass traverse checking: SeChangeNotifyPrivilege

Change the system time: SeSystemtimePrivilege

Change the time zone: SeTimeZonePrivilege

Create global objects: SeCreateGlobalPrivilege

Generate security audits: SeAuditPrivilege

Impersonate a client after authentication: SeImpersonatePrivilege

Replace a process level token: SeAssignPrimaryTokenPrivilege

Local System

This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.

Default User Rights: None

Network

This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.

Default User Rights: None

Network Service

The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.

Default User Rights:

Adjust memory quotas for a process: SeIncreaseQuotaPrivilege

Bypass traverse checking: SeChangeNotifyPrivilege

Create global objects: SeCreateGlobalPrivilege

Generate security audits: SeAuditPrivilege

Impersonate a client after authentication: SeImpersonatePrivilege

Restore files and directories: SeRestorePrivilege

Replace a process level token: SeAssignPrimaryTokenPrivilege

NTLM Authentication

Default User Rights: None

Other Organization

This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.

Default User Rights: None

Principal Self (or Self)

This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.

Default User Rights: None

Remote Interactive Logon

This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

Default User Rights: None

Restricted

Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.

Default User Rights: None

SChannel Authentication

Default User Rights: None

Service

Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.

Default User Rights:

Create global objects: SeCreateGlobalPrivilege

Impersonate a client after authentication: SeImpersonatePrivilege

Terminal Server Users

Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.

Default User Rights: None

This Organization

Default User Rights: None

Window Manager\Window Manager Group

Default User Rights:

Bypass traverse checking: SeChangeNotifyPrivilege

Increase a process working set: SeIncreaseWorkingSetPrivilege



You have reached the end of the 3 tables. Congratulations! 😎