The Geek's Way of Managing User Accounts and Groups in Windows

user accountsMost people will edit user accounts on a Windows computer using the User Accounts panel found in the Control Panel. However, there's another way which gives you access to a lot more detailed information about the users defined on your computer and the permissions they receive. It is done using the Computer Management tool. Here's how it works:

NOTE: This tutorial works only in the Professional, Ultimate and Enterprise editions of Windows 7 and the Pro and Enterprise editions of Windows 8 and 8.1.

How to View All Users Accounts and User Groups

In the Computer Management tool you will find a panel (snap-in) named "Local Users and Groups". Here's where you see all the user accounts and user groups that exist on your Windows device.

If you don't know how to open this tool, read this tutorial: Reasons Why Computer Management Is My Favorite Administrative Tool. Then, go to "System Tools -> Local Users and Groups".

Local Users and Groups, accounts, Windows

There you will find two folders: one named Users and one named Groups.

In the Users folder you see all the user accounts that exist on your computer, including accounts which are disabled and not active or accounts used only by Windows to provide services like Homegroup network sharing.

Local Users and Groups, accounts, Windows

In the Groups folder you see all the user groups that exist on your computer. The list is long and includes groups created both by Windows and third parties such as drivers or virtualization software, which need hidden users and groups in order to function correctly.

Local Users and Groups, accounts, Windows

Double clicking or double tapping on a user account or group, will open a properties window which displays more information about it and different customization options.

NOTE: You can view a list with all user accounts also by using the Command Prompt. You can learn more here: How to Generate a List with All the User Accounts Found in Windows.

The User Accounts Found on Any Windows Computer

What user accounts will you find on any Windows computer? There are not that many. You have the built-in Administrator account, created by Windows even if you use it or not, the user accounts you have created, the Guest account and user account named HomeGroupUser$, used by Windows to manage your Homegroup connections.

As you can see in the screenshot below, some accounts have a small arrow in their icon.

Local Users and Groups, accounts, Windows

This signals that a user account is disabled and cannot be used even though it exists on your computer.

The Groups Found on Any Windows Computer

When it comes to user groups existing on your computer, the list is much longer. On most Windows computers, you should have at least the following groups:

  • Administrators - it includes all the user accounts with administrative permissions on your computer.
  • Backup Operators - user accounts that have permissions to perform backup and restore operations, using tools like Backup and Restore.
  • Cryptographic Operators - user accounts with permissions to encrypt or decrypt data, using tools like BitLocker.
  • Distributed COM Objects - this user group is harder to explain. It is used mostly for user accounts that need to participate in more complex scenarios, such as distributed computing across computers on a network. Therefore it will be used only in business environments.
  • Event Log Readers - this groups gives permissions to its members to read Windows event logs that show what is happening with your system.
  • Guests - are normal user accounts which cannot perform any administrative tasks on your computer. They can be used only for light computing activities such as browsing the Internet or running the installed applications. They are not able to perform any modifications to the system's configuration, to access or modify another user's data, etc.
  • IIS_IUSRS - this group is used only by the Internet Information Services you may choose to install using the Programs and Features panel.
  • Network Configuration Operators - this groups gives its users permissions to configure networking features in Windows.
  • Performance Log Users & Performance Monitor Users - members are given permissions to perform advanced logging in Windows and collect performance data. However, I am not aware of how these permissions actually work and of any scenarios when this user group is useful.
  • Power Users - this user group was used in older versions of Windows, to provide limited administrative permissions to certain user accounts. It is present in modern versions of Windows only to provide backwards compatibility for old legacy applications. Otherwise it is not usable and should not be used.
  • Remote Desktop Users - this user group provides its members with permissions to logon remotely to the computer, via the Remote Desktop.
  • Replicator - this user group is used in domains created by a network administrator. It gives its members the permissions required to do file replication across the domain. In home networks it should not be used.
  • Users - it includes the standard user accounts defined on your computer. Its members do not have administrative permissions. They can only run installed applications and cannot make system changes that impact other users.
  • HomeUsers - the group's members are those user accounts using the HomeGroup feature to share files, folders and devices across the network.

On your computer you might find other groups, installed by Windows features, drivers (for example AMD/ATI hardware will create an AMD Fuel group) or third party applications.

How to Use the User Groups?

What is great about these user groups is that you can use them to give additional permissions to standard user accounts.

For example, if you create a user account that is a member of Users but not Administrators, that user cannot connect remotely to the computer. If you make that user account a member of Remote Desktop Users, it will be able to connect remotely. This principle applies for all user groups. Add a user account as a member and it will receive both the permissions and restrictions of that group.

If you look at all the user groups listed above, you will notice that the user accounts defined as administrators are not listed as members in most of them. This is because they have permissions to do everything on a computer and they don't need to be part of a special group to inherit its permissions.

Warning: Do Not Mess with the Standard Windows User Accounts and Groups

You may feel the urge to delete some of the standard user accounts and groups existing in Windows. If you try to do this, you will be warned by Windows that this causes problems. For example, this is what you see when you try to delete the Administrator account.

Local Users and Groups, accounts, Windows

To get a taste of what happens when you remove the user accounts created by Windows, I deleted the HomeGroupUser$ user. As I suspected, the Homegroup feature stopped working.

Local Users and Groups, accounts, Windows

Also, other Windows tools started malfunctioning, including System Restore. Understanding all the connections between standard user accounts, user groups and Windows features is very difficult. One apparently minor change can impact many features and may deteriorate your computing experience.

Conclusion

I hope you have enjoyed this tutorial. If you have any questions about managing user accounts and groups, with the help of the Computer Management tool, don't hesitate to ask using the comments form below.