Most people will edit user accounts on a Windows computer using the User Accounts panel found in the Control Panel. However, there’s another way which gives you access to a lot more detailed information about the users defined on your computer and the permissions they have. It is done via a rather hidden panel called Local Users and Groups. This tutorial will show how to find it, what information you can access and how to use it to have better control over user accounts and their permissions.
NOTE: This tutorial doesn't work on Windows 7 Home Premium, as the tool being presented is not available.
How to Access the Local Users and Groups
This panel (or snap-in called in some Windows documentation) is found in the Computer Management tool. You can open it by searching for "computer" in the Start Menu search box and clicking on the Computer Management shortcut. Alternatively, you can go to Control Panel -> System and Security -> Administrative Tools - > Computer Management.
When you open it, click on System Tools -> Local Users and Groups.
There you will find two folders: one named Users and one named Groups.
In the Users folder you will see all the user accounts defined on your computer, including accounts which are disabled and not active or accounts used only by Windows to provide services such as Homegroup network sharing.
In the Groups folder you see all the user groups defined on your computer. The list is long and includes groups created by Windows, by third party software such as drivers for different hardware components (your video card for example) or applications that install special services which need their own users and groups created in order for them to function correctly.
Double clicking on a user account or group, will open a properties window which displays more information about it and different customization options.
The User Accounts Found on Any Windows Computer
What user accounts will you find on any Windows computer? There are not that many. You have the built-in Administrator account, created by Windows even if you use it or not, the user accounts you created, plus the Guest account and user named HomeGroupUser$, used by Windows to manage your Homegroup connections.
As you can see in the screenshot below, some accounts have a small arrow in their icon.
This signals that a user account is disabled and cannot be used even though it is defined on your computer.
The Groups Found on Any Windows Computer
When it comes to user groups defined on your computer, the list is much longer and diverse. On most Windows computers, you should have at least the following groups:
- Administrators - this contains all the user accounts having administrative permissions on your computer.
- Backup Operators - user accounts that have permissions to perform backup and restore operations, using tools like Backup and Restore.
- Cryptographic Operators - user accounts with permissions to encrypt or decrypt data, using tools such as BitLocker.
- Distributed COM Objects - this user group is harder to explain. It is used mostly for user accounts that need to participate in more complex scenarios, such as distributed computing across computers on a network. Therefore it will be used only in business environments.
- Event Log Readers - this groups gives permissions to its members to read Windows event logs that show what is happening with your system.
- Guests - are normal user accounts which cannot perform any administrative tasks on your computer. They can be used only for light computing activities such as browsing the Internet or running the installed applications. They are not able to perform any modifications to the system’s configuration, to access or modify other user’s data, etc.
- IIS_IUSRS - this group is used only by the Internet Information Services you may choose to install using the Programs and Features panel.
- Network Configuration Operators - this groups gives its users permissions to configure networking features in Windows.
- Performance Log Users & Performance Monitor Users - these are other hard to explain user groups. Their members are given permissions to perform advanced logging in Windows and collect performance data. However, I am not aware of how these permissions actually work and of scenarios when these user groups are useful.
- Power Users - this user group was used in older versions of Windows, to provide some limited administrative permissions to certain user accounts. It is present in more modern versions of Windows only to provide backwards compatibility for old legacy applications. Otherwise it is not and should not be used.
- Remote Desktop Users - this user group provides its members with permissions to logon remotely to the computer, via the Remote Desktop.
- Replicator - this user group is used in domains created by a network administrator. It gives its members the permissions required to do file replication across the domain. In home networks it should not be used.
- Users - it contains all the normal user accounts defined on your computer. Its members do not have administrative permissions. They can only run installed applications.
- HomeUsers Security Group - the group’s members are those user accounts using the HomeGroup feature to share files, folders and devices across the network.
This list limits itself to the standard user groups found in Windows. On your computer you might find other groups, installed by some Windows features, drivers (for example AMD/ATI hardware will create an AMD Fuel group) or third party applications.
How to Use the User Groups?
What is cool about these user groups is that you can use them to give additional permissions to standard user accounts.
For example, if you create a user account that is a member of Users but not Administrators, that user cannot connect remotely to the computer. If you make that user account a member of Remote Desktop Users, it will be able to connect remotely. This principle applies for all user groups. Add a user account as a member and it will receive the permissions (and restrictions) of that group.
If you look at all the user groups listed above, you will notice that the user accounts defined as administrators are not listed as members in most of them. This is because they have permissions to do everything on a computer and they don’t need to be part of a special group to inherit its permissions.
Warning: Do Not Mess with the Standard Windows User Accounts and Groups
Some people might feel the urge to delete some of the standard user accounts and groups. If you try to do this, you will be warned by Windows that this causes problems. For example, this is what you see when you try to delete the Administrator account.
I made an experiment and deleted the HomeGroupUser$ user. As I suspected, the Homegroup feature stopped working as a result.
Also, other Windows tools started malfunctioning, including System Restore, which I found strange.
As you can see from this tutorial, the Local Users and Groups panel gives you better insight in how user accounts and groups are defined on your computer. If you have any questions on the topic, don’t hesitate to ask via the comments form below.
The Geek's Way of Creating User Accounts and Groups
How to Create or Delete User Accounts
How to Edit User Accounts (Including Changing or Removing Passwords)
Log on Automatically to Windows 7 Without Typing Your Password