Network Administration: Windows Server Default Groups

Windows Server 2008 comes with a number of predefined groups that you can use. Although you shouldn’t be afraid to create your own groups when you need them, there’s no reason to create your own group if you find a default group that meets your needs.

Some of these groups are listed in the Builtin container in the Active Directory Users and Computers management console. Others are found in the Users container.

Default Groups Located in the Builtin Container

Group | Description
Account Operators | This group is for users who should be allowed to create, edit, or delete user accounts but shouldn’t be granted full administrator status.
Administrators | These are the system administrators who have full control over the domain. The Administrator account is a default member of this group. You should create only a limited number of accounts that belong to this group.
Backup Operators | This group is for users who need to perform backup operations. Because this group must have access to the files that are backed up, it presents a security risk. So you should limit the number of users that you add to this group.
Guests | This group allows members to log on, but little else. The default Guest account is a member of this group.
Network Configuration | This group is allowed to twiddle with network configuration settings, including releasing and renewing DHCP leases.
Print Operators | This group grants users access to printers, including the ability to create and share new printers and manage print queues.
Remote Desktop Users | This group can remotely log on to domain controllers in the domain.
Replicator | This group is required to support directory replication. Don’t add users to this group.
Server Operators | These users can log on locally to a domain controller.
Users | These users can perform common tasks, such as running applications and using local and network printers.

Default Groups Located in the Users Container

Group | Description
Cert Publishers | These users can publish security certificates for users and computers.
DnsAdmins | This group is installed if you install DNS. It grants administrative access to the DNS Server service.
DnsUpdateProxy | This group is installed if you install DNS. It allows DNS clients to perform dynamic updates on behalf of other clients, such as DHCP servers.
Domain Admins | These users have complete control of the domain. By default, this group is a member of the Administrators group on all domain controllers, and the Administrator account is a member of this group.
Domain Computers | This group contains all computers that belong to the domain. Any computer account created becomes a member of this group automatically.
Domain Controllers | This group contains all domain controllers in the domain.
Domain Guests | This group contains all domain guests.
Domain Users | This group contains all domain users. Any user account created in the domain is added to this group automatically.
Group Policy | These users can modify Group Policy for the domain.
IIS_WPG | This group is created if you install IIS. It’s required for IIS to operate properly.
RAS and IAS Servers | This group is required for RAS and IAS servers to work properly.
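
The following is an added example, not part of the original article: a PowerShell review of the groups the tables say to keep small (Administrators, Backup Operators) or free of users (Replicator), together with Account Operators and Domain Admins. It assumes the ActiveDirectory module, PowerShell 3.0 or later, and read access to the domain; the limits are hypothetical review thresholds, not values from the article.

```powershell
# Added example: review membership of the default groups the tables single out.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Hypothetical review limits; the article only says to keep these groups small.
$limits = [ordered]@{
    'Administrators'    = 5
    'Domain Admins'     = 5
    'Backup Operators'  = 3
    'Account Operators' = 3
    'Replicator'        = 0   # the article says not to add users to this group
}

$report = foreach ($name in $limits.Keys) {
    try {
        # -Recursive expands nested groups, so indirect members are counted too.
        $members = @(Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
                     Where-Object { $_.objectClass -eq 'user' })
    } catch {
        Write-Warning "Could not read group '$name': $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        Group     = $name
        UserCount = $members.Count
        Limit     = $limits[$name]
        OverLimit = $members.Count -gt $limits[$name]
        Members   = ($members | Sort-Object SamAccountName |
                     ForEach-Object { $_.SamAccountName }) -join ', '
    }
}

# One row per group; OverLimit = True marks a group that needs a closer look.
$report | Format-Table -AutoSize -Wrap
```

Because Domain Admins is a member of Administrators by default, its users also appear in the recursive count for Administrators.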