Default security settings

Before modifying any security settings, it is important to consider the default settings.

There are three fundamental levels of security granted to users. These are granted to users through membership in the Users, Power Users, or Administrators groups. For example, you may want to have all the clerks in your store in the Users group, add your department heads to the Power Users group, and have only the store manager and assistant manager in the Administrators group.


Adding users to the Users group is the most secure option, because the default permissions allotted to this group do not allow members to modify operating system settings or another user's data. Users cannot modify systemwide registry settings, operating system files, or program files. Users can shut down workstations, but not servers.


Ideally, administrative access should only be used to:

  • Install the operating system and components (such as hardware drivers, system services, and so on).
  • Install Service Packs and Windows Packs.
  • Upgrade the operating system.
  • Repair the operating system.
  • Configure critical operating system parameters (such as password policy, access control, audit policy, kernel mode driver configuration, and so on).
  • Take ownership of files that have become inaccessible.
  • Manage the security and auditing logs.
  • Back up and restore the system.

Power Users

The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions that are allotted to this group allow this group's members to modify computer settings. If non-certified applications must be supported, then end users will need to be part of the Power Users group.

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default Windows 2000 and Windows XP Professional security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000 or Windows XP Professional.

Power Users can:

  • Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
  • Install programs that do not modify operating system files or install system services.
  • Customize systemwide resources, including printers, date, time, power options, and other Control Panel resources.
  • Create and manage local user accounts and groups.
  • Stop and start system services that are not started by default.

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users, unless those users grant them permission.

Note: Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.
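
The following added example (not part of the original documentation) audits the local Administrators and Power Users groups against an expected membership list, because Power Users can create and manage local accounts and groups and membership can drift over time. The account names in $expected are constructed samples, the function names are hypothetical, and the group names assume an English-language installation.

```powershell
# Expected membership per privileged group.
# Constructed sample names: replace with the accounts approved for this computer.
$expected = @{
    'Administrators' = @('Administrator', 'StoreManager', 'AsstManager')
    'Power Users'    = @('DeptHead1', 'DeptHead2')
}

# Hypothetical helper: return the member names of a local group through the
# ADSI WinNT provider, which is available in every Windows PowerShell version.
function Get-LocalGroupMemberName {
    param([string]$GroupName, [string]$Computer = $env:COMPUTERNAME)
    try {
        $group = [ADSI]"WinNT://$Computer/$GroupName,group"
        # Members() returns COM objects, so the Name property is read by reflection.
        @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    }
    catch {
        Write-Warning "Could not read group '$GroupName' on ${Computer}: $_"
    }
}

# Hypothetical helper: emit one finding per member that is not on the allowed list.
function Compare-GroupMembership {
    param([string]$GroupName, [string[]]$Actual, [string[]]$Allowed)
    foreach ($member in @($Actual | Where-Object { $_ })) {
        if ($Allowed -notcontains $member) {   # comparison is case-insensitive
            New-Object PSObject -Property @{
                Group   = $GroupName
                Member  = $member
                Finding = 'Not on the approved list'
            }
        }
    }
}

# Check each privileged group and list anything unexpected.
foreach ($name in $expected.Keys) {
    $actual = Get-LocalGroupMemberName -GroupName $name
    Compare-GroupMembership -GroupName $name -Actual $actual -Allowed $expected[$name]
}
```

An empty result means every member of both groups is on the approved list; each object returned names an account to review and, if it is not needed there, move to the Users group.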

© 2005 Microsoft Corporation. All rights reserved.