3.1.4.2 Default Accounts

The following accounts MUST be present in a server's database.<41>

Non-DC configuration, user accounts.

| Name | Domain | Rid | userAccountControl |
|---|---|---|---|
| Administrator | Account | 500 | UF_NORMAL_ACCOUNT \| UF_DONT_EXPIRE_PASSWORD |
| Guest | Account | 501 | UF_NORMAL_ACCOUNT \| UF_ACCOUNTDISABLE \| UF_DONT_EXPIRE_PASSWORD |

Non-DC configuration, alias accounts.

| Name | Domain | Rid | Member |
|---|---|---|---|
| Administrators | Built-in | 544 | Administrator |
| Users | Built-in | 545 | |
| Guests | Built-in | 546 | Guest |
| Power Users | Built-in | 547 | |
| Print Operators | Built-in | 550 | |
| Backup Operators | Built-in | 551 | |
| Replicator | Built-in | 552 | |
| Remote Desktop Users | Built-in | 555 | |
| Network Configuration Operators | Built-in | 556 | |
| Performance Monitor Users | Built-in | 558 | |
| Performance Log Users | Built-in | 559 | |
| Distributed COM Users | Built-in | 562 | |
| IIS_IUSRS | Built-in | 568 | IUSR |
| Cryptographic Operators | Built-in | 569 | |
| Event Log Readers | Built-in | 573 | |

DC configuration, user accounts.

| Name | Domain | Rid | userAccountControl |
|---|---|---|---|
| Administrator | Account | 500 | UF_NORMAL_ACCOUNT \| UF_DONT_EXPIRE_PASSWORD |
| Guest | Account | 501 | UF_NORMAL_ACCOUNT \| UF_ACCOUNTDISABLE \| UF_DONT_EXPIRE_PASSWORD |
| krbtgt | Account | 502 | UF_NORMAL_ACCOUNT \| UF_ACCOUNTDISABLE |

DC configuration, universal group accounts (only on root domain).

| Name | Domain | Rid | Member |
|---|---|---|---|
| Schema Admins | Account | 518 | Administrator |
| Enterprise Admins | Account | 519 | Administrator |
| Enterprise Read-only Domain Controllers | Account | 498 | |

DC configuration, group accounts.

| Name | Domain | Rid | Member |
|---|---|---|---|
| Domain Admins | Account | 512 | Administrator |
| Domain Users | Account | 513 | |
| Domain Guests | Account | 514 | Guest |
| Domain Computers | Account | 515 | |
| Domain Controllers | Account | 516 | |
| Group Policy Creator Owners | Account | 520 | Administrator |
| Read-only Domain Controllers | Account | 521 | |

DC configuration, alias accounts.

| Name | Domain | Rid | Member |
|---|---|---|---|
| Administrators | Built-in | 544 | Domain Admins, Administrator, Enterprise Admins |
| Users | Built-in | 545 | Domain Users |
| Guests | Built-in | 546 | Domain Guests, Guest |
| Account Operators | Built-in | 548 | |
| System Operators | Built-in | 549 | |
| Print Operators | Built-in | 550 | |
| Backup Operators | Built-in | 551 | |
| Replicator | Built-in | 552 | |
| Cert Publishers | Account | 517 | |
| RAS and IAS Servers | Account | 553 | |
| * Pre-Windows 2000 operating system Compatible Access | Built-in | 554 | Everyone, Anonymous Logon, Authenticated Users |
| Remote Desktop Users | Built-in | 555 | |
| Network Configuration Operators | Built-in | 556 | |
| Incoming Forest Trust Builders | Built-in | 557 | |
| Performance Monitor Users | Built-in | 558 | |
| Performance Log Users | Built-in | 559 | |
| Windows Authorization Access Group | Built-in | 560 | Enterprise Domain Controllers |
| Terminal Server License Servers | Built-in | 561 | |
| Distributed COM Users | Built-in | 562 | |
| IIS_IUSRS | Built-in | 568 | IUSR |
| Cryptographic Operators | Built-in | 569 | |
| Allowed RODC Password Replication Group | Account | 571 | |
| Denied RODC Password Replication Group | Account | 572 | Group Policy Creator Owners, Domain Admins, Cert Publishers, Domain Controllers, Krbtgt, Enterprise Admins, Schema Admins, Read-only Domain Controllers |
| Event Log Readers | Built-in | 573 | |
| Certificate Service DCOM Access | Built-in | 574 | |

* The information about Pre-Windows 2000 Compatible Access is qualified by the following product behavior note.<42>
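
As an added example (not part of the specification), the following Python check compares observed userAccountControl values for RIDs 500, 501 and 502 against the user-account tables above and reports any drift, such as an enabled Guest account. The numeric flag values are the Windows SDK definitions, the `decode` and `audit` names are hypothetical, and the sample input is constructed.

```python
# Added example. Flag values are the Windows SDK (lmaccess.h) definitions;
# the page names the flags but does not give their values (assumption).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWORD = 0x10000  # spelled as in the tables on this page

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWORD: "UF_DONT_EXPIRE_PASSWORD",
}
KNOWN = UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWORD

# RID -> (name, userAccountControl), taken from the user-account tables.
BASELINE = {
    500: ("Administrator", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWORD),
    501: ("Guest", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWORD),
}
DC_ONLY = {502: ("krbtgt", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)}

def decode(bits):
    """Name the known flags in bits; report any other bits as one hex value."""
    names = [name for flag, name in FLAG_NAMES.items() if bits & flag]
    if bits & ~KNOWN:
        names.append(hex(bits & ~KNOWN))
    return "|".join(names)

def audit(observed, is_dc):
    """observed maps RID -> userAccountControl. Returns (rid, name, finding) tuples."""
    baseline = {**BASELINE, **(DC_ONLY if is_dc else {})}
    findings = []
    for rid, (name, expected) in sorted(baseline.items()):
        if rid not in observed:
            findings.append((rid, name, "missing"))
            continue
        uac = observed[rid]
        if expected & ~uac:  # a flag listed in the table is not set
            findings.append((rid, name, "cleared: " + decode(expected & ~uac)))
        if uac & ~expected:  # a flag not listed in the table is set
            findings.append((rid, name, "set beyond table: " + decode(uac & ~expected)))
    return findings

if __name__ == "__main__":
    # Constructed sample: a DC whose Guest account has been enabled.
    sample = {500: 0x10200, 501: 0x10200, 502: 0x0202}
    for finding in audit(sample, is_dc=True):
        print(finding)
```

A finding is a difference from the values in the tables and a prompt for review; administrators can change these flags after the accounts are created.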