Each user who logs in to an NT-based version of Microsoft Windows does so with a set of system privileges. Privileges differ from permissions in that they give users the ability to perform an action, whereas permissions allow access to an object such as a file or registry key. There are many privileges used to control access to various system functions, ranging from the ability to change the system time to restoring files and directories. Rather than assigning privileges to each user account individually, Windows provides a set of built-in groups with pre-assigned privileges. Users are then added to groups, in a form of role-based access control, as the following table describing built-in groups in Windows 7 illustrates:

| Group | Description |
|---|---|
| Administrators | Administrators have almost complete and unrestricted access to the computer domain. |
| Guests | Guests have the same access as members of the Users group by default, except that the Guest account is further restricted. |
| Network Configuration Operators | Members in this group have some administrative privileges to manage configuration of networking features. |
| Power Users | Power Users is included for backwards compatibility, but has been deprecated and has no administrative privileges. |
| Remote Desktop Users | Members in this group are granted the right to log on remotely. |
| Users | Users are prevented from making accidental or intentional system-wide changes and can run most applications. |

The two most frequently used built-in groups are Users and Administrators. If your user account is assigned to the Administrators group, you have a high level of privilege on the system and can perform almost any task that isn't specially protected by the operating system.
Note: While members of the Administrators group in Windows aren't completely unrestricted, it is possible for them to override operating system protections and make any desired changes.
In contrast, if your user account is assigned to the Users group, you can run installed programs and change settings that won't affect system stability, but you can't install software to the restricted Program Files directory, or modify protected areas of the registry or Windows directory. The Power Users group was often used in Windows NT, 2000, and XP, but its members were essentially administrators with a few fewer privileges. Microsoft decided to deprecate this group in Windows Vista, preferring system administrators to assign users to either the Users or Administrators group, as it was easy for power users to escalate to administrative privilege. You should, however, note that the Power Users group still exists in Vista and Windows 7 for compatibility reasons, but isn't assigned any privileges.
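
The following audit script is an added example, not part of the original text. It lists the members of the built-in groups from the table and then the privileges held by the current logon token, which shows group membership and privileges side by side. It assumes Windows PowerShell 5.1 or later for the Microsoft.PowerShell.LocalAccounts cmdlets (not present in a default Windows 7 install) and refers to the groups by their well-known SIDs.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1+
# for Get-LocalGroup / Get-LocalGroupMember.

# Well-known SIDs of the built-in groups from the table. SIDs are used
# instead of display names because group names are localized.
$builtinGroups = [ordered]@{
    'Administrators'                  = 'S-1-5-32-544'
    'Users'                           = 'S-1-5-32-545'
    'Guests'                          = 'S-1-5-32-546'
    'Power Users'                     = 'S-1-5-32-547'
    'Remote Desktop Users'            = 'S-1-5-32-555'
    'Network Configuration Operators' = 'S-1-5-32-556'
}

# Role-based assignment: list which accounts hold each role on this machine.
$membership = foreach ($entry in $builtinGroups.GetEnumerator()) {
    # A group can be absent on some editions; skip it instead of failing.
    $group = Get-LocalGroup -SID $entry.Value -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    $members = @(Get-LocalGroupMember -SID $entry.Value -ErrorAction SilentlyContinue)
    foreach ($member in $members) {
        [pscustomobject]@{
            Group  = $entry.Key
            Member = $member.Name
            Type   = $member.ObjectClass
            Source = $member.PrincipalSource
        }
    }
}
$membership | Format-Table -AutoSize

# Power Users is deprecated, so any member found there is a leftover to
# review and move to either Users or Administrators.
$membership | Where-Object Group -eq 'Power Users' | ForEach-Object {
    Write-Warning "Power Users still has a member: $($_.Member)"
}

# Privileges (as opposed to group membership) held by the current logon token.
# /nh drops the localized header row so fixed column names can be supplied.
whoami /priv /fo csv /nh |
    ConvertFrom-Csv -Header Privilege, Description, State |
    Format-Table Privilege, State -AutoSize
```

Running it from a standard user session and again from an administrator session shows how the privilege list changes with group membership.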