Local Accounts

Applies to

  • Windows 11
  • Windows 10
  • Windows Server 2019
  • Windows Server 2016

This reference topic for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.

About local user accounts

Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, and on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.

This topic describes the following:

  • Default local user accounts

    • Administrator account

    • Guest Account

    • HelpAssistant account (installed by using a Remote Assistance session)

    • DefaultAccount

  • Default local system accounts

  • How to manage local accounts

    • Restrict and protect local accounts with administrative rights

    • Enforce local account restrictions for remote access

    • Deny network logon to all local Administrator accounts

    • Create unique passwords for local accounts with administrative rights

For information about security principals, see Security Principals.

Default local user accounts

The default local user accounts are built-in accounts that are created automatically when you install Windows.

After Windows is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.

Default local user accounts are used to manage access to the local server's resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see How to manage local accounts later in this topic.

Default local user accounts are described in the following sections.

Administrator account

The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.

The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.

From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators group can run apps with elevated permissions without using the Run as Administrator option. Fast User Switching is more secure than using Runas or different-user elevation.

Account group membership

By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.

The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed.

Security considerations

Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.

You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users (any caller able to resolve SIDs to names can look up the account with RID 500, whatever it is called). For more information about how to rename or disable a user account, see Disable or activate a local user account and Rename a local user account.

As a security best practice, use your local (non-Administrator) account to sign in and then use Run as administrator to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is absolutely necessary. For more information, see Run a program with administrative credentials.

In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.

In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see Group Policy Overview.

Important

  • Blank passwords are not allowed in the versions designated in the Applies To list at the beginning of this topic.

  • Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled, provided the computer is not joined to a domain and has no other enabled local administrator account. When normal operations are resumed, it is disabled.

Guest account

The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is absolutely necessary.

Account group membership

By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.

Security considerations

When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account should not be used over the network or made accessible to other computers.

In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.

HelpAssistant account (installed with a Remote Assistance session)

The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.

HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.

Security considerations

The SIDs that pertain to the default HelpAssistant account include:

  • SID: S-1-5-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.

  • SID: S-1-5-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.

For details about the HelpAssistant account attributes, see the following table.

HelpAssistant account attributes

Attribute                                                         Value
Well-Known SID/RID                                                S-1-5-13 (Terminal Server User), S-1-5-14 (Remote Interactive Logon)
Type                                                              User
Default container                                                 CN=Users, DC=<domain>, DC=
Default members                                                   None
Default member of                                                 Domain Guests; Guests
Protected by ADMINSDHOLDER?                                       No
Safe to move out of default container?                            Can be moved out, but we do not recommend it.
Safe to delegate management of this group to non-Service admins?  No

DefaultAccount

The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. The DSMA is a well-known user account type. It is a user-neutral account that can be used to run processes that are either multi-user aware or user-agnostic. The DSMA is disabled by default on the desktop SKUs (full Windows SKUs) and on Windows Server 2016 with Desktop Experience.

The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-<ComputerIdentifier>-503

The DSMA is a member of the well-known group System Managed Accounts Group, which has a well-known SID of S-1-5-32-581.

The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).

How Windows uses the DefaultAccount

From a permission perspective, the DefaultAccount is a standard user account. The DefaultAccount is needed to run multi-user-manifested apps (MUMA apps). MUMA apps run all the time and react to users signing in and signing out of the devices. Unlike Windows Desktop, where apps run in the context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA.

MUMA apps are functional in shared session SKUs such as Xbox. For example, the Xbox shell is a MUMA app. Today, Xbox automatically signs in as the Guest account and all apps run in this context. All the apps are multi-user aware and respond to events fired by the user manager. The apps run as the Guest account.

Similarly, Phone auto logs in as a "DefApps" account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.

In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. For this purpose, the system creates the DSMA.

How the DefaultAccount gets created on domain controllers

If the domain was created with domain controllers that run Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain. If the domain was created with domain controllers that run an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain.

Recommendations for managing the Default Account (DSMA)

Microsoft does not recommend changing the default configuration, where the account is disabled. There is no security risk in having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
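The three well-known RIDs covered above (500 for Administrator, 501 for Guest, 503 for the DSMA) are the reliable way to locate these accounts, because the SID survives a rename and the display name does not. The PowerShell below is an added example, not code from the original page or from Microsoft: it rebuilds each built-in account's SID from the machine SID, translates it back to whatever the account is currently called (the same lookup an attacker performs), reports whether each is disabled as recommended in the Administrator, Guest and DefaultAccount sections, checks that the DSMA is in System Managed Accounts Group (S-1-5-32-581), and renames and disables the built-in Administrator only if another administrator exists. The rename target LocalBreakGlass is a placeholder. It assumes the LocalAccounts cmdlets (Windows 10 / Windows Server 2016 and later) and an elevated session.

```powershell
#Requires -RunAsAdministrator
using namespace System.Security.Principal

# Well-known RIDs of the default local user accounts and their default display names.
# All three are expected to be disabled on a hardened system.
$BuiltInRids = @{ 500 = 'Administrator'; 501 = 'Guest'; 503 = 'DefaultAccount' }

function Get-MachineSid {
    # Every local user SID has the form S-1-5-21-<ComputerIdentifier>-<RID>;
    # AccountDomainSid strips the RID from any local account's SID.
    return (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
}

function Get-BuiltInAccountStatus {
    $machineSid = Get-MachineSid
    foreach ($rid in ($BuiltInRids.Keys | Sort-Object)) {
        $sid = [SecurityIdentifier]::new("$($machineSid.Value)-$rid")
        # SID -> name is the lookup that defeats a rename: the current name is
        # recoverable by anyone who can resolve SIDs on this machine.
        try   { $currentName = $sid.Translate([NTAccount]).Value }
        catch { $currentName = '<not present>' }
        $user = Get-LocalUser | Where-Object { $_.SID.Value -eq $sid.Value }
        [pscustomobject]@{
            Rid         = $rid
            DefaultName = $BuiltInRids[$rid]
            CurrentName = $currentName
            Enabled     = if ($user) { $user.Enabled } else { $null }
            Compliant   = if ($user) { -not $user.Enabled } else { $true }
        }
    }
}

function Test-DsmaGroupMembership {
    # The DSMA (RID 503) should be a member of System Managed Accounts Group (S-1-5-32-581).
    $members = Get-LocalGroupMember -SID 'S-1-5-32-581' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -like 'S-1-5-21-*-503' })
}

function Disable-BuiltInAdministrator {
    # Rename and disable RID 500. Setup already created a separate administrator on
    # these Windows versions, but refuse to proceed unless another member exists.
    param([string]$NewName = 'LocalBreakGlass')   # placeholder name
    $others = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
    if (-not $others) { throw 'No other Administrators member found; refusing to disable RID 500.' }
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin.Name -ne $NewName) { Rename-LocalUser -SID $admin.SID -NewName $NewName }
    Disable-LocalUser -SID $admin.SID
}

# Usage:
#   Get-BuiltInAccountStatus | Format-Table -AutoSize
#   Test-DsmaGroupMembership
#   Disable-BuiltInAdministrator
```

Run Get-BuiltInAccountStatus before and after Disable-BuiltInAdministrator: the CurrentName column changes, the Rid column does not, which is the point made in the Administrator security considerations.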

Default local system accounts

SYSTEM

The SYSTEM account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It is an internal account that does not show up in User Manager, and it cannot be added to any groups.

On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the Permissions portion of the Security menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.

Note

Granting the Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.

NETWORK SERVICE

The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see NetworkService Account.

LOCAL SERVICE

The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see LocalService Account.
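Services are where SYSTEM, NETWORK SERVICE and LOCAL SERVICE are actually exercised, so the practical check is which services run under which of the three and which run under some other account (those carry a stored password as an LSA secret). The PowerShell below is an added example, not from the original page: it reports the service-account distribution, lists services on custom accounts, and, for the note above about NTFS permissions, verifies that SYSTEM (S-1-5-18) still has an explicit Full Control Allow entry on a path you choose. The sample path in the usage comment is illustrative.

```powershell
using namespace System.Security.Principal
using namespace System.Security.AccessControl

# Logon account names as the Service Control Manager reports them (Win32_Service.StartName).
$BuiltInServiceAccounts = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-ServiceAccountSummary {
    # One row per logon account: how many services use it and which ones.
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Account';  e = { $_.Name } },
                      @{ n = 'Count';    e = { $_.Count } },
                      @{ n = 'Services'; e = { ($_.Group.Name | Sort-Object) -join ', ' } }
}

function Get-CustomAccountServices {
    # Services not running as one of the three built-in accounts: each stores a
    # password that any local administrator can read back from the LSA secrets.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($BuiltInServiceAccounts -notcontains $_.StartName) } |
        Select-Object Name, StartName, State, PathName
}

function Test-SystemFullControl {
    # True when NT AUTHORITY\SYSTEM has an Allow ACE with FullControl on $Path.
    # An Administrators ACE does not count, matching the note above. ACEs carrying
    # only generic rights (GENERIC_ALL) are not recognised by the -band test.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([SecurityIdentifier]).Value } catch { continue }
        if ($sid -eq 'S-1-5-18' -and
            $ace.AccessControlType -eq [AccessControlType]::Allow -and
            ($ace.FileSystemRights -band [FileSystemRights]::FullControl) -eq [FileSystemRights]::FullControl) {
            return $true
        }
    }
    return $false
}

# Usage:
#   Get-ServiceAccountSummary | Format-Table -AutoSize
#   Get-CustomAccountServices
#   Test-SystemFullControl -Path 'C:\Windows\System32\config'
```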

How to manage local user accounts

The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see Manage Local Users.

You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.

You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.

Note

You use Active Directory Users and Computers to manage users and groups in Active Directory.

You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets (the LocalAccounts module: New-LocalUser, Set-LocalUser, Add-LocalGroupMember and related cmdlets) and other scripting technologies.
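As an added example (not from the original page), the following PowerShell performs the common management tasks with the LocalAccounts cmdlets and records the NET.EXE equivalent of each step in comments: create a standard (non-administrative) user with only the group membership its role needs, demote a user out of Administrators, and report who is in Administrators and whether each local member is enabled. The account name svc-backup-operator and the Backup Operators membership are illustrative; it assumes an elevated session.

```powershell
#Requires -RunAsAdministrator

function Add-LocalGroupMemberIfMissing {
    # Add-LocalGroupMember errors if the principal is already a member, so check first.
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$Member)
    $existing = Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name }
    if ($existing -notcontains "$env:COMPUTERNAME\$Member") {
        Add-LocalGroupMember -Group $Group -Member $Member    # net localgroup "<Group>" <Member> /add
    }
}

function New-StandardLocalUser {
    # Creates a local user with standard rights only. NET.EXE equivalent:
    #   net user <Name> * /add          (prompts for the password)
    #   net localgroup Users <Name> /add
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Description = 'Standard local user (illustrative)',
        [string[]]$AdditionalGroups = @()     # e.g. 'Backup Operators' for a backup job account
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Local user '$Name' already exists."
    }
    $user = New-LocalUser -Name $Name -Password $Password -Description $Description `
                          -PasswordNeverExpires:$false
    # Unlike "net user /add", New-LocalUser does not place the account in Users on its
    # own; grant Users explicitly, plus only the extra groups the role needs.
    foreach ($g in @('Users') + $AdditionalGroups) {
        Add-LocalGroupMemberIfMissing -Group $g -Member $Name
    }
    return $user
}

function Remove-LocalAdminRights {
    # Demote a user to standard: net localgroup Administrators <Name> /delete
    param([Parameter(Mandatory)][string]$Name)
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq "$env:COMPUTERNAME\$Name" }
    if ($isAdmin) { Remove-LocalGroupMember -Group 'Administrators' -Member $Name }
}

function Get-LocalAdministratorsReport {
    # net localgroup Administrators, plus whether each local user member is enabled.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $enabled = if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
            (Get-LocalUser -SID $_.SID).Enabled
        } else { $null }
        [pscustomobject]@{ Name = $_.Name; Class = $_.ObjectClass; Source = $_.PrincipalSource; Enabled = $enabled }
    }
}

# Usage:
#   $pw = Read-Host -AsSecureString 'Password for svc-backup-operator'
#   New-StandardLocalUser -Name 'svc-backup-operator' -Password $pw -AdditionalGroups 'Backup Operators'
#   Remove-LocalAdminRights -Name 'svc-backup-operator'
#   Get-LocalAdministratorsReport | Format-Table -AutoSize
```

Get-LocalAdministratorsReport is the quick answer to the "limit the number of users in the Administrators group" advice earlier in this topic; anything in it with Source = Local and Enabled = True is a candidate for the restrictions in the sections that follow.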

Restrict and protect local accounts with administrative rights

An administrator tin use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called "lateral movement".

The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send e-mail, or use a word processor. When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.

The other approaches that can be used to restrict and protect user accounts with administrative rights include:

  • Enforce local account restrictions for remote access.

  • Deny network logon to all local Administrator accounts.

  • Create unique passwords for local accounts with administrative rights.

Each of these approaches is described in the following sections.

Note

These approaches do not apply if all administrative local accounts are disabled.

Enforce local account restrictions for remote access

User Account Control (UAC) is a security feature in Windows that has been in use since Windows Server 2008 and Windows Vista, and in the operating systems to which the Applies To list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.

UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, are requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the Run as command.

In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.

For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this case, it is issued a standard user token with no administrative rights and without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$ or ADMIN$, or perform any remote administration. This token filtering applies to local accounts only; domain accounts in the local Administrators group still receive a full token over the network, and setting LocalAccountTokenFilterPolicy to 1 turns the filtering off for local accounts as well, which is why the table below pins it to 0.

For more information about UAC, see User Account Control.

The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.

No.  Setting               Detailed Description
1    Policy location       Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
     Policy name           User Account Control: Run all administrators in Admin Approval Mode
     Policy setting        Enabled
2    Policy location       Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
     Policy name           User Account Control: Admin Approval Mode for the Built-in Administrator account
     Policy setting        Enabled
3    Registry key          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
     Registry value name   LocalAccountTokenFilterPolicy
     Registry value type   DWORD
     Registry value data   0

Note

You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.

To enforce local account restrictions for remote access

  1. Start the Group Policy Management Console (GPMC).

  2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects, where forest is the name of the forest, and domain is the name of the domain where you want to set the Group Policy Object (GPO).

  3. In the panel tree, right-click Group Policy Objects, and > New.


  4. In the New GPO dialog box, type <gpo_name>, and > OK, where gpo_name is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.


  5. In the details pane, right-click <gpo_name>, and > Edit.


  6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:

    1. Navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\, and > Security Options.

    2. Double-click User Account Control: Run all administrators in Admin Approval Mode > Enabled > OK.

    3. Double-click User Account Control: Admin Approval Mode for the Built-in Administrator account > Enabled > OK.

  7. Ensure that the local account restrictions are applied to network interfaces by doing the following:

    1. Navigate to Computer Configuration\Preferences and Windows Settings, and > Registry.

    2. Right-click Registry, and > New > Registry Item.


    3. In the New Registry Properties dialog box, on the General tab, change the setting in the Action box to Replace.

    4. Ensure that the Hive box is set to HKEY_LOCAL_MACHINE.

    5. Click the browse (...) button, browse to the following location for Key Path > Select for: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    6. In the Value name area, type LocalAccountTokenFilterPolicy.

    7. In the Value type box, from the drop-down list, select REG_DWORD to change the value.

    8. In the Value data box, ensure that the value is set to 0.

    9. Verify this configuration, and > OK.


  8. Link the GPO to the first Workstations organizational unit (OU) by doing the following:

    1. Navigate to the <Forest>\Domains\<Domain>\OU path.

    2. Right-click the Workstations OU, and > Link an existing GPO.


    3. Select the GPO that you just created, and > OK.

  9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any problems caused by the new policy.

  10. Create links to all other OUs that contain workstations.

  11. Create links to all other OUs that contain servers.
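The same procedure from PowerShell, as an added example that is not part of the original page: New-LocalAccountRestrictionGpo creates (or reuses) the GPO with the GroupPolicy module, writes the three values from the table above, and links it to an OU; Test-LocalAccountRestriction is meant to run on a workstation after gpupdate /force and reports whether the machine actually received them. The GPO name and the OU path are placeholders. The two UAC Security Options correspond to the registry values EnableLUA and FilterAdministratorToken under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; this example writes all three values as registry policy (Set-GPRegistryValue) instead of through the Security Options and Preferences editors used in the steps above, on the assumption that the same registry values produce the same effect, which the check function then confirms on the client.

```powershell
# Registry path that backs both UAC Security Options and LocalAccountTokenFilterPolicy.
$PolicyKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function New-LocalAccountRestrictionGpo {
    # Requires RSAT / the GroupPolicy module and rights to create and link GPOs.
    param(
        [string]$GpoName  = 'Restrict Local Admin Token Over Network',   # placeholder
        [string]$TargetOu = 'OU=Workstations,DC=corp,DC=example'         # placeholder
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Local admin accounts get a filtered token on network logon'
    }
    # 1 = Run all administrators in Admin Approval Mode (EnableLUA)
    # 1 = Admin Approval Mode for the Built-in Administrator account (FilterAdministratorToken)
    # 0 = keep remote network logons by local admins on a filtered token
    $values = @{ EnableLUA = 1; FilterAdministratorToken = 1; LocalAccountTokenFilterPolicy = 0 }
    foreach ($name in $values.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name `
                            -Type DWord -Value $values[$name] | Out-Null
    }
    # Link to the pilot OU first (steps 8 and 9 above); add further links once tested.
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

function Test-LocalAccountRestriction {
    # Run on a client. A missing LocalAccountTokenFilterPolicy value is the secure
    # default (0); a value of 1 means remote local admins receive a full token.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $latfp = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }
    [pscustomobject]@{
        EnableLUA                     = $p.EnableLUA
        FilterAdministratorToken      = $p.FilterAdministratorToken
        LocalAccountTokenFilterPolicy = $latfp
        Compliant = ($p.EnableLUA -eq 1) -and ($p.FilterAdministratorToken -eq 1) -and ($latfp -eq 0)
    }
}

# Usage (management host):   New-LocalAccountRestrictionGpo
# Usage (workstation):       gpupdate /force; Test-LocalAccountRestriction
```

Test-LocalAccountRestriction reads the live values regardless of how they were delivered, so it also catches a LocalAccountTokenFilterPolicy = 1 that a deployment tool or a helpful administrator set by hand to make C$ reachable.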

Deny network logon to all local Administrator accounts

Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This process helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials.

Note

To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.

The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.

No.  Setting           Detailed Description
1    Policy location   Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
     Policy name       Deny access to this computer from the network
     Policy setting    Local account and member of Administrators group
2    Policy location   Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
     Policy name       Deny log on through Remote Desktop Services
     Policy setting    Local account and member of Administrators group

To deny network logon to all local administrator accounts

  1. Start the Group Policy Management Console (GPMC).

  2. In the console tree, expand <Forest>\Domains\<Domain>, and then Group Policy Objects, where forest is the name of the forest, and domain is the name of the domain where you want to set the Group Policy Object (GPO).

  3. In the panel tree, right-click Group Policy Objects, and > New.

  4. In the New GPO dialog box, type <gpo_name>, and and then > OK where gpo_name is the name of the new GPO indicates that it is beingness used to restrict the local authoritative accounts from interactively signing in to the computer.


  5. In the details pane, correct-click <gpo_name>, and > Edit.


  6. Configure the user rights to deny network logons for administrative local accounts as follows:

    1. Navigate to the Computer Configuration\Windows Settings\Security Settings\, and > User Rights Assignment.

    2. Double-click Deny access to this computer from the network.

    3. Click Add User or Group, type Local account and member of Administrators group, and > OK.

  7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:

    1. Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then click User Rights Assignment.

    2. Double-click Deny log on through Remote Desktop Services.

    3. Click Add User or Group, type Local account and member of Administrators group, and > OK.

  8. Link the GPO to the first Workstations OU as follows:

    1. Navigate to the <Forest>\Domains\<Domain>\OU path.

    2. Right-click the Workstations OU, and > Link an existing GPO.

    3. Select the GPO that you just created, and > OK.

  9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any problems caused by the new policy.

  10. Create links to all other OUs that contain workstations.

  11. Create links to all other OUs that contain servers.

    Note

    You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
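The GPO above is the right delivery mechanism in a domain. For a standalone server, a lab, or verifying what a workstation actually ended up with, the following PowerShell is an added example (not from the original page) that applies the same two Deny rights locally through secedit, and reads them back. It resolves the principal "Local account and member of Administrators group" from its name rather than hard-coding its SID, which is why the renamed-Administrator problem in the notes above does not arise: every local member of Administrators is covered whatever it is called. The working directory is a placeholder; the script assumes an elevated session.

```powershell
#Requires -RunAsAdministrator

function Get-LocalAdminsPrincipalSid {
    # Well-known principal used by the policy setting above; resolving it by name
    # returns its SID (S-1-5-114 on supported versions of Windows).
    $acct = [System.Security.Principal.NTAccount]'NT AUTHORITY\Local account and member of Administrators group'
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-DenyLogonForLocalAdmins {
    # Writes a security template with the two Deny rights and applies only the
    # USER_RIGHTS area. Note that secedit replaces the whole assignment for each
    # right listed, so merge any existing entries into the template first.
    param([string]$WorkDir = "$env:SystemRoot\Temp")   # placeholder
    $sid = Get-LocalAdminsPrincipalSid
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
"@
    $infPath = Join-Path $WorkDir 'deny-local-admins.inf'
    $dbPath  = Join-Path $WorkDir 'deny-local-admins.sdb'
    Set-Content -Path $infPath -Value $inf -Encoding Unicode
    secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
    Remove-Item $infPath, $dbPath -ErrorAction SilentlyContinue
}

function Get-DenyLogonRights {
    # Exports the effective user rights and returns the SIDs assigned to each Deny
    # right as a hashtable, so the caller can assert the expected SID is present.
    $out = Join-Path $env:TEMP 'rights-export.inf'
    secedit.exe /export /cfg $out /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $out
    Remove-Item $out -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $result[$right] = if ($line) {
            (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
        } else { @() }
    }
    return $result
}

# Usage:
#   Set-DenyLogonForLocalAdmins
#   $rights = Get-DenyLogonRights
#   $rights['SeDenyNetworkLogonRight'] -contains (Get-LocalAdminsPrincipalSid)
```

Get-DenyLogonRights is also the check to run on a domain-joined workstation after the GPO above applies: if the exported list for either right lacks the resolved SID, the policy did not reach the machine.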

Create unique passwords for local accounts with administrative rights

Passwords should be unique per individual account. While this is generally true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.

Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hampers the ability of malicious users to use password hashes of those accounts to compromise other computers.

Passwords can be randomized by:

  • Purchasing and implementing an enterprise tool to accomplish this task. These tools are usually referred to as "privileged password management" tools.

  • Configuring Local Administrator Password Solution (LAPS) to accomplish this task.

  • Creating and implementing a custom script or solution to randomize local account passwords.
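A minimal version of the third option, as an added example that is not part of the original page: New-RandomPassword draws from the Windows CSPRNG with rejection sampling (so no character is favoured by modulo bias), and Reset-BuiltInAdministratorPassword applies it to RID 500 whatever that account is currently named and returns the plaintext once. Escrowing the result (which LAPS does for you in Active Directory) is the caller's job and is not shown; the alphabet, length and output object are choices made for this example. It assumes an elevated session on Windows 10 / Windows Server 2016 or later.

```powershell
#Requires -RunAsAdministrator

function New-RandomPassword {
    # Uniform random password from the OS CSPRNG. Visually ambiguous characters
    # (0/O, 1/l/I) are left out so the value can be read back from a vault.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)    # bytes >= $limit are discarded (rejection sampling)
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    $rng.Dispose()
    return -join $chars
}

function Reset-BuiltInAdministratorPassword {
    # Locate RID 500 by SID (immune to renaming), set a fresh password, and hand the
    # plaintext back exactly once for escrow. Never write it to a log or a file share.
    param([int]$Length = 24)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }
    $plain  = New-RandomPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-LocalUser -SID $admin.SID -Password $secure
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $admin.Name
        Password  = $plain
        RotatedAt = Get-Date
    }
}

# Usage (run per machine by the deployment or scheduling tool of your choice):
#   $record = Reset-BuiltInAdministratorPassword
#   # ...send $record to the organization's vault, then discard it
```

Because each machine generates its own value, a hash captured on one host authenticates nowhere else, which is the whole point of the section above; the remaining engineering work is the rotation schedule and the vault, not the password itself.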

See also

The following resources provide additional information about technologies that are related to local accounts.

  • Security Principals

  • Security Identifiers

  • Access Control Overview