Default Groups and their initial members on Windows 2000 Systems
The tables below list the default groups present on Windows 2000 Systems.
They also indicate which users and/or groups are initially a member of which group.
Built-in domain local groups on Windows 2000 Domain Controllers (Cannot be renamed or deleted)
Predefined domain local groups on Windows 2000 Domain Controllers (Can be renamed or deleted)
Predefined domain global groups on Windows 2000 Domain Controllers (Can be renamed or deleted)
Built-in local groups on Windows 2000 Professional and Windows 2000 Member server (non domain controller)
Implicit groups on all Windows 2000 systems
Built-in domain local groups on Windows 2000 Domain Controllers (Cannot be renamed or deleted)

These groups have domain local scope and are primarily used to assign permissions to users who
will have some type of administrative privilege in the domain.

| Groupname | Purpose of these Built-in groups | Members |
|---|---|---|
| Account Operators | Members can administer domain user and group accounts | |
| Administrators | Administrators have complete and unrestricted access to the computer/domain | Administrator, Domain Admins, Enterprise Admins |
| Backup Operators | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files | |
| Guests | Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted (*); the Guest account must be enabled in order for guests to be able to access the system in the first place | Domain Guests, Guest (*), IUSR_<computername>, IWAM_<computername>, TsInternetUser |
| Print Operators | Members can administer domain printers | |
| Replicator | Supports file replication in a domain | |
| Server Operators | Members can administer domain servers | |
| Users | Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications | Domain Users, NT AUTHORITY\Authenticated Users, NT AUTHORITY\INTERACTIVE |
Predefined domain local groups on Windows 2000 Domain Controllers (Can be renamed or deleted)

These groups exist for special purposes, such as administering particular applications or
services, as their names indicate. Although they can be deleted, doing so is rarely prudent,
for that very reason.

| Groupname | Purpose | Members |
|---|---|---|
| DHCP Administrators | Members who have administrative access to the DHCP service | |
| DHCP Users | Members who have view-only access to the DHCP service | |
| DnsAdmins | DNS Administrators Group | |
| WINS Users | Members who have view-only access to the WINS Server | |
| RAS and IAS Servers | Servers in this group can access remote access properties of users (Group exists only after installing Routing and Remote Access) | |
Predefined domain global groups on Windows 2000 Domain Controllers (Can be renamed or deleted)

These groups are used for "organizing" user accounts in a domain.
User accounts you create are automatically added to the "Domain Users" group and Computer accounts
you create are automatically added to the "Domain Computers" group.

| Groupname | Purpose | Members |
|---|---|---|
| Cert Publishers | Enterprise certification and renewal agents | |
| DnsUpdateProxy | DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers) | |
| Domain Admins | Designated administrators of the domain | Administrator |
| Domain Computers | All workstations and servers joined to the domain | |
| Domain Controllers | All domain controllers in the domain | <1st Domain Controller> |
| Domain Guests | All domain guests | Guest |
| Domain Users | All domain users | Administrator, Guest, IUSR_<computername>, IWAM_<computername>, Krbtgt, TsInternetUser |
| Enterprise Admins | Designated administrators of the enterprise | Administrator |
| Group Policy Creator Owners | Members in this group can modify group policy for the domain | Administrator |
| Pre-Windows 2000 Compatible Access | A backward compatibility group which allows read access on all users and groups in the domain (when the domain is in Mixed Mode) | Everyone |
| Schema Admins | Designated administrators of the schema | Administrator |
Built-in local groups on Windows 2000 Professional and Windows 2000 Server (non domain controller)

These are the built-in groups on any Windows 2000 Professional workstation and any Windows 2000 Server that is not a domain controller.

| Groupname | Purpose | Members |
|---|---|---|
| Administrators | Administrators have complete and unrestricted access to the computer/domain | Administrator, Domain Admins (1) |
| Backup Operators | Backup Operators can override security restrictions for the sole purpose of backing up or restoring files | |
| Guests | Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted | Guest, IUSR_<computername>, IWAM_<computername>, Domain Guests (1), TsInternetUser (2) |
| Power Users | Power Users possess most administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications | |
| Replicator | Supports file replication in a domain | |
| Users | Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications | NT AUTHORITY\Authenticated Users, NT AUTHORITY\INTERACTIVE, Domain Users (1) |

(1) Only when the computer is a member of a domain.
(2) On server systems only.
Implicit groups on all Windows 2000 systems

Additionally, the following groups exist implicitly on all Windows 2000 systems,
be it a domain controller, a non-domain-controller member server in a domain or a Professional
workstation. Membership in these groups cannot be defined explicitly; it is implicit and depends on
the manner in which a user accesses a network resource. They are not visible in AD Users and Computers
and only show up in pick lists when setting permissions through, e.g., Windows Explorer.

| Groupname | Purpose | Members |
|---|---|---|
| Authenticated Users | Manage the majority of the users of the system | Anyone who has been properly authenticated by the system |
| BATCH | Used for running in batch mode | |
| CREATOR OWNER, CREATOR GROUP | Automatically grant permissions to creators of directories, files and/or print jobs | Anyone who creates an object |
| DIALUP | Manage Dial-Up users | All users who log on through a Dial-Up connection |
| EVERYONE | Manage "The World" (Everyone = INTERACTIVE + NETWORK) | Need I say: Everyone? |
| INTERACTIVE | Manage the users who are "interactively" working with the system | Anyone logged on locally |
| NETWORK | Manage the users who are accessing the system through the network | Anyone logged on through the network |
| SYSTEM | To grant permissions to the operating system | Windows 2000 operating system |