Local Users and Groups Best practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices

  • As a security best practice, it is recommended that you do not log on to your computer with administrative credentials.

    When you are logged on to your computer without administrative credentials, you can use Run as to accomplish administrative tasks.

    For more information, see Using Run as.

  • To further secure your local computer, it is recommended that you implement the following security guidelines:

    • Limit the number of users in the Administrators group since members of the Administrators group on a local computer have Full Control permissions on that computer.

      For more information, see Why you should not run your computer as an administrator.

    • Rename or disable the Administrator account.

      For more information, see Local user accounts.

    • Leave the Guest account disabled. The Guest account is used by people who do not have an actual account on the computer. The Guest account does not require a password, so it is a security risk. The Guest account is disabled by default, and it is recommended that it stay disabled.

      For more information, see Local user accounts.

    • Some default user rights assigned to specific default local groups may allow members of those groups to gain additional rights on your computer, including administrative rights. Therefore, your organization must equally trust all personnel who are members of the Administrators, Power Users, Print Operators, and Backup Operators groups.

      For more information about these groups, see Default local groups.

    • Review important security considerations about local users and groups.

      For more information, see Default security settings for groups.

  • Use passwords no longer than 14 characters if you are on a network with computers running Windows 95 and Windows 98.

    You can create a password containing up to 127 characters. However, computers running Windows 95 and Windows 98 support passwords of up to 14 characters only. If your password is longer, you may not be able to log on to the network from those computers.

    For more information, see Create a local user account.
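
The account and group guidelines above can be checked with a read-only audit. The following script is an added example, not part of the original documentation; it assumes Windows PowerShell is installed on the server, and the `$maxAdmins` threshold is a hypothetical value to replace with your own policy.

```powershell
# Added example: read-only audit of the local account guidelines above.
# Uses WMI and ADSI only; no accounts or groups are changed.
$computer  = $env:COMPUTERNAME
$maxAdmins = 2   # assumption: example threshold, set it to your own policy

# Well-known SIDs, so localized or renamed groups are still matched.
$privilegedGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}
$findings = @()

# Built-in Administrator always has RID 500 and Guest RID 501.
foreach ($a in @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")) {
    if ($a.SID -match '-500$' -and -not $a.Disabled -and $a.Name -eq 'Administrator') {
        $findings += "Built-in Administrator is neither renamed nor disabled"
    }
    if ($a.SID -match '-501$' -and -not $a.Disabled) {
        $findings += "Guest account '$($a.Name)' is enabled"
    }
}

# List members of every privileged local group that exists on this machine.
foreach ($g in @(Get-WmiObject Win32_Group -Filter "LocalAccount=True")) {
    if (-not $privilegedGroups.ContainsKey($g.SID)) { continue }
    $group   = [ADSI]"WinNT://$computer/$($g.Name),group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    "{0} ({1}): {2}" -f $privilegedGroups[$g.SID], $g.Name, ($members -join ', ')
    if ($g.SID -eq 'S-1-5-32-544' -and $members.Count -gt $maxAdmins) {
        $findings += "Administrators has $($members.Count) members (limit $maxAdmins)"
    }
}

if ($findings) {
    $findings | ForEach-Object { "FINDING: $_" }
} else {
    "No findings for the checked guidelines."
}
```

Groups that do not exist on the machine are skipped, and the member lists are printed so that each entry can be reviewed against the trust requirement for those groups.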