Local Users and Groups best practices

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Best practices

  • As a security best practice, it is recommended that you do not log on to your computer with administrative credentials.

    When you are logged on to your computer without administrative credentials, you can use Run as Administrator to accomplish tasks that require a higher level of privilege than a standard user account. For more information, see Using Run as (https://go.microsoft.com/fwlink/?LinkId=28314).

  • To further secure your local computer, it is recommended that you implement the following security guidelines:

    • Limit the number of users in the Administrators group because members of the Administrators group on a local computer have Full Control permissions on that computer.

      For more information, see Why you should not run your computer as an administrator.

    • Leave the Guest account disabled. The Guest account is used by people who do not have an actual account on the computer. The Guest account does not require a password; therefore, it is a security risk. The Guest account is disabled by default, and it is recommended that it stay disabled.

      For more information, see Local user accounts.

    • Leave the Administrator account disabled. The Administrator account is disabled by default, and it is recommended that it stay disabled.

      For more information, see Local user accounts.

    • Some default user rights that are assigned to specific default local groups may allow members of those groups to gain additional rights on your computer, including administrative rights. Therefore, you must trust equally all personnel that are members of the Administrators and Backup Operators groups.

      For more information about these groups, see Default local groups.

    • Review important security considerations about local users and groups.
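As an added example that is not part of this TechNet article, the following PowerShell script checks a computer against the guidelines above: it lists the members of the Administrators and Backup Operators groups (so you can see how many principals, and which nested groups, hold those rights) and reports whether the built-in Administrator and Guest accounts are still disabled. It uses the ADSI WinNT provider rather than the newer Get-LocalUser and Get-LocalGroupMember cmdlets so that it also runs on the Windows 7 and Windows Server 2008 R2 systems the article covers. The computer name parameter, the function names and the report layout are this example's own assumptions; the built-in accounts are located by their well-known relative identifiers (RID 500 for Administrator, RID 501 for Guest) so that a renamed account is still checked.

```powershell
# Added example, not code from the TechNet article. Audits a computer against the
# "Local Users and Groups" guidelines using the ADSI WinNT provider, which is
# available on Windows 7 / Server 2008 R2 / Server 2012 without the LocalAccounts module.
# Assumed: run from a PowerShell session on (or with access to) the computer being
# checked; $ComputerName, the function names and the output format are this example's own.

param([string]$ComputerName = $env:COMPUTERNAME)

$ADS_UF_ACCOUNTDISABLE = 0x0002   # UserFlags bit meaning "account is disabled"

function Get-LocalGroupMemberReport {
    # Returns one object per member of the named local group: local users,
    # domain users and nested (local or domain) groups alike.
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.Invoke("Members") | ForEach-Object {
        $path  = $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember("Class",   'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{
            Group  = $GroupName
            # ADsPath is WinNT://DOMAIN-OR-COMPUTER/name; show it as DOMAIN\name
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class  = $class
        }
    }
}

function Get-BuiltInAccountState {
    # Finds the built-in Administrator (RID 500) and Guest (RID 501) by SID,
    # so the check still works if either account has been renamed.
    $computer = [ADSI]"WinNT://$ComputerName"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'User' } |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)
            $rid = [int]($sid.Value.Split('-')[-1])
            if ($rid -eq 500 -or $rid -eq 501) {
                New-Object PSObject -Property @{
                    Name     = $_.Name
                    Rid      = $rid
                    Disabled = (([int]$_.UserFlags.Value) -band $ADS_UF_ACCOUNTDISABLE) -ne 0
                }
            }
        }
}

# --- Guideline: limit Administrators membership; trust Backup Operators equally ---
foreach ($g in 'Administrators', 'Backup Operators') {
    $members = @(Get-LocalGroupMemberReport -GroupName $g)
    Write-Host ("`n{0} ({1} member(s)):" -f $g, $members.Count)
    $members | Sort-Object Member | ForEach-Object {
        Write-Host ("  {0,-6} {1}" -f $_.Class, $_.Member)
    }
    # A nested group (for example a domain group) widens the trusted set beyond
    # the names listed here, so call it out explicitly.
    $nested = @($members | Where-Object { $_.Class -eq 'Group' })
    if ($nested.Count -gt 0) {
        Write-Host "  NOTE: every member of the nested group(s) above also holds this group's rights."
    }
}

# --- Guideline: leave the Administrator and Guest accounts disabled ---
Write-Host "`nBuilt-in accounts:"
Get-BuiltInAccountState | Sort-Object Rid | ForEach-Object {
    $status = if ($_.Disabled) { 'OK   (disabled)' } else { 'WARN (enabled)' }
    Write-Host ("  RID {0}  {1,-20} {2}" -f $_.Rid, $_.Name, $status)
}
```

Run it as `.\Audit-LocalAccounts.ps1` (or with `-ComputerName` pointing at another machine you administer) and treat any `WARN (enabled)` line, or an Administrators list longer than the people you actually trust with Full Control, as something to follow up on. Because group membership is enumerated through the WinNT provider, domain principals that were added to the local groups appear alongside local ones, which is exactly the set the article asks you to trust equally.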