Description of Default Security Settings in Windows 2000

ID: Q217050


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server


SUMMARY

This article describes some of the default security settings in Windows 2000.


MORE INFORMATION

Some of the default security settings in Windows 2000 include:

Clean Installation

Windows 2000 Professional and Windows 2000 Server (Configured as a Member Server)

  • Users (members of the Everyone and Users groups) do not have broad write access to the system as in Microsoft Windows NT 4.0 and earlier. Such users have read access to most parts of the system and write access only under their own profile folders.


  • Power Users (members of the Power Users group) have all the access that normal users and power users have in Windows NT 4.0 and earlier. Such users have write access to parts of the system besides their own profile folders. This enables them to install programs, and more.


  • Administrators have all the access they have always had.


Windows 2000 Server (Configured as a Domain Controller)

  • Users do not have broad write access to the system. Such users have read access to most parts of the system and write access only under their own profile folders. Such users can only access domain controllers over the network. Local logon to domain controllers is denied.


  • Server Operators, Account Operators, and other built-in groups have the same access as in Windows NT 4.0 and earlier.


  • Administrators have all the access they have always had.


Upgrades

Computers upgraded from Windows NT 4.0 do not use the new default security settings described above. Instead, all existing security settings are maintained.

Backwards Compatibility for Programs in Windows 2000 Professional

Access granted to the Power Users group provides the best avenue of compatibility with programs. New users are added to the Power Users group by default, so security-conscious administrators may want to examine the option of removing users from this group. By default, the "Authenticated Users" special identity is also added to the Power Users group, to ensure that domain users have the same level of access as they have had in the past. Users created by programmatic means are not added to the Power Users group by default.
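To examine Power Users membership as suggested above, the following added example (not part of the original Microsoft article) parses the text printed by `net localgroup "Power Users"` and separates the "Authenticated Users" special identity from ordinary accounts. It assumes the English output layout of `net localgroup`; the sample output and account names are constructed for illustration.

```python
# Added example, not Microsoft's code. Parses `net localgroup "Power Users"`
# output and flags the special identity the article mentions.

# Constructed sample output (assumed English layout; names are made up).
SAMPLE = """\
Alias name     Power Users
Comment        Constructed comment text

Members

-------------------------------------------------------------------------------
NT AUTHORITY\\Authenticated Users
alice
EXAMPLE\\bob
The command completed successfully.
"""

SPECIAL = "authenticated users"


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            # The member list begins after a line made only of dashes.
            in_list = len(line) > 0 and set(line) == {"-"}
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def review(members):
    """Split members into the special identity and ordinary accounts."""
    report = {"special_identity": [], "accounts": []}
    for m in members:
        # Compare only the name part, ignoring any DOMAIN\ prefix.
        name = m.rsplit("\\", 1)[-1].lower()
        key = "special_identity" if name == SPECIAL else "accounts"
        report[key].append(m)
    return report


if __name__ == "__main__":
    result = review(parse_members(SAMPLE))
    for m in result["special_identity"]:
        print("REVIEW (extends Power Users access to domain users):", m)
    for m in result["accounts"]:
        print("member:", m)
```

Each account reported as a plain member is a candidate for removal from the group if the programs that user runs do not need Power Users access.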

Additional query words: compatguidesetup

Keywords : kbenv ntsecurity kbWinOS2000
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.