Description of Default Security Settings in Windows 2000

This article describes some of the default security settings in Windows 2000.

Some of the default security settings in Windows 2000 include:

Clean Installation

Windows 2000 Professional and Windows 2000 Server (Configured as a Member Server)

• Users (members of the Everyone and Users groups) do not have broad write access to the system as in Microsoft Windows NT 4.0 and earlier. Such users have read access to most parts of the system and write access only under their own profile folders.
• Power Users (members of the Power Users group) have all the access that normal users and power users have in Windows NT 4.0 and earlier. Such users have write access to parts of the system besides their own profile folders. This enables them to install programs, and more.
• Administrators have all the access they have always had.

Windows 2000 Server (Configured as a Domain Controller)

• Users do not have broad write access to the system. Such users have read access to most parts of the system and write access only under their own profile folders. Such users can only access domain controllers over the network. Local logon to domain controllers is denied.
• Server Operators, Account Operators, and other built-in groups have the same access as in Windows NT 4.0 and earlier.
• Administrators have all the access they have always had.

Upgrades

Computers upgraded from Windows NT 4.0 do not use the new default security settings described above. Instead, all existing security settings are maintained.

For more information, refer to the "Default Access Control Settings in Windows 2000" white paper that is located at the following Microsoft Web site: In the event that the URL for this white paper has moved, you can search the white paper at the following Microsoft Web site: