Members of the Users group can perform most common tasks, such as running applications, using local and network printers, and shutting down and locking the workstation. Users can create local groups, but can modify only the local groups that they created. Users cannot share directories or create local printers.
The Users group provides the most secure environment in which to run programs. On a volume formatted with NTFS, the default security settings on a newly installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators. Users have full control over all of their own data files (%userprofile%) and their own portion of the registry (HKEY_CURRENT_USER).
Users cannot install programs that can be run by other Users, which prevents a User from planting a Trojan horse program for others to run. They also cannot access other Users' private data or desktop settings.
To secure a Windows 2000 system, an administrator should:
- Make sure that end users are members of the Users group only.
- Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully.
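One way to check the first item above is to save the output of `net localgroup <group>` for each local group and compare it with the list of end-user accounts. The following is an added example, not part of the original documentation; the account names and the captured text are constructed, and it assumes local account names that can be matched case-insensitively.

```python
# Added example: check the "Users group only" rule from `net localgroup` output.
# SAMPLE is constructed text in that command's layout, not output from a real host.
RULE = "-" * 79

def _capture(group, members):
    """Build constructed `net localgroup <group>` output for the sample data."""
    body = "\n".join(members)
    return (f"Alias name     {group}\nComment        (constructed sample)\n\n"
            f"Members\n\n{RULE}\n{body}\nThe command completed successfully.\n")

SAMPLE = {
    "Users": _capture("Users", ["alice", "bob", "carol", "NT AUTHORITY\\INTERACTIVE"]),
    "Power Users": _capture("Power Users", ["bob"]),
    "Administrators": _capture("Administrators", ["Administrator", "carol"]),
}
END_USERS = ["alice", "bob", "carol", "dave"]  # hypothetical end-user accounts

def parse_members(text):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(outputs, end_users):
    """Map each end user to the findings that break the 'Users group only' rule."""
    membership = {g: {m.lower() for m in parse_members(t)} for g, t in outputs.items()}
    findings = {}
    for user in end_users:
        name = user.lower()
        # Any group other than Users counts as extra membership.
        issues = [f"member of {g}" for g in outputs
                  if g != "Users" and name in membership[g]]
        if name not in membership.get("Users", set()):
            issues.append("not a member of Users")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(SAMPLE, END_USERS).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts that do not appear in the result are members of Users and of no other audited group.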
Users will not be able to run most programs written for previous versions of Windows because previous versions of Windows either did not support file system and registry security (Windows 95 and Windows 98) or shipped with lax default security settings (Windows NT). If Users have problems running legacy applications on newly installed NTFS systems, then do one of the following:
- Install new versions of the applications that are certified for Windows 2000.
- Move end users from the Users group into the Power Users group.
- Decrease the default security permissions for the Users group. This can be accomplished by using the compatible security template. For more information, see "Predefined security templates" in Related Topics.