Managing local groups
In the previous section, you learned that there are built-in local user accounts. There are also a few built-in local groups in Windows 10 that provide users with an easier way to delegate the same permissions and rights as other group members. Assigning permissions to groups is much more efficient than applying these rights to individual user accounts.
If you open the Users group or the Administrators group, then you should see members that you recognize. Administrators have complete and unrestricted access to the computer. Users are unable to make system-wide changes, but they can run most applications that have already been installed on the computer.
Default local groups
In the Groups folder, which you can find in the Computer Management console, you can create local groups, change group memberships, rename groups, and delete groups. Microsoft's best practice is to use the default local groups wherever possible. The built-in groups already have the appropriate permissions.
While Windows 10 is being installed, these built-in groups are created, just like the default local user accounts. In the following screenshot, you can see the built-in local groups in the Name column:
Figure 4.5 - The built-in local groups
You can create additional local groups and give these groups any name you want, but keep in mind that the group name should have the following properties:
- It can be up to 256 characters in length.
- It must be unique among all the other accounts and group names.
- It cannot contain the following characters: \, /, ", [, ], :, |, <, >, +, =, ;, ,, ?, *, @.
The default local groups are also stored in the SAM database in the registry.
Creating local groups
If you want to create an additional local group on a computer, follow these steps:
- Right-click the Start menu or press Win + X and click on Computer Management.
- The Computer Management console will open.
- Expand System Tools.
- Expand Local Users and Groups.
- Click on Groups:
Figure 4.6 - Computer Management console window
- Right-click somewhere in the middle pane.
- Click on New Group….
- The New Group window will open:
Figure 4.7 - New Group window
- Fill in the empty fields for the new group.
- Click the Add… button to add existing local users to this group.
- Click Create and then Close. The new local group will be created.
Important Note
Only members of the Administrators group can manage users and groups.
After you have created the new local group, you can add or remove users from the group by double-clicking the local group.
Using Windows PowerShell
You can use Windows PowerShell to view, add, modify, or delete a local user account. In order to do this, you need to run the cmdlets with elevated rights.
To manage local users with PowerShell, you can use the following cmdlets:
- Get-LocalGroup
- New-LocalGroup
- Remove-LocalGroup
- Rename-LocalGroup
- Set-LocalGroup
- Add-LocalGroupMember
- Get-LocalGroupMember
- Remove-LocalGroupMember
For example, to create a new local group and add an existing local user to this group, run the following cmdlets:
New-LocalGroup -Name W10NewLocalGroup
Add-LocalGroupMember -Member Jeroen -Name W10NewLocalGroup
Now, you know that there are built-in local groups that are created while Windows 10 is being installed. You also know how to create a local group with the Computer Management console and how to create a local group with PowerShell.
Now, let's look at how we can manage devices.