Windows Local Groups

Windows Local Groups are collections of Windows user accounts, local groups, or other global groups that are created and managed on an individual Windows computer or device. These groups allow for efficient management of user permissions, making it easier to assign access rights to various resources on the local computer. Local groups are specific to a single computer and do not have the same level of centralized management and security features as domain groups, which are managed by a domain controller in an Active Directory domain.

Here are some key details about Windows Local Groups and their relationship with the Security Accounts Manager (SAM):

1. Security Accounts Manager (SAM): The Security Accounts Manager (SAM) is a Windows database that stores information about local user accounts, local group memberships, and their corresponding security information. SAM is a critical component for managing user authentication and security on a local computer.

2. Usage: Local groups are typically used in standalone computers, workgroup environments, or on computers that are not part of an Active Directory domain. They provide a way to organize users into groups with similar access rights or permissions on a local computer. Local groups simplify the process of assigning permissions and access controls to files, folders, and other resources on the computer.

3. Working Examples:

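Let’s walk through some working examples of creating and managing local groups in Windows. As with local users, you can use either PowerShell or the graphical interface; the examples below use PowerShell. Commands that create, change, or delete groups must be run from an elevated PowerShell session: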

Creating a Local Group:

powershell

New-LocalGroup -Name "MyLocalGroup" -Description "A custom local group for access control"

In this example, we create a new local group called “MyLocalGroup” with a description.

Adding a Local User to a Local Group:

powershell

Add-LocalGroupMember -Group "MyLocalGroup" -Member "JohnDoe"

This command adds the user “JohnDoe” to the “MyLocalGroup” local group.

Listing Local Groups:

powershell

Get-LocalGroup

This command lists all local groups on the current computer.

Modifying a Local Group:

powershell

Set-LocalGroup -Name "MyLocalGroup" -Description "Updated description for MyLocalGroup"

Here, we modify the description for the “MyLocalGroup” local group.

Deleting a Local Group:

powershell

Remove-LocalGroup -Name "MyLocalGroup"

This command deletes the “MyLocalGroup” local group.

Built-In Local Groups:

Windows comes with several built-in local groups that have predefined purposes. Here are some common built-in local groups:

  1. Administrators: Members of this group have full control over the computer and can make system-wide changes.
  2. Users: Standard users who can run applications and use the computer but cannot make system-wide changes.
  3. Guests: Members of this group have limited access to the computer. Typically used for users who do not have an account on the computer.
  4. Power Users: A legacy group with elevated privileges but not full administrative access. Deprecated in newer Windows versions.
  5. Backup Operators: Members of this group can back up and restore files on the computer.
  6. Remote Desktop Users: Members of this group can access the computer via Remote Desktop.
  7. Replicator: Used for replication services, such as in a Windows domain.
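
Because membership in groups such as Administrators, Backup Operators, and Remote Desktop Users grants significant access, it is worth reviewing regularly. The following script is an added example, not part of the original article: it reads the members of those three built-in groups and flags any member that is not in an expected baseline. The `$baseline` allowlist and the function name `Get-LocalGroupAudit` are hypothetical and should be adapted to your own environment.

```powershell
# Added example: audit membership of privileged built-in local groups.
# Groups are resolved by well-known SID, so localized group names do not matter.
$privilegedGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

# Assumption: a constructed per-group allowlist. Replace with your own baseline.
$baseline = @{
    'S-1-5-32-544' = @("$env:COMPUTERNAME\Administrator")
    'S-1-5-32-551' = @()
    'S-1-5-32-555' = @()
}

function Get-LocalGroupAudit {
    param([System.Collections.IDictionary]$Groups, [hashtable]$Allowed)
    foreach ($sid in $Groups.Keys) {
        try {
            $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
        } catch {
            # Membership could not be read; report it instead of silently skipping the group.
            [pscustomobject]@{ Group = $Groups[$sid]; Member = $null; Source = $null; Class = $null; Status = "ERROR: $($_.Exception.Message)" }
            continue
        }
        foreach ($m in $members) {
            $status = if ($Allowed[$sid] -contains $m.Name) { 'OK' } else { 'UNEXPECTED' }
            [pscustomobject]@{
                Group  = $Groups[$sid]
                Member = $m.Name
                Source = $m.PrincipalSource   # Local, ActiveDirectory, etc.
                Class  = $m.ObjectClass       # User or Group
                Status = $status
            }
        }
    }
}

Get-LocalGroupAudit -Groups $privilegedGroups -Allowed $baseline | Sort-Object Status -Descending | Format-Table -AutoSize
```

Rows marked UNEXPECTED are members outside the baseline and should be reviewed; a group with no members produces no rows.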

Remember that local groups are specific to the computer on which they are created. They are primarily used for local access control. For centralized management and access control in a domain, you would typically use domain groups in Active Directory.

Author: tonyhughes