Simple questions: What is a user group in Windows and what does it do?

Security is essential in any digital environment, so to make it easier for users to manage permissions and other user accounts, Windows offers a useful feature called user groups. Although it may seem a bit intimidating at first, this feature is not that hard to understand and use, and it might just save you a lot of time and energy when managing multiple accounts. Let's get into some more detail and see what user groups are and how you can use them to your advantage, on any computer with Windows:

What is a user group in Windows?

To understand what a user group in Windows is, you must first know what a user account is. The (very) short definition is this: a user account is a collection of settings used by Windows to understand your preferences. It’s also used to control the files and folders you access, the tasks you are allowed to perform, the devices and resources you are allowed to use, and so on. User accounts are also the only way of authenticating and receiving the authorization to use your Windows device. This brief definition should be a good start for understanding what user groups are in Windows. However, if you want more information about user accounts, what they are and what they are useful for, first read this guide: Simple questions: What is a user account or a username in Windows?

To expand on this knowledge, in Windows operating systems, a user group is a collection of multiple user accounts that share the same access rights to the computer and/or network resources and share common security rights. This is why you will often hear IT professionals refer to user groups as security groups. User groups can be categorized into three different types:

  • Local groups - are the user groups that exist on your Windows computer or device. They are defined locally and can be managed from the Local Users And Groups tool. These are the user groups that home users work with and the ones that we’re going to talk about in this article.
  • Security groups - have security descriptors associated with them. Security groups are used in Windows domains with Active Directory.
  • Distribution groups - are useful for distributing e-mails for users that belong to domains with Active Directory.

The Security groups and the Distribution groups are user groups that are used in business environments and company networks. For instance, you can encounter security user groups at your workplace, especially if you're working in a big company that has multiple departments with lots of computers, both mobile and workstations. System administrators use groups to limit user access to operating system features that users shouldn't modify, or to set different levels of access for the applications that are available on the company's network.

Although the correct term for the user groups that we’ll be covering in this article is local user groups, we’ll use the simple form of user groups so that the information shared below will be easier to understand.

Why does Windows have user groups?

Let’s say that, for example, you want to give your relatives the option to use your computer when they drop by for the holidays. You may want to create an account for your 5-year-old cousin, so he can play some games, one for your aunt and one for your uncle. However, you don't want to give them administrative rights, so that they don't change important settings in your operating system or gain access to your sensitive personal information.

To handle the situation in an elegant fashion, you can group all their accounts in a user group and grant them the same security privileges without having to set each account's rights individually.

User groups are an important security feature that is aimed primarily at simplifying the management of a large number of users.

The strength of user groups resides in the fact that they offer a centralized way of managing multiple user permissions without the need to configure each account separately. When a user group receives access to a certain resource, all the user accounts that are part of that group receive access to the resource in question. Note that although you can and must use a user account to log in to a Windows computer or device, you cannot use a user group to log in.

What types of user groups are found in Windows by default?

There are many types of user groups that exist, by default, on all Windows computers. Here are the most important and useful of them:

  • Administrators: the users from this group have full control of the Windows computer and everything on it, including other user accounts.
  • Backup Operators: user accounts from this group can back up and restore files on the Windows computer, regardless of the permissions of those files.
  • Guests: users from this group have temporary profiles set when they log on, which are automatically deleted when they log out.
  • Power Users: can do almost everything administrators can, including creating other user accounts or even deleting them. However, they cannot change the settings for the Administrators group.
  • Users: are the standard user accounts. They are the users who can do all the common things people do on their computers, like browsing the internet, using the apps installed, accessing the files on the computer or printing. However, standard users cannot do things like creating other user accounts, they cannot install applications on the computer, and they cannot install a printer on the computer.

There are other types of user groups found by default in Windows operating systems. If you want to know more about all of them, check this article: The geek's way of managing user accounts and groups in Windows.

Who can manage user groups?

By default, the only users who are allowed to make changes to user groups are the ones who belong to the Administrators or the Power Users groups.

In the image above, you can see that the only members of the Administrators group are the users Administrator and Codrut.

If you try to make changes to a user group while logged in with a user account that's not part of the Administrators or Power Users group, you will get the following error: “Access is denied.”

How to view the user groups that exist on your computer

You can manage existing users and user groups only from an administrator account. In other words, if you want to view and modify user groups, you must log in with a user account that is part of the Administrators user group.

Once logged in with the right account, open the Computer Management tool and use the Local Users and Groups snap-in. However, take notice of the fact that this snap-in is available only in some Windows editions: Windows 7 Professional, Ultimate and Enterprise, Windows 8.1 Pro and Enterprise, and Windows 10 Pro and Enterprise. For detailed information about this topic, read this article: The geek's way of managing user accounts and groups in Windows.

How to find the groups to which your user account belongs

The easiest way to learn which user groups your user account belongs to is through the use of the gpresult tool. First, start the Command Prompt. Then, type in gpresult /r and press Enter.

This tool displays various security details about the operating system and your user account. At the end of the list, it displays the list of the groups your user account is registered to.

To find out what user groups a user account is part of, you must run gpresult while logged in with that specific user account.
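
As an added example (not part of the original article), the PowerShell script below lists who belongs to the privileged built-in groups described earlier and which of those groups are present in your current logon session, as a scriptable complement to Local Users and Groups and gpresult /r. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module; the $expected account list is an assumption that you should replace with your own.

```powershell
# Added example (not from the original article). Run in Windows PowerShell 5.1;
# uses the LocalAccounts cmdlets and the built-in whoami tool.

# Well-known SIDs of the privileged built-in groups named in the article.
# Matching on SID works regardless of the Windows display language.
$privileged = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-551' = 'Backup Operators'
}

# ASSUMPTION: the accounts you expect to hold privileged membership.
# The two names are the Administrators members mentioned in the article.
$expected = "$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\Codrut"

# 1) Who is in each privileged local group, and is that expected?
$members = foreach ($sid in $privileged.Keys) {
    $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }            # group not present on this system
    foreach ($m in Get-LocalGroupMember -Group $group) {
        [pscustomobject]@{
            Group      = $group.Name
            Member     = $m.Name             # COMPUTER\name or DOMAIN\name
            Class      = $m.ObjectClass      # User or Group
            Source     = $m.PrincipalSource  # e.g. Local, ActiveDirectory
            Unexpected = $expected -notcontains $m.Name
        }
    }
}
$members | Sort-Object Group, Member | Format-Table -AutoSize

# 2) Which privileged groups are in the current logon session's token?
#    /nh drops the (localized) header row so the columns can be named here.
$tokenGroups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$tokenGroups |
    Where-Object { $privileged.Contains($_.SID) } |
    Format-Table Name, SID, Attributes -AutoSize
```

Rows marked Unexpected are the ones to review first. In a non-elevated session with User Account Control enabled, an administrator's token lists the Administrators group as "Group used for deny only", so the second table reflects what the session can actually use rather than plain membership.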

Conclusion

User groups are a powerful feature that can be very useful when you have computers that are used by two or more people. They save you a lot of time and effort when managing multiple user accounts and provide a centralized way of doing it. Have you worked with user groups in Windows? How useful did you find them? We would like to hear more in the comments section below.