Most people edit Windows 10 user accounts from the Settings app or the User Accounts section found in the Control Panel. However, there’s another way that gives you access to much more detailed information about the users and groups on your PC and the permissions they have. We’re talking about managing Local Users and Groups using the snap-in console that bears the same name. You can access it from Computer Management or by running its lusrmgr.msc file directly. Here’s how to see and manage all the local users and groups on your Windows 10 PC:
IMPORTANT: Local Users and Groups (lusrmgr.msc) is available only in Windows 10 Pro and Enterprise. It’s not found in Windows 10 Home.
In Windows 10, the Local Users and Groups snap-in, also known as lusrmgr.msc, offers the best way to see all the users and groups configured on the system. This tool shows you the “visible” user accounts, as well as all the hidden user accounts and groups that are available on the system but are disabled by default, such as the Administrator account. Here’s how:
Open Computer Management - a quick way to do it is to simultaneously press Win + X on your keyboard and select Computer Management from the menu.
In Computer Management, select “Local Users and Groups” on the left panel.
An alternative way to open Local Users and Groups is to run the lusrmgr.msc command. You can do it from the Run window (Win + R), Command Prompt, or PowerShell.
Running the lusrmgr.msc command opens the Local Users and Groups console directly, without loading it in Computer Management.
Regardless of how you chose to open Local Users and Groups (lusrmgr.msc), this is where you find all the user accounts and groups that are configured on your Windows 10 computer or device, split into two folders: Users and Groups.
In the Users folder, you see all the user accounts available on your Windows 10 PC, including accounts that are hidden or disabled.
What are the user accounts found on every Windows 10 computer? There are not as many as you might think. You have:
- All the user accounts you have created on your Windows 10 PC
- Administrator - a built-in account created by Windows 10 even if you use it or not, made by the operating system for administration purposes
- DefaultAccount - a user account that’s managed by Windows 10
- Guest - another built-in account that can be used for guest access on the computer or domain
- WDAGUtilityAccount - managed and used by the Windows Defender antivirus in Windows 10 for running certain processes (like the Microsoft Edge browser) in sandboxed/virtualized environments.
TIP: You can also view a list of all user accounts with PowerShell or Command Prompt. Find out how to do that by reading this tutorial: How to see all the user accounts that exist on your Windows PC or device.
As you might have noticed, some of the user accounts shown by Local Users and Groups have a small arrow on their icons. The little arrow signals that a user account is disabled and thus can’t be used, even if it is available on your Windows 10 computer.
Double-clicking or double-tapping on a user account opens a Properties window that displays more information about it and different customization options. For instance, you can set its password to expire, disable the account, or change the user groups to which it belongs. If you want detailed information about every option available, we covered them in the second part of this tutorial: Create new Windows user accounts and groups, like an IT Pro.
Going back to the Local Users and Groups console (lusrmgr.msc), in the Groups folder, you get to see all the user groups available on your Windows 10 computer. The list is long and includes user groups that were created both by Windows 10 and third parties, such as drivers or virtualization software, which need hidden users and groups to function correctly.
On most Windows 10 PCs, you should have at least the following groups:
- Access Control Assistance Operators - members of this group can run remote queries for authorization attributes and permissions on your Windows 10 computer. This group is used on computers that are part of domains, so it’s mainly useful for network administrators in large companies.
- Administrators – it includes all the user accounts with administrative permissions on your computer. The Administrators group can’t be deleted or renamed.
- Backup Operators – user accounts with permissions to perform backup and restore operations, using tools like Backup and Restore.
- Cryptographic Operators – user accounts with permissions to encrypt or decrypt data, using tools such as BitLocker.
- Device Owners - Windows 10 says that the members of this group can change system-wide settings. However, as far as we know, this group is not currently used in Windows 10.
- Distributed COM Objects – this user group is harder to explain. It is used mostly for user accounts that need to participate in more complex scenarios, such as distributed computing across computers on a network. Therefore it is used in business environments.
- Event Log Readers – this group gives permissions to its members to read Windows 10 event logs that show what is happening on the system.
- Guests – are regular user accounts that cannot perform any administrative tasks on your computer. They can be used only for light computing activities such as browsing the internet or running the installed applications. They are not able to perform any modifications to the system’s configuration, to access or modify another user’s data, etc.
- Hyper-V Administrators - gives its members unrestricted access to all the features available in Hyper-V.
- IIS_IUSRS – this group is used only by the Internet Information Services you may choose to install using the Windows Features panel.
- Network Configuration Operators – this group gives its users permission to configure networking features in Windows 10.
- Performance Log Users & Performance Monitor Users – members are given permissions to perform advanced logging in Windows 10 and collect performance data.
- Power Users – this user group was used in older versions of Windows to provide limited administrative permissions to specific user accounts. It is still present in Windows 10 but only to provide backward compatibility for old legacy applications.
- Remote Desktop Users – this user group provides its members with permissions to logon remotely to the computer via the Remote Desktop.
- Replicator – this user group is used in network domains, and it gives its members the permissions required to do file replication across the domains.
- System Managed Accounts Group - the Windows 10 operating system manages the members of this group.
- Users – it includes the standard user accounts defined on your Windows 10 computer or device. Its members do not have administrative permissions. They can only run installed applications and cannot make system changes that affect other users.
On your computer, you might find other groups installed by Windows 10 features, drivers, or third-party applications.
Double-clicking or double-tapping on a user group opens a properties window that displays more information about it and several options. For step-by-step guidance on how to work with the available options, read the last part of this tutorial: Create new Windows user accounts and groups like an IT Pro.
What’s great about user groups is that you can use them to give additional permissions to standard user accounts. For example, if you create a user account that is a member of Users but not Administrators, that user can’t connect remotely to the computer. If you make that user account a member of Remote Desktop Users, it can connect remotely. This principle applies to all user groups. Add a user account as a member, and it receives both the permissions and restrictions of that user group.
NOTE: If you look at all the user groups listed on your Windows 10 computer or device, you will likely notice that the user accounts defined as administrators are not also listed as members of the other groups. That’s because administrators already have permission to do everything on your Windows 10 computer, so they don’t need to be part of a special group to inherit its permissions.
You may feel the urge to delete some of the standard user accounts and groups found on your Windows 10 PC. If you try to do something like that, you should get a warning from Windows 10 about the likely issues that will arise. For example, this is what you see if you try to delete the Administrator account:
Deleting or changing standard user accounts and groups from Windows 10 can make apps and system features to malfunction. Understanding all the connections between standard user accounts, user groups, and Windows 10 features is difficult. One minor change can have unexpected effects on many features and may deteriorate your computing experience, so our strong recommendation is “Don’t touch the standard users and groups from Windows 10!”
We hope you have enjoyed this tutorial. If you have anything to add to our guide, or if you have questions about managing user accounts and groups with lusrmgr.msc, let us know in the comments below.