安全性在任何数字环境中都是必不可少的,因此为了让用户更轻松地管理权限和其他用户帐户,Windows 提供了一个有用的功能,称为用户组(user groups)。虽然乍一看可能有点吓人,但这个功能并不难理解和使用,而且在管理多个帐户时可能会为您节省大量时间和精力。让我们更详细地了解一下用户组是什么,以及如何在任何装有 Windows 的计算机上利用它们来发挥自己的优势:
Windows 中的用户组是什么?
要了解Windows中的用户组是什么,您必须首先知道用户帐户是什么。(非常)简短的定义是:用户帐户是Windows用来了解您的偏好的设置的集合。它还用于控制您访问的文件和文件夹、您被允许执行的任务、您被允许使用的设备和资源等等。用户(User)帐户也是验证和接收使用Windows设备的授权的唯一方式。这个简短的定义应该是了解Windows中的用户组的良好开端。但是,如果您想了解有关用户帐户、它们是什么以及它们的用途的更多信息,请首先阅读Windows 中的用户帐户或用户名是什么(what a user account or a username is in Windows)。
Windows 10 中的用户帐户列表
为了扩展这方面的知识,在Windows操作系统中,用户组是多个用户帐户的集合,这些用户帐户共享对计算机和/或网络资源的相同访问权限并具有共同的安全权限。这就是为什么您会经常听到 IT 专业人员将用户组称为安全组(security groups)的原因。用户(User)组可以分为三种不同的类型:
- 本地组(Local groups)- 是存在于您的Windows计算机或设备上的用户组。它们是在本地定义的,可以通过本地用户和组 (lusrmgr.msc)(Local Users And Groups (lusrmgr.msc))工具进行管理。这些是家庭用户使用的用户组(user groups),也是我们将在本文中讨论的用户组。
- 安全组(Security groups)- 具有与之关联的安全描述符。安全组在带有Active Directory的(Active Directory)Windows域中使用。
- 通讯组(Distribution groups)- 用于为属于Active Directory域的用户分发电子邮件。
lusrmgr.msc 显示的用户帐户列表
安全组(Security groups)和分发组(Distribution groups)是用于业务环境和公司网络的用户组。例如,您可能会在工作场所遇到安全用户组,特别是如果您在一家拥有多个部门且拥有大量计算机(包括移动设备和工作站)的大公司工作。系统(System)管理员利用组来限制用户对操作系统功能的访问,他们不应修改或为公司网络上可用的应用程序设置不同的访问级别。
尽管我们将在本文中介绍的用户组的正确术语是本地用户组(local user groups),但我们将使用更简单的用户组(user groups)形式来使下面共享的信息更易于理解。
为什么 Windows 有用户组?
假设,例如,您想让您的亲戚在假期来访时选择使用您的计算机。你可能想为你 7 岁的表弟创建一个帐户,这样他就可以玩一些游戏,一个给你阿姨,一个给你叔叔。但是,您不想授予他们管理权限,以免他们更改操作系统中的基本设置或访问您的敏感个人信息。
为了以优雅的方式处理这种情况,您可以将他们的所有帐户分组到一个用户组中并授予他们相同的安全权限,而无需单独设置每个帐户的权限。
用户(User)组是一项重要的安全功能,主要旨在简化对大量用户的管理。阅读如何在 Windows 10 上创建新用户以及如何将用户添加到组(how to create a new user on Windows 10 and how to add a user to a group)以了解更多信息。
Windows 10 本地用户和组
用户组的优势在于它们提供了一种集中管理多个用户权限的方式,而无需单独配置每个帐户。当用户组获得对特定资源的访问权时,属于该组的所有用户帐户都会获得对相关资源的访问权。请注意,虽然您可以并且必须使用用户帐户登录到Windows计算机或设备,但您不能使用用户组登录。
在Windows(Windows)中可以找到哪些类型的用户组?
默认情况下,所有Windows(Windows)计算机上都存在多种类型的用户组。以下是Windows中最重要和最有用的默认用户组:
- 管理员(Administrators):该组的用户可以完全控制Windows计算机及其上的所有内容,包括其他用户帐户。
- 备份操作员(Backup Operators):该组的用户帐户可以备份和恢复Windows计算机上的文件,无论这些文件的权限如何。
- 访客(Guests):该组的用户在登录时设置了临时配置文件,在他们注销时会自动删除。
- 高级用户(Power Users):几乎可以做管理员可以做的所有事情,包括创建其他用户帐户,甚至删除它们。但是,他们不能更改管理员(Administrators)组的设置。这也是我们被一些人问到的一个问题的答案:哪种类型的用户组提供与Windows XP的向后兼容性?
- 用户(Users):是标准用户帐户。他们是可以执行人们在计算机上执行的所有典型操作的用户,例如浏览互联网、使用安装的应用程序、访问计算机上的文件或打印。但是,标准用户不能做诸如创建其他用户帐户之类的事情,他们不能在计算机上安装应用程序,也不能在计算机上安装打印机。
第三方软件和服务也可以创建用于各种服务的用户组。最常见的例子是虚拟化软件。例如,VMware Converter等一些(VMware Converter)VMWare产品会创建__vmware__和___vmware_conv_sa___等用户组,以及用于运行虚拟机和独立服务器作业的___VMware_Conv_SA___帐户。(___VMware_Conv_SA___)
Windows 10 中的 __vmware__ 用户组
默认情况下, Windows(Windows)操作系统中还有其他类型的用户组。如果您想了解更多关于它们的信息,请阅读如何使用 lusrmgr.msc 在 Windows 10 中管理本地用户和组(How to manage local users and groups in Windows 10 using lusrmgr.msc)。
谁可以管理用户组?
默认情况下,唯一允许对用户组进行更改的用户是属于Administrators或Power Users组的用户。在下图中,您可以看到Administrators组的唯一成员是用户Administrator和Digital Citizen。
Windows 10 中的管理员组
如果您在使用不属于Administrators(Administrators)或Power Users组的用户帐户登录时尝试对用户组进行更改,您将收到以下错误:“访问被拒绝。”(“Access is denied.”)
不允许标准用户更改用户组
如何查看计算机上存在的Windows用户组(Windows)
您只能从管理员帐户管理现有用户和用户组。换言之,如果要查看和修改用户组,则必须使用属于Administrators用户组的用户帐户登录。
使用正确的帐户登录后,打开计算机管理(open the Computer Management)工具,然后使用本地用户和组(Local Users and Groups)管理单元查看组(Groups)列表。但是,请注意,此管理单元仅在某些Windows版本中可用:Windows 7 Professional、Ultimate和Enterprise、Windows 8.1 Pro和Enterprise,以及Windows 10 Pro和Enterprise。
Windows 10 中的用户组列表
您还可以通过在PowerShell或命令提示符中运行(Command Prompt)net localgroup命令来获取计算机上所有本地组的列表。
net localgroup 命令显示所有已定义的本地用户组
如何查看您的用户帐户属于哪些Windows用户组(Windows)
了解您的用户帐户属于哪些用户组的最简单方法是使用whoami /groups 命令。打开命令提示符(Command Prompt)或PowerShell,键入whoami /groups,然后按Enter。
whoami /groups命令显示用户所属的组列表
此工具显示您的用户帐户注册到的组列表。要确定用户帐户属于哪些用户组,您必须在使用该特定用户帐户登录时运行whoami /groups
您对Windows(Windows)用户组还有其他问题吗?
用户(User)组是一项强大的功能,当您有两个或更多人使用计算机时,它会非常有用。在管理多个用户帐户时,它可以为您节省大量时间和精力,并提供一种集中的方式来执行此操作。您在Windows中使用过用户组吗?你觉得它们有多大用处?我们想在下面的评论部分听到更多信息。
What is a Windows user group, and what does it do? -
Seсurity is essential in any digital environment, so tо make it easier for users to manage permissions and other user aсcounts, Windows offers a uѕeful feature callеd user groups. Although it may seem a bit intimidating at first, this feature is not that hard to understand and use, and it might just save you a lot of time and energy when managing multiple accounts. Let's get into some more detail and see what user groups are and how you can use them to your advantage on any computer with Windows:
What is a user group in Windows?
To understand what a user group from Windows is, you must first know what a user account is. The (very) short definition is this: a user account is a collection of settings used by Windows to understand your preferences. It’s also used to control the files and folders you access, the tasks you are allowed to perform, the devices and resources you are allowed to use, and so on. User accounts are also the only way of authenticating and receiving the authorization to use your Windows device. This brief definition should be a good start for understanding what user groups are in Windows. However, if you want more information about user accounts, what they are, and what are they useful for, first read about what a user account or a username is in Windows.
List of user accounts in Windows 10
To expand on this knowledge, in Windows operating systems, a user group is a collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights. This is why you will often hear IT professionals refer to user groups as security groups. User groups can be categorized into three different types:
- Local groups - are the user groups that exist on your Windows computer or device. They are defined locally and can be managed from the Local Users And Groups (lusrmgr.msc) tool. These are the user groups that home users work with and the ones that we’re going to talk about in this article.
- Security groups - have security descriptors associated with them. Security groups are used in Windows domains with Active Directory.
- Distribution groups - are useful for distributing emails for users that belong to domains with Active Directory.
List of user accounts shown by lusrmgr.msc
The Security groups and the Distribution groups are user groups that are used in business environments and company networks. For instance, you can encounter security user groups at your workplace, especially if you're working in a big company that has multiple departments with lots of computers, both mobile and workstations. System administrators utilize groups to limit user access to features of the operating system, which they shouldn't modify or set different levels of access for the applications that are available on the company's network.
Although the correct term for the user groups that we’ll be covering in this article is local user groups, we’ll use the simpler form of user groups to make the information shared below easier to understand.
Why does Windows have user groups?
Let’s say that, for example, you want to give your relatives the option to use your computer when they drop by for the holidays. You may want to create an account for your 7-year-old cousin, so he can play some games, one for your aunt, and one for your uncle. However, you don't want to give them administrative rights, so that they don't change essential settings in your operating system or gain access to your sensitive personal information.
To handle the situation in an elegant fashion, you can group all their accounts in a user group and grant them the same security privileges without having to set each account's rights individually.
User groups are an essential security feature that is aimed primarily at simplifying the management of large numbers of users. Read how to create a new user on Windows 10 and how to add a user to a group for further information.
Windows 10 Local Users and Groups
The strength of user groups resides in the fact that they offer a centralized way of managing multiple user permissions without the need to configure each account separately. When a user group receives access to a particular resource, all the user accounts that are part of that group receive access to the resource in question. Note that although you can and must use a user account to log in to a Windows computer or device, you cannot use a user group to log in.
What types of user groups are found in Windows?
There are many types of user groups that exist, by default, on all Windows computers. Here are the most important and useful default user groups in Windows:
- Administrators: the users from this group have full control of the Windows computer and everything on it, including other user accounts.
- Backup Operators: user accounts from this group can back up and restore files on the Windows computer, regardless of those files’ permissions.
- Guests: users from this group have temporary profiles set when they log on, which are automatically deleted when they log out.
- Power Users: can do almost everything administrators can, including creating other user accounts or even deleting them. However, they cannot change the settings for the Administrators group. This is also the answer to a question we were asked by some people: which type of user group provides backward compatibility with Windows XP?
- Users: are the standard user accounts. They are the users who can do all the typical things people do on their computers, like browsing the internet, using the apps installed, accessing the files on the computer, or printing. However, standard users cannot do things like creating other user accounts, they cannot install applications on the computer, and they cannot install a printer on the computer.
Third-party software and services can also create user groups used for various services. The most common example is virtualization software. For example, some VMWare products such as VMware Converter create user groups like __vmware__ and ___vmware_conv_sa___, as well as ___VMware_Conv_SA___ accounts, which are used to run virtual machines and standalone server jobs.
__vmware__ user group in Windows 10
There are other types of user groups found by default in Windows operating systems. If you want to know more about all of them, read How to manage local users and groups in Windows 10 using lusrmgr.msc.
Who can manage user groups?
By default, the only users who are allowed to make changes to user groups are the ones who belong to the Administrators or the Power Users groups. In the image below, you can see that the only members of the Administrators group are the users Administrator and Digital Citizen.
Administrators group in Windows 10
If you try to make changes to a user group while logged in with a user account that's not part of the Administrators or Power Users group, you will get the following error: “Access is denied.”
Standard users aren't allowed to make user group changes
How to see the Windows user groups that exist on your computer
You can manage existing users and user groups only from an administrator account. In other words, if you want to view and modify user groups, you must log in with a user account that is part of the Administrators user group.
Once logged in with the right account, open the Computer Management tool, and use the Local Users and Groups snap-in to see the list of Groups. However, take notice of the fact that this snap-in is available only in some Windows editions: Windows 7 Professional, Ultimate and Enterprise, Windows 8.1 Pro and Enterprise, and Windows 10 Pro and Enterprise.
List of user groups in Windows 10
You can also get a list of all the local groups on your computer by running the net localgroup command in PowerShell or Command Prompt.
The net localgroup command shows all the defined local user groups
How to see which Windows user groups your user account belongs to
The easiest way to learn which user groups your user account belongs to is through the use of the whoami /groups command. Open Command Prompt or PowerShell, type whoami /groups, and press Enter.
The whoami /groups command shows the list of groups a user belongs to
This tool shows the list of the groups your user account is registered to. To determine what user groups a user account is part of, you must run whoami /groups while logged in with that specific user account.
Do you have any other questions about Windows user groups?
User groups are a powerful feature that can be very useful when you have computers used by two or more people. It saves you a lot of time and effort when managing multiple user accounts and provides a centralized way of doing it. Have you worked with user groups in Windows? How useful did you find them? We would like to hear more in the comments section below.
