What Is Local Users and Groups in Operating Systems?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Local Users and Groups is a tool built into Windows (except Home editions) that helps you control who can use a computer and what they are allowed to do. You can add new users, reset passwords, and put users into groups like Administrators or Users. Groups make it easier to give the same permissions to many people at once, rather than setting up each person individually.
Commonly Confused With
Active Directory Users and Computers (ADUC) is a tool for managing user accounts, groups, and computers across an entire domain network. It stores data in a central database on domain controllers, while Local Users and Groups only manages accounts on one specific machine. ADUC requires a domain environment, whereas Local Users and Groups works on any Windows Professional or higher edition.
If you need to create a user account that can log into any computer in the company, you use Active Directory. If you need a backup admin account only for a single laptop, you use Local Users and Groups.
Group Policy Management Console (GPMC) is used to create and manage Group Policy Objects (GPOs) that apply settings to many computers and users in a domain. Local Users and Groups only manages accounts and group memberships on one machine. GPMC can enforce password policies, desktop restrictions, and software installations across an organization, while Local Users and Groups is for direct, local changes.
To make all users in the sales department have a custom desktop wallpaper, you use Group Policy. To add a single emergency local admin account to one computer, you use Local Users and Groups.
Computer Management is a larger console that includes many tools, one of which is Local Users and Groups. Other tools inside Computer Management include Disk Management, Device Manager, Event Viewer, and Services. Local Users and Groups is a subset of Computer Management, focused specifically on user and group administration.
If you want to check disk partitions, you open Computer Management and select Disk Management. If you only want to manage user accounts, you can launch Local Users and Groups directly with lusrmgr.msc.
The User Accounts Control Panel (accessible via Control Panel or Settings) provides a simplified interface for basic user management, like creating new users, changing account types (Admin vs. Standard), and managing passwords. It does not show all built-in groups, nor does it allow fine-grained group membership control like adding a user to Backup Operators. Local Users and Groups is more powerful and detailed.
To quickly create a new standard user for a family member, the Control Panel is sufficient. To add a user to the 'Remote Desktop Users' group so they can connect remotely, you must use Local Users and Groups.
Must Know for Exams
For general IT certification exams like CompTIA A+, CompTIA Network+, and CompTIA Security+, as well as Microsoft role-based certifications (such as MD-100: Windows Client), Local Users and Groups is a recurring objective. In CompTIA A+ (Core 2), exam objective 2.1 covers "Identify common features and tools of the Windows operating system," which specifically mentions Local Users and Groups (lusrmgr.msc). Similarly, Security+ (SY0-601) objective 3.2 discusses user account controls and the principle of least privilege, which is directly implemented through proper group membership in Local Users and Groups.
Exam questions about Local Users and Groups typically fall into three categories. The first category is identification: you might be asked which tool is used to manage local user accounts in Windows, or what the correct MMC snap-in name is. The second category is configuration: given a scenario where a user needs certain permissions (e.g., ability to install printers but not change system time), you must decide which local group to add them to. The third category is troubleshooting: for example, if a user cannot log on because their account is disabled or locked out, you need to know how to fix it using this tool.
In Microsoft exams, such as MD-100, you may encounter questions about the difference between local users and domain users, or about how to configure password policies that affect local accounts. You might also be asked about the default permissions of built-in groups like Backup Operators, which can bypass file permissions for backup purposes. Understanding the relationship between local groups and user rights assignments (like "Log on locally" or "Shut down the system") is also tested.
For Security+, exam questions often present a scenario where an IT administrator needs to enforce the principle of least privilege. You might be asked which group a help desk employee should belong to (usually not Administrators, but perhaps a custom group or Power Users if available). You might need to know that the Guest account is disabled by default for security reasons, and that the Administrator account cannot be deleted but should be renamed and disabled in high-security environments.
Overall, exam-takers should memorize the names of built-in groups and their core privileges, understand that membership in the Administrators group grants full system control, and be comfortable navigating the Local Users and Groups interface or using the related command-line tools (net user, net localgroup).
Simple Meaning
Imagine you have a shared family computer at home. Instead of letting everyone use the same account, you can create a separate account for each person: one for you, one for your partner, one for each child. Now you want to make sure the kids cannot install new software or change important settings. You could try to set restrictions for each child one by one, but that would take a long time and you might miss something.
Local Users and Groups is like having a control panel that lets you create those accounts quickly and then put them into groups. Think of groups as labeled bins. One bin is called "Administrators." Anyone inside that bin can do anything on the computer, like install programs, change system settings, and access all files. Another bin is called "Users." People in that bin can only do basic things like run already-installed programs and use their own files. A third bin might be "Guests," which gives very limited access, like allowing a visitor to browse the internet but not save anything.
Once you put a child account into the "Users" bin, that child automatically gets all the restrictions that come with being a standard user. You do not have to set each permission manually. If you later need to give a child more freedom, you just move them to a different group, or you can create a custom group with exactly the permissions you want. This makes managing many users on one computer very efficient and much less error prone than doing everything by hand.
In IT, this same idea is used for office computers, lab machines, or kiosks. Instead of managing each account alone, administrators use Local Users and Groups to set up accounts and assign group memberships, so the right people have the right access without extra effort.
Full Technical Definition
Local Users and Groups (lusrmgr.msc) is a Microsoft Management Console (MMC) snap-in available in Windows Professional, Enterprise, and Education editions. It provides a graphical interface for managing security principals (user accounts and groups) stored in the local Security Accounts Manager (SAM) database on a standalone or domain-joined computer. The SAM database is a registry hive located at HKLM\SAM and contains hashed passwords (LM hash, NTLM hash) and security identifiers (SIDs) for each local account.
User accounts in Local Users and Groups are represented by a unique SID, a username, a full name, a description, and password attributes such as "Password never expires" or "User must change password at next logon." The tool allows creation of three built-in user accounts: Administrator (the default elevated account), Guest (disabled by default), and the DefaultAccount (used internally). Administrators can also create custom local users for service accounts or temporary staff. Each user account can be enabled, disabled, locked out, or have its password reset without knowing the old password.
Local groups are collections of user accounts or other groups (nesting) that simplify permission assignment. Built-in local groups include Administrators (full system control), Users (standard rights), Guests (limited rights), Backup Operators (can override file permissions for backup), Remote Desktop Users (allowed to connect via RDP), and Performance Log Users (can manage performance counters). When a local user is added to a group, that user inherits all the privileges and permissions assigned to that group via security policies and file system access control lists (ACLs).
In domain environments, Local Users and Groups still manage local accounts, but administrators often rely on Group Policy or domain accounts instead. However, local accounts remain important for break-glass scenarios (emergency local admin access), service accounts, or computers not joined to a domain, such as in workgroup settings. The tool also exposes account lockout policies (after failed logon attempts) and password policies through the local security policy (secpol.msc), which is separate but closely related.
For IT professionals, understanding Local Users and Groups is fundamental for security auditing, incident response, and compliance. Misconfigurations here can lead to privilege escalation (e.g., accidentally adding a standard user to the Administrators group) or denial of service (e.g., disabling the only admin account). The tool is often used in combination with the command-line utilities "net user" and "net localgroup" for scripting and remote administration.
Real-Life Example
Think of a co-working space that has one shared printer, a conference room, and a kitchen. The co-working space manager wants to make sure members can print documents, book the conference room, and use the microwave, but they should not be able to reprogram the printer's network settings or change the lock code on the conference room door.
In this real-world scenario, the manager could give each member a keycard. But if every member had the same master keycard, anyone could accidentally (or intentionally) mess with the printer settings or change the door lock code. So the manager decides to issue different levels of keycards. A "member" keycard only opens the front door and the kitchen. A "power user" keycard also opens the printer room and allows basic use of the printer. An "admin" keycard opens everything, including the utility closet where the router and printer control panel are kept.
Now, if the manager wanted to give a new member access, they would not have to go and reprogram every door and device individually. They would just issue a standard member keycard, which is pre-programmed to work with only certain locks. This is exactly how Local Users and Groups works on a computer. The computer is like the co-working space. The local user accounts are like keycards for each person. The local groups (Users, Administrators, etc.) are like the predefined access levels. When you add a person to the "Users" group, they automatically get the permissions that come with that group, just like issuing a member keycard grants access to the front door and kitchen only. If you later move that person to the "Administrators" group, they suddenly get full access to everything, including system settings and all files, similar to giving them the master keycard that opens the utility closet.
Why This Term Matters
In an IT environment, controlling who can access a computer and what they can do is a fundamental security requirement. Local Users and Groups gives administrators a straightforward, built-in way to enforce the principle of least privilege, meaning each user gets only the minimum permissions they need to do their job. Without this tool, every user might run as an administrator, which is a major security risk because malware or a careless action could damage the entire system.
For help desk technicians, knowing how to use Local Users and Groups is essential for everyday tasks like resetting a forgotten password, unlocking a locked-out account, or creating a new account for a temporary contractor. It is faster than using command-line alternatives for simple tasks, and it provides a clear visual overview of all accounts and group memberships on a machine.
From a compliance standpoint, regulations like HIPAA, PCI-DSS, or GDPR often require organizations to log and control access to sensitive systems. Local Users and Groups is part of the solution because it allows admins to set up separate accounts for each user, making it possible to audit who did what. When combined with audit policies, you can track exactly which user account was used to install software or access a protected file.
Even in larger networks with Active Directory, local accounts remain important. If a domain controller fails or a computer loses network connectivity, local administrator accounts are the only way to log in and fix issues. Also, service accounts that run background processes are often set up as local users to limit their privileges. Therefore, understanding Local Users and Groups is not just a beginner topic; it is a recurring concept that appears in troubleshooting, security hardening, and system configuration throughout an IT career.
How It Appears in Exam Questions
Exam questions often present a scenario where a user reports a problem, and you must identify the cause and solution using Local Users and Groups. For example, a user named Sarah cannot log into her Windows 10 computer because she typed the wrong password too many times. The question might ask: "Which tool would you use to unlock her account?" The correct answer is Local Users and Groups (lusrmgr.msc), where you would find her account, uncheck "Account is locked out," and click OK.
Another common pattern involves group membership. A question might say: "A junior IT staff member needs to install printer drivers and manage local user accounts, but should not be able to modify system files or change network settings. Which group should you add them to?" The answer would be the Administrators group? No, that gives too much power. Instead, the correct group might be Power Users (if available) or a custom group with specific permissions. However, many modern exams focus on the fact that Power Users is deprecated, so you might need to consider using the standard Users group with additional rights or a custom group.
Configuration questions also appear. For instance: "You are setting up a computer in a school library. Students should only be able to run pre-installed applications and save files to their own folders. Which group should student accounts belong to?" The answer is the Users group. If a question adds that a student needs to be able to change the system time, you would know that the Users group cannot do that, so you might need to assign specific user rights via local policy instead of changing group membership.
Troubleshooting questions often involve the Administrator account. A classic exam trap is: "A user reports they cannot run a legacy application as a standard user. The IT admin gave them the local Administrator password. Why is this a bad idea?" The correct answer relates to security and the principle of least privilege. A better solution would be to use Run as Administrator or to configure the application's shortcut to run with elevated privileges, rather than giving the user full admin rights.
Finally, some questions test your knowledge of default settings. For example: "Which local user account is disabled by default in Windows?" The answer is Guest. Or: "What happens if you delete the Administrator account?" You cannot delete it; you can only disable it. Knowing these details is critical for multiple-choice questions that try to trick you with plausible-sounding wrong answers.
Practise Local Users and Groups Questions
Test your understanding with exam-style practice questions.
Example Scenario
A small company called "Bright Ideas Design" has five employees sharing one Windows 10 workstation in the office. The computer is used for graphic design software, accounting spreadsheets, and web browsing. The manager, Lisa, wants to give each employee their own login so that their files and settings stay separate, and she does not want anyone to accidentally install unauthorized software or delete important system files.
Lisa opens the Local Users and Groups tool by typing lusrmgr.msc in the Run dialog. She creates five new local user accounts: Lisa, Mark, Jenna, Tom, and Priya. She sets a temporary password for each and checks the box "User must change password at next logon" so each person chooses their own password later. She also sets each account to never expire.
Now Lisa needs to decide permissions. She is the manager and also handles software updates, so she adds her own account to the Administrators group. For Mark and Jenna (designers), she wants them to be able to install certain plugins but not change system settings, so she adds them to the Users group only. For Tom (intern) and Priya (accountant), she adds them to the Users group as well, but she restricts them further by using the local security policy to prevent them from accessing the Control Panel or running specific executables.
A few weeks later, Tom forgets his password and gets locked out after multiple failed attempts. Lisa opens lusrmgr.msc, locates Tom's account, clears the "Account is locked out" checkbox, and resets his password. Everything works again without needing to reinstall or call for external help.
This scenario shows how Local Users and Groups provides a central place to manage all user accounts on a single computer, enforce security, and quickly fix common login issues. It also illustrates how proper group membership (Users vs. Administrators) prevents accidental damage while still allowing productive work.
Common Mistakes
Adding every user to the Administrators group to avoid permission errors.
This violates the principle of least privilege and exposes the system to malware, accidental deletions, and unauthorized changes. Any user in the Administrators group can modify system files, install software, and access all data, which is unnecessary for most workers.
Add users only to the Users group unless they explicitly need administrative privileges. If a specific task requires elevation, teach them to use Run as administrator or configure the application accordingly.
Assuming that deleting a user account also removes all their files and registry settings.
When you delete a user account in Local Users and Groups, Windows asks if you want to delete the user's files as well. If you choose not to, leftover files in C:\Users\<username> and orphaned registry keys remain, which can clutter the system and cause security issues.
Before deleting a user, decide whether to preserve or remove their data. Use the option to delete files if appropriate, or manually back up important data first. Afterwards, check for any leftover profiles in System Properties > Advanced > User Profiles.
Thinking that the Guest account is safe to enable because only guests will use it.
The Guest account has very limited privileges, but it is well-known and often targeted by attackers because it has a blank password by default. Enabling it without strong restrictions can allow unauthorized access to the system.
Instead of enabling the Guest account, create a separate local user account for each temporary worker with a strong password and appropriate group membership. Disable the Guest account and do not set a blank password.
Confusing local users with domain users and assuming local groups apply across the network.
Local users and groups exist only on the specific computer where they are created. They cannot be used to log into other computers on the network or access shared resources that require domain authentication.
Remember that local accounts are machine-specific. For network-wide user management, use Active Directory or Azure AD. Use local accounts only for individual workstation administration, emergency access, or computers not joined to a domain.
Resetting a user's password without the 'User must change password at next logon' option and causing confusion.
When an administrator resets a user's password, the user may not know the new password or may want to set their own. If you do not force a password change at next logon, the user is stuck with the password you assigned, which may be weak or hard to remember.
After resetting a password, always check the box 'User must change password at next logon' so the user can choose a new, private password during their next login attempt.
Exam Trap — Don't Get Fooled
{"trap":"You find that a user is a member of the Administrators group, but they still cannot perform a specific administrative task, such as installing a printer driver. The question asks: Why is the user still unable to perform the task?","why_learners_choose_it":"Many learners assume that membership in the Administrators group grants unrestricted access to all system operations immediately.
They forget that Windows User Account Control (UAC) requires explicit elevation, even for administrators. The user might be running with a filtered token if the admin account has UAC enabled, or the specific printer driver might require additional permissions that are only available when running as SYSTEM.","how_to_avoid_it":"Remember that in modern Windows, administrators run with two tokens: a filtered token (standard user) for day-to-day tasks and an elevated token (full admin) only when they approve a UAC prompt.
If the user is not clicking 'Yes' on the UAC prompt, or if the application is not designed to request elevation, the task will fail. Also, some operations, like installing certain kernel-mode drivers, require the TrustedInstaller or SYSTEM account, not just admin rights. Always verify whether the user is running with an elevated token."
Step-by-Step Breakdown
Open Local Users and Groups
Press Win + R, type lusrmgr.msc, and press Enter. On systems without the MMC snap-in, you can use Computer Management (compmgmt.msc) and navigate to System Tools > Local Users and Groups. This step launches the console where all local account management happens.
Create a new user account
In the left pane, click on 'Users.' Then right-click an empty area in the middle pane and select 'New User.' Fill in the username, full name, description, and set a password. You can also set options like 'User must change password at next logon' or 'Password never expires.' Click 'Create' to add the account to the SAM database.
Configure user account properties
Double-click the newly created user to open properties. Here you can add the user to groups via the 'Member Of' tab. You can also set account options (like disabling the account, setting account expiry, or enabling dial-in permissions). These properties define the user's behavior and access rights on the machine.
Add the user to a local group
In the user properties, go to the 'Member Of' tab, click 'Add,' type the group name (e.g., Administrators, Users, Remote Desktop Users), and click 'Check Names' to verify. Click OK. The user now inherits all permissions and privileges assigned to that group. This is the core mechanism for granting permissions efficiently.
Manage group memberships via the Groups folder
Alternatively, click on 'Groups' in the left pane. Double-click a group (e.g., Administrators). Click 'Add' to add users or other groups. This view shows all current members of that group. This method is useful when you want to see at a glance who has access to a specific privilege set, such as who can back up files.
Verify and test the account
Log off or use 'Run as different user' to test the new account. Confirm that the user can log in, that password change works (if required), and that group-based permissions (e.g., ability to install software or access certain folders) behave as expected. If something is wrong, go back to the user or group properties to adjust.
Practical Mini-Lesson
Local Users and Groups is not just a tool for creating accounts; it is the foundation of local access control on Windows. In practice, IT professionals use it to enforce security policies, set up service accounts for applications, and provide emergency access paths. Understanding the SAM database and how accounts are stored is useful, but for day-to-day administration, the graphical interface is sufficient.
One key practical scenario is setting up a computer for a kiosk or public-facing role. You would create a local user account with minimal privileges, add it only to the Users group, and then configure the machine to auto-logon with that account. This ensures that even if the kiosk is compromised, the attacker has very limited power. You would also create a separate, hidden local administrator account with a strong, documented password that only the IT team knows. That admin account is only used for maintenance, not for daily operations.
Another common task is resetting the local administrator password on a machine that has lost connectivity to the domain. If a domain controller is unreachable, you cannot log in with domain credentials. Having a known local admin password (or using tools like the built-in Windows recovery environment) is critical. Many organizations use Local Users and Groups to maintain a 'break glass' account that is disabled normally, but can be enabled in emergencies.
What can go wrong? The most frequent issue is accidentally locking out the only admin account. If you disable or lock out all administrator-level accounts, you might not be able to log into the machine at all. In that case, you would need to use a password reset disk, boot from a recovery drive, or use safe mode with command prompt to reset the password. Another problem is creating a user with the same name as a domain user, which can cause confusion when logging in (you might accidentally log into the local account instead of the domain account). Always prefix local accounts with the computer name or label them clearly.
For automation, IT professionals use the 'net user' and 'net localgroup' commands. For example, 'net user jdoe P@ssw0rd /add' creates a local user, and 'net localgroup Administrators jdoe /add' adds them to the admin group. These commands are useful in scripts that set up many machines identically, or in remote PowerShell sessions. Understanding both the GUI and CLI approaches makes you versatile.
Finally, security best practices say to rename the default Administrator account, disable it, and create a new custom admin account with a non-obvious name. This prevents attackers from easily guessing the admin username. You should also enforce password complexity and lockout policies for local accounts via the local security policy (secpol.msc). Regularly audit group memberships to ensure no unauthorized users have been added to the Administrators or Backup Operators groups.
Memory Tip
Remember LUSRMGR: Local Users and Snap-in for Rights Management via the Microsoft Management Console. For built-in groups, think AUBG: Administrators (full), Users (basic), Backup Operators (file override), Guests (limited).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1102CompTIA A+ Core 2 →XK0-006CompTIA Linux+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Can I use Local Users and Groups on Windows 10 Home edition?
No, the Local Users and Groups MMC snap-in (lusrmgr.msc) is not available on Windows Home editions. You can still manage users through the Settings app or command-line tools like net user, but the full functionality is limited.
How do I reset a local administrator password if I am locked out?
You can boot into Windows Recovery Environment, open Command Prompt from Troubleshoot options, and use net user command to set a new password. Alternatively, use a third-party password reset disk or a bootable recovery tool.
What is the difference between a local user and a domain user?
A local user account exists only on one computer and is stored in that computer's SAM database. A domain user account is stored on a domain controller and can be used to log into any computer joined to that domain (with proper permissions).
What happens if I delete the built-in Administrator account?
You cannot delete the built-in Administrator account. You can only disable it. Windows protects this account because it is needed for recovery scenarios even when no other admin accounts exist.
How do I add a user to the Remote Desktop Users group?
Open Local Users and Groups, click on Groups, double-click 'Remote Desktop Users,' click Add, enter the username, click Check Names, then OK. The user can now connect via Remote Desktop if the service is enabled.
Why is the Guest account disabled by default?
For security reasons. The Guest account has a blank password and limited permissions, but enabling it can provide an entry point for unauthorized users. Microsoft disables it by default to reduce the attack surface.
Can I use Local Users and Groups to manage accounts on a remote computer?
Directly, no. However, you can connect to a remote computer's Computer Management console (compmgmt.msc) and navigate to Local Users and Groups on that remote machine if you have administrative credentials and the necessary firewall ports are open (RPC).
Summary
Local Users and Groups is an essential Windows administration tool that provides centralized management of user accounts and security groups on a single computer. It allows IT professionals to create, modify, disable, and delete local accounts, as well as assign them to built-in groups like Administrators, Users, Backup Operators, and Remote Desktop Users. This group-based approach streamlines permission management and enforces the principle of least privilege, which is a cornerstone of system security.
In practice, this tool is used for everything from setting up a shared workstation in a small office to creating emergency admin accounts for enterprise laptops. For IT certification exams such as CompTIA A+, Security+, and Microsoft MD-100, understanding how to navigate lusrmgr.msc and knowing the default permissions of built-in groups is frequently tested. Common exam traps include confusing local accounts with domain accounts, overprivileging users by adding them to Administrators, and misunderstanding the role of UAC.
Mastering Local Users and Groups is not just about passing exams. It directly translates to real-world skills in system administration, security auditing, and troubleshooting. Whether you are resetting a locked-out user's password, setting up a kiosk, or ensuring compliance with security policies, this tool is your go-to solution for local identity and access management on Windows.