Users, Groups and Permissions
A+ Core 2 — 220-1102 | Domain 1.6 & 4.6
Local accounts, built-in groups, NTFS permission inheritance, and UAC — the access control foundation every A+ technician must master.
19 slides | Accounts • NTFS • UAC • Least Privilege | Exam 220-1102
Slide 2 of 19
Local User Accounts
Accounts stored in the local Security Account Manager (SAM) database.
Administrator
Built-in account with unrestricted access to the system. Disabled by default in Windows 10/11. Elevated tasks use a standard account + UAC elevation or a named local admin account instead.
Standard User
Default for new accounts. Can run applications and change personal settings. Cannot install software system-wide, modify system files, or change network configuration without elevation. Correct default for daily use.
Guest
Disabled by default. Provides minimal access for temporary users. No password required. Cannot install software, change settings, or view other users' files. Enabling Guest is a security risk on most systems.
Management Paths
GUI: Control Panel > User Accounts, or Settings > Accounts. Command line: net user, net localgroup. Advanced: lusrmgr.msc (Local Users and Groups MMC snap-in — Pro and above only).
Slide 3 of 19
Built-In Local Groups
Windows ships with predefined groups that grant specific capabilities by membership.
Group | Capabilities | Exam Note
Administrators | Full system control, install/remove software, manage all users and groups | Most powerful local group
Users | Run applications, use network resources, save files in personal folders | Default group for new accounts
Power Users | Legacy group; limited admin rights (legacy compatibility only) | Deprecated since Windows Vista; carries no special rights by default in Windows 10/11
Backup Operators | Back up and restore files regardless of permissions, log on locally | Bypass NTFS perms for backup (SeBackupPrivilege / SeRestorePrivilege); treat membership as admin-equivalent, since it can read any file, including registry hives
Remote Desktop Users | Log on via RDP without being a local admin | Delegate RDP without elevation
Network Configuration Operators | Modify TCP/IP settings, rename connections | No full admin needed for net config
A help desk tech needs to connect via RDP to a workstation without being a local admin. The correct fix: add their account to the Remote Desktop Users group. Do not add them to Administrators — that violates least privilege.
Slide 4 of 19
User → Group → Permission Flow
Users inherit permissions from every group they belong to. Groups are assigned permissions.
[Diagram] USERS (alice, bob, carol, dave) -> GROUPS (Administrators, Users, Remote Desktop Users) -> PERMISSIONS (Full Control, Read & Execute, Modify, RDP Connect). Left arrows: group membership; right arrows: permission assignment.
Slide 5 of 19
NTFS Permissions
File system-level access control enforced by Windows on NTFS volumes.
Permission | Files: What It Allows | Folders: What It Allows
Full Control | Read, write, execute, delete, change permissions, take ownership | All file permissions + delete subfolders and files
Modify | Read, write, execute, delete the file | Create and delete files and subfolders, plus everything Read & Execute grants
Read & Execute | View and run the file | List folder contents, navigate subfolders
List Folder Contents | N/A (folders only) | View file and folder names only; inherited by subfolders but not by files
Read | View and copy the file, read its attributes and permissions | View file and folder names, attributes and permissions
Write | Write data to and append to the file, change its attributes (does not by itself grant read or delete) | Create files and subfolders, write folder attributes
Cumulative Permissions Rule
When a user belongs to multiple groups, their effective permissions are the cumulative union (most permissive combination) of all group permissions, except that a Deny overrides an Allow for the same right. One nuance practitioners run into: Windows evaluates explicit entries before inherited ones, so an explicit Allow set directly on a file outranks a Deny inherited from its parent folder. For the exam, "Deny wins" is the rule to apply.
Slide 6 of 19
NTFS Permission Inheritance
Child objects inherit permissions from parent folders. Propagation can be blocked.
[Diagram] C:\Projects: Full Control: Admins | Read: Users
  Alpha\: inherited Full Control + Read
    report.txt: inherits from Alpha\
  Beta\ (inheritance blocked): explicit Modify for Devs only
  Gamma\: inherited Full Control + Read
Blocking inheritance: Security tab > Advanced > Disable inheritance, then choose to convert the inherited permissions to explicit entries or remove them.
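The Beta\ step above done from PowerShell, as an added example that is not part of the original slides: block inheritance the way "Disable inheritance" does in the Security tab, choosing between convert and remove, then add the explicit entry. The path C:\Projects\Beta and the group name Devs are illustrative assumptions; run it elevated on Windows.

```powershell
# Added example (not from the slides). Assumptions: Windows, elevated shell,
# C:\Projects\Beta and a local group "Devs" are placeholder names.
using namespace System.Security.AccessControl

function Protect-FolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,
        [FileSystemRights]$Rights = [FileSystemRights]::Modify,
        [switch]$RemoveInherited   # default keeps copies of the inherited entries ("Convert")
    )
    $acl = Get-Acl -LiteralPath $Path

    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   $true,$true  = disable inheritance and convert inherited ACEs to explicit ones
    #   $true,$false = disable inheritance and drop the inherited ACEs
    $acl.SetAccessRuleProtection($true, -not $RemoveInherited)

    # Explicit ACE that also flows down to subfolders and files created later
    $rule = [FileSystemAccessRule]::new(
        $Group,
        $Rights,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return what is now explicit on the folder so the change can be verified
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Example calls (constructed):
# Protect-FolderAcl -Path 'C:\Projects\Beta' -Group 'Devs'                    # keep Admins/Users copies
# Protect-FolderAcl -Path 'C:\Projects\Beta' -Group 'Devs' -RemoveInherited   # only Devs remains
```

With -RemoveInherited the folder ends up with a single explicit entry, so Administrators lose their Full Control on it until they take ownership; if that is not intended, add an Administrators entry in the same run.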
Slide 7 of 19
Deny Overrides Allow
A single Deny entry beats all Allow entries for the same permission at the same level of the ACL (explicit or inherited), regardless of group membership.
How Deny Works
If alice is in both "Users" (Allow Read) and "Blocked" (Deny Read), the Deny wins. Alice cannot read the file. Effective permissions are cumulative, but Deny entries always take precedence over Allow.
Why Use Deny Sparingly
Explicit Deny is a powerful tool but makes troubleshooting complex. Best practice: use Deny only when you cannot achieve the required restriction by removing Allow entries. Misconfigured Deny entries are a common source of access issues.
User | Group A | Group B | Effective Permission
alice | Allow: Read | Allow: Modify | Modify (cumulative, most permissive)
bob | Allow: Read | Deny: Read | No access (Deny wins)
carol | Allow: Full Control | Deny: Write | Full Control minus the Write rights: she can still read, execute, delete and even change permissions, but cannot write data or attributes. Because Change Permissions survives, carol could remove the Deny herself, so a Deny against a Full Control holder is not a real restriction.
A user reports they cannot open a file even though their manager can. Check: is the user in a group with an explicit Deny? Use the Effective Access tab in Advanced Security Settings to compute the actual effective permissions and identify the source Deny entry.
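What the Effective Access tab computes, reproduced as an added example (not code from the slides): walk the DACL of one file or folder in the order Windows evaluates it (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and report which entry decided the result. It deliberately ignores owner rights and privileges such as SeBackupPrivilege, which the real check also considers. Assumptions: Windows, and a caller-supplied principal list holding the user plus every group in the user's token, written the way Get-Acl shows them (BUILTIN\Users, DOMAIN\alice); the paths and names in the example call are placeholders.

```powershell
# Added example (not from the slides). Assumptions: Windows; $Principals lists the user
# and all groups in the token; inherit-only ACEs are skipped because they do not apply
# to the object itself.
using namespace System.Security.AccessControl

function Convert-AceRights {
    param([FileSystemAccessRule]$Ace)
    # Reinterpret the enum as unsigned so bit 31 (GENERIC_READ) does not read as negative
    $raw = [int64][BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$Ace.FileSystemRights.value__), 0)
    $rights = $raw -band 0x01FFFFFF        # specific + standard rights, kept as-is
    # Generic bits (common on ACEs written by other tools) map onto file-system rights
    $generic = @{
        268435456  = [int64][FileSystemRights]::FullControl     # GENERIC_ALL
        536870912  = [int64][FileSystemRights]::ReadAndExecute  # GENERIC_EXECUTE
        1073741824 = [int64][FileSystemRights]::Write           # GENERIC_WRITE
        2147483648 = [int64][FileSystemRights]::Read            # GENERIC_READ
    }
    foreach ($bit in $generic.Keys) { if ($raw -band $bit) { $rights = $rights -bor $generic[$bit] } }
    return $rights
}

function Test-NtfsAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Principals,
        [FileSystemRights]$Rights = [FileSystemRights]::ReadData
    )
    $acl = Get-Acl -LiteralPath $Path
    # Canonical order: explicit before inherited, Deny before Allow within each half
    $ordered = $acl.Access |
        Where-Object { ([int]$_.PropagationFlags -band [int][PropagationFlags]::InheritOnly) -eq 0 } |
        Sort-Object { $_.IsInherited }, { $_.AccessControlType -eq 'Allow' }

    $remaining = [int64]$Rights.value__    # bits still being sought
    foreach ($ace in $ordered) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $aceRights = Convert-AceRights $ace
        $where = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $label = "$where $($ace.AccessControlType) $($ace.FileSystemRights) for $($ace.IdentityReference)"
        if ($ace.AccessControlType -eq 'Deny') {
            # Any overlap between a Deny and the rights still being sought ends the check
            if ($remaining -band $aceRights) { return [pscustomobject]@{ Access = 'Denied'; DecidedBy = $label } }
        } else {
            $remaining = $remaining -band (-bnot $aceRights)
            if ($remaining -eq 0) { return [pscustomobject]@{ Access = 'Allowed'; DecidedBy = $label } }
        }
    }
    # No ACE granted the remaining bits: implicit deny
    [pscustomobject]@{ Access = 'Denied'; DecidedBy = 'no matching Allow entry (implicit deny)' }
}

# Example call (constructed): alice's token holds her own account plus BUILTIN\Users
# Test-NtfsAccess -Path 'C:\Projects\Beta\report.txt' -Principals "$env:COMPUTERNAME\alice", 'BUILTIN\Users' -Rights Modify
```

For the slide's troubleshooting case, run it once with the user's principals and once with the manager's: the DecidedBy field names the Deny entry (and whether it is explicit or inherited) that the Effective Access tab would also point at. To get the real group list for a logged-on user, `whoami /groups` on their session is the quickest source.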
Slide 8 of 19
Share vs. NTFS Permissions
Two permission layers apply when accessing files over the network. The more restrictive wins.
Share Permissions
Apply only over the network. Three levels: Full Control, Change, Read. Set via folder Properties > Sharing tab > Advanced Sharing > Permissions. Do not apply to local access.
NTFS Permissions
Apply both locally and over the network. Six standard levels (Full Control through Read). More granular. When both Share and NTFS permissions apply to a network access, the effective permission is the more restrictive of the two.
The Intersection Rule
Example: Share permission = Full Control for Everyone. NTFS permission = Read for the user. Effective network access = Read. The more restrictive wins. This is the most tested interaction between these two permission systems on the A+ exam.
Best Practice
Set Share permissions to Full Control for Authenticated Users, then restrict access via NTFS permissions alone. This simplifies the permission model — one layer to manage rather than two compounding layers.
Slide 9 of 19
User Account Control (UAC)
Prevents unauthorized or accidental system changes by requiring elevation confirmation.
What UAC Does
Even administrators run with standard user tokens by default. When an action requires elevation, Windows prompts to confirm. Standard users must provide admin credentials. Admins see a simple Yes/No prompt (consent).
UAC Prompt Types
Consent prompt (admin): Yes/No, no password. Credential prompt (standard user): enter admin credentials. The title bar color signals the publisher: blue for Windows components and verified (signed) publishers, yellow for unsigned or unknown publishers, and red when the application is blocked by policy or by a blocked publisher and cannot be allowed at all.
UAC Levels
Four settings in User Account Control Settings (Control Panel). Always notify (most secure). Notify only when apps try to make changes (default). Notify only when apps try to make changes without dimming desktop. Never notify (least secure).
[Flowchart] User action needs elevation -> does the user hold an admin token? YES: consent prompt (blue bar, Allow / Deny). NO: credential prompt (enter admin credentials). Either path -> elevated process runs with the admin token.
Exam Focus
UAC was introduced in Windows Vista. It is enabled by default and should not be disabled. Disabling UAC removes a key defense layer. The exam may present a scenario where UAC prompts are excessive — correct answer is to tune the UAC level, not disable it entirely.
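The four slider levels are stored as a pair of registry values, which is what "tune the UAC level" changes. The following added example (not from the slides) reads them back, names the level, and shows whether the current shell is already running with the full admin token. The value-to-level mapping is the one the Control Panel slider writes on Windows 10/11 (ConsentPromptBehaviorAdmin plus PromptOnSecureDesktop); EnableLUA=0, which switches Admin Approval Mode off entirely, is only reachable through policy or a direct registry edit and is reported separately.

```powershell
# Added example (not from the slides). Assumptions: Windows 10/11; the mapping below is
# the slider's own, anything else is reported as Custom.
function Test-Elevated {
    # True only when the process holds the full admin token (after consent), not merely
    # because the user is a member of Administrators
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $consent = [int]$p.ConsentPromptBehaviorAdmin   # 2 = prompt for consent on secure desktop, 5 = prompt for non-Windows binaries, 0 = elevate without prompting
    $secure  = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the dimmed, isolated desktop
    $lua     = [int]$p.EnableLUA                    # 1 = Admin Approval Mode on

    $level = switch ("$consent/$secure") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify only when apps try to make changes (default)' }
        '5/0'   { 'Notify only when apps try to make changes (no desktop dimming)' }
        '0/0'   { 'Never notify' }
        default { "Custom (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }
    }
    [pscustomobject]@{
        Level           = $level
        UacEnabled      = ($lua -eq 1)
        SecureDesktop   = ($secure -eq 1)
        CurrentElevated = Test-Elevated
    }
}

Get-UacLevel
```

"Never notify" on the slider leaves EnableLUA at 1, so filtered tokens and the elevation machinery still exist; only the prompt disappears. UacEnabled = False means someone set EnableLUA=0, which is the "disable UAC" state the exam tells you not to use.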
Slide 10 of 19
Principle of Least Privilege
Grant only the minimum permissions required to perform a specific task.
Why It Matters
If a standard user account is compromised, the attacker is limited to that user's permissions. If an admin account is compromised, the attacker has unrestricted access to the entire system. Reduce risk by reducing privilege.
Implementation
Daily work: standard user account. Administrative tasks: separate named admin account, or elevation via UAC. Service accounts: grant only the specific rights the service requires, not Local System or Domain Admin by default.
1 Accounts: Use standard user accounts for daily operations. Reserve admin accounts for administrative tasks only.
2 Groups: Add users only to groups that grant the permissions their job role requires. Remove from groups when roles change.
3 Files: Grant Read where Read is sufficient. Grant Modify only when editing is required. Reserve Full Control for administrators.
4 Services: Run services under dedicated service accounts with only the rights required. Never "Local System" if a restricted account will work.
Slide 11 of 19
Managing Accounts: Command Line
net user and net localgroup are the primary CLI tools for local account management.
Command | Purpose
net user | List all local user accounts
net user username * | Change password for username (prompts securely)
net user username /add | Create new local account
net user username /delete | Delete a local account
net user username /active:no | Disable the account (/active:yes re-enables it; this is the "disabled" flag, not the lockout flag)
net localgroup Administrators username /add | Add user to local Administrators group
net localgroup groupname | List members of a specific group
PowerShell Equivalents
New-LocalUser, Set-LocalUser, Remove-LocalUser, Add-LocalGroupMember, Get-LocalGroupMember. PowerShell cmdlets are preferred in modern scripted deployments. The net commands remain valid for A+ exam scenarios.
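The Slide 3 help-desk scenario done with those cmdlets, as an added example that is not part of the slides: create a standard account, grant RDP through Remote Desktop Users rather than Administrators, and produce a report of who actually sits in Administrators against an expected list. Assumptions: Windows 10/11 with the LocalAccounts module (ships with PowerShell 5.1), an elevated shell, and placeholder names such as helpdesk1.

```powershell
# Added example (not from the slides). Assumptions: elevated Windows 10/11 shell;
# "helpdesk1" and the $Expected baseline are placeholders to replace with your own.
function New-StandardRdpUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$FullName = ''
    )
    # New-LocalUser places the account in Users by default; nothing else is needed for a standard user
    $u = New-LocalUser -Name $Name -Password $Password -FullName $FullName -PasswordNeverExpires:$false
    # RDP access comes from this group, not from Administrators (least privilege)
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $u
    Get-LocalGroupMember -Group 'Remote Desktop Users' | Where-Object Name -like "*\$Name"
}

function Get-LocalAdminReport {
    # Members of Administrators, flagged when they are not in the expected baseline
    param([string[]]$Expected = @("$env:COMPUTERNAME\Administrator"))
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Source     = $_.PrincipalSource     # Local, ActiveDirectory, MicrosoftAccount, AzureAD
            Unexpected = ($Expected -notcontains $_.Name)
        }
    }
}

# Example run (constructed). Read-Host -AsSecureString keeps the password out of the history file.
# New-StandardRdpUser -Name 'helpdesk1' -Password (Read-Host 'Password' -AsSecureString)
# Get-LocalAdminReport | Where-Object Unexpected
```

`Get-LocalAdminReport` is the scripted form of "audit local admin group membership regularly" (Slide 17); the PrincipalSource column separates a stray local account from a domain group that was added by policy.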
Slide 12 of 19
Password Policies
Account lockout and password complexity configured via Local Security Policy or Group Policy.
Password Policy Settings
Minimum length (8+ recommended). Complexity requirements (uppercase, lowercase, number, symbol). Maximum age (90 days common). Minimum age prevents immediate re-use cycling. Password history prevents recycling last N passwords.
Account Lockout Policy
Threshold: number of failed attempts before lockout (5 is common). Lockout duration: minutes before auto-unlock (0 = requires admin reset). Observation window: failed attempt counter reset interval. Protects against brute force.
Access Path
secpol.msc (Local Security Policy) > Account Policies. Or gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Account Policies. Applies locally; domain policies override.
A user is locked out after entering the wrong password three times. You check Account Lockout Policy: threshold is 3, duration is 0 (admin must unlock). net user username /active:yes does not help here: it clears the "Account is disabled" flag, which is a different state from lockout. Unlock in lusrmgr.msc by opening the user's Properties and unchecking "Account is locked out." (A Windows Hello PIN lockout is a separate mechanism enforced by the TPM's anti-hammering logic, not by Account Lockout Policy.)
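An added example (not from the slides) that checks both halves of this slide on a workstation: it exports the local Account Policies with secedit, compares them with a baseline, and then finds and unlocks locked-out local accounts without touching the "disabled" flag. Get-LocalUser does not expose the lockout state, so that part uses the ADSI WinNT provider. Assumptions: an elevated shell; the baseline numbers (12 characters, lockout between 1 and 10) are this example's own, not CompTIA values; "bob" is a placeholder.

```powershell
# Added example (not from the slides). Assumptions: elevated shell on Windows;
# baseline thresholds are illustrative.
function Get-LocalAccountPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    # The INF is "Key = Value" lines under [System Access]; grab every such pair
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(?<k>\w+)\s*=\s*(?<v>.+)$') { $policy[$Matches.k] = $Matches.v.Trim() }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MinimumPasswordLength = [int]$policy['MinimumPasswordLength']
        PasswordComplexity    = ([int]$policy['PasswordComplexity'] -eq 1)
        MaximumPasswordAge    = [int]$policy['MaximumPasswordAge']   # -1 = never expires
        PasswordHistorySize   = [int]$policy['PasswordHistorySize']
        LockoutBadCount       = [int]$policy['LockoutBadCount']      # 0 = lockout disabled
        LockoutDuration       = [int]$policy['LockoutDuration']      # absent (reads 0) when lockout is off; 0 with lockout on = admin must unlock
        ResetLockoutCount     = [int]$policy['ResetLockoutCount']    # observation window in minutes
    }
}

function Test-LocalAccountPolicy {
    param($Policy = (Get-LocalAccountPolicy))
    $findings = @()
    if ($Policy.MinimumPasswordLength -lt 12) { $findings += "MinimumPasswordLength $($Policy.MinimumPasswordLength) < 12" }
    if (-not $Policy.PasswordComplexity)      { $findings += 'PasswordComplexity disabled' }
    if ($Policy.LockoutBadCount -eq 0)        { $findings += 'Account lockout disabled (online guessing is unthrottled)' }
    elseif ($Policy.LockoutBadCount -gt 10)   { $findings += "LockoutBadCount $($Policy.LockoutBadCount) > 10" }
    $findings
}

function Get-LockedLocalUser {
    # IsAccountLocked is an IADsUser property; Get-LocalUser has no equivalent
    Get-LocalUser | Where-Object { ([ADSI]"WinNT://./$($_.Name),user").InvokeGet('IsAccountLocked') }
}

function Unlock-LocalUserAccount {
    param([Parameter(Mandatory)][string]$Name)
    $u = [ADSI]"WinNT://./$Name,user"
    $u.InvokeSet('IsAccountLocked', $false)   # clears only the lockout flag; Enabled is untouched
    $u.SetInfo()
}

# Example run (constructed):
# Test-LocalAccountPolicy
# Get-LockedLocalUser | Select-Object Name
# Unlock-LocalUserAccount -Name 'bob'
```

To change the policy from the same shell, `net accounts /minpwlen:12 /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15` writes the same settings that secpol.msc > Account Policies edits; on a domain member, the domain GPO overrides whatever you set locally.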
Slide 13 of 19
Encrypting File System (EFS)
Per-file, per-user encryption tied to the user's certificate. Pro and above only.
How EFS Works
Right-click file/folder > Properties > Advanced > "Encrypt contents to secure data." The file is encrypted with a random symmetric File Encryption Key (FEK); the FEK is then encrypted with the public key from the user's EFS certificate and stored alongside the file, so only the holder of the matching private key (the user, or a designated EFS Recovery Agent whose public key was also used) can recover the FEK and decrypt.
Recovery Agent
Standalone Windows XP and later machines have no default Data Recovery Agent; in a domain, the Default Domain Policy designates the domain Administrator's recovery certificate. On a standalone machine, create one (cipher /r) and register it under Local Security Policy > Public Key Policies > Encrypting File System before users encrypt anything. If the user's account is deleted or the certificate is lost and no recovery agent exists, the encrypted data is permanently inaccessible.
EFS vs. BitLocker
EFS encrypts individual files per user; BitLocker encrypts the entire volume. EFS protection follows the user's key, so other users on the same machine, even administrators, cannot read EFS-encrypted files without that key or a recovery agent. BitLocker protects against offline attacks on the drive (a removed disk, booting from other media) but is transparent to every user once Windows is running. They can be used together.
Command Line
cipher /e file.txt — encrypt. cipher /d file.txt — decrypt. cipher /c file.txt — show who can decrypt the file (users and recovery agents). cipher /u — update EFS certificates on files. cipher /r:filename — generate a recovery agent certificate and key (.pfx and .cer pair). cipher /x — back up the current user's EFS certificate and private key.
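The failure mode on this slide is a user who still has encrypted files but no longer has the key. The following added example (not from the slides) inventories EFS-encrypted files under a path and confirms that the current user holds an EFS certificate with a private key, so a technician can catch the problem before a profile rebuild or account deletion. Assumptions: Windows Pro or above, run as the user whose files are being checked; the Documents path in the example call is a placeholder.

```powershell
# Added example (not from the slides). Assumptions: Pro+ edition, run in the user's own
# session (the certificate store is per user).
function Get-EfsInventory {
    param([Parameter(Mandatory)][string]$Path)
    # EFS sets the Encrypted attribute on files it has encrypted
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-MyEfsCertificate {
    # EKU 1.3.6.1.4.1.311.10.3.4 = Encrypting File System; without the private key the cert is useless
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') } |
        Select-Object Thumbprint, Subject, NotAfter
}

function Test-EfsReadiness {
    param([Parameter(Mandatory)][string]$Path)
    $files = @(Get-EfsInventory -Path $Path)
    $certs = @(Get-MyEfsCertificate)
    [pscustomobject]@{
        EncryptedFiles  = $files.Count
        EfsCertificates = $certs.Count
        Warning         = if ($files.Count -gt 0 -and $certs.Count -eq 0) {
                              'Encrypted files present but no EFS certificate with a private key in the user store'
                          } else { $null }
    }
}

# Example call (constructed):
# Test-EfsReadiness -Path "$env:USERPROFILE\Documents"
```

If the check passes, export the certificate with its private key now (`cipher /x`, or certmgr.msc > Personal > export as .pfx) and store it off the machine; once EfsCertificates reads 0 and there is no recovery agent, the files listed by Get-EfsInventory are lost.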
Slide 14 of 19
Domain vs. Local Accounts
Domain accounts authenticate against AD DS; local accounts authenticate against the local SAM.
Local Accounts
Stored in the local SAM (C:\Windows\System32\config\SAM). Authentication via NTLM. Valid only on the local machine. Managed with lusrmgr.msc, net user, or Settings > Accounts. No network SSO.
Domain Accounts
Stored in Active Directory on domain controllers. Authentication via Kerberos. Log on as DOMAIN\username or username@domain.com. SSO to network resources. Managed via Active Directory Users and Computers (dsa.msc) on DCs.
[Diagram] Local account path: user -> local SAM -> NTLM hash check -> OK. Scope: this machine only; no SSO to the network; managed with lusrmgr.msc; format .\username or HOSTNAME\username. Domain account path: user -> domain controller (Kerberos KDC / AD) -> TGT -> Kerberos ticket -> OK. Scope: entire domain; SSO to resources; managed with dsa.msc on a domain controller; format DOMAIN\username or user@domain.com.
Characteristic | Local Account | Domain Account
Storage | Local SAM | Active Directory NTDS.dit
Authentication | NTLM | Kerberos (primary; NTLM as fallback)
Scope | One machine | Entire domain
Managed by | Local admin | Domain admin
Slide 15 of 19
Run As & Elevation
Execute a process under a different user context without switching sessions.
Right-Click Run As Administrator
Right-click an executable or shortcut > "Run as administrator." UAC prompts for confirmation and launches the process with a full admin token: the current user's own admin token if they are a member of Administrators, otherwise the token of whichever admin account's credentials are entered at the prompt.
runas Command
runas /user:DOMAIN\adminname "notepad.exe" — launches notepad as a specified user. Prompts for that user's password. Useful for running management tools as a different admin account without logging off. /savecred saves the password for future use (security risk on shared machines).
Scheduled Tasks as Admin
Task Scheduler can run tasks as a service account or admin with "Run with highest privileges." Allows automation requiring elevation without interactive UAC prompts. Common for maintenance scripts, backup jobs, and patch management.
A standard user needs to run a legacy installer that requires admin rights. The correct A+ answer: right-click the installer > Run as administrator > provide admin credentials at the UAC prompt. The user does not need to be added to Administrators permanently.
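The three elevation paths on this slide from PowerShell, as an added example that is not from the slides: relaunch a program through the UAC prompt (Start-Process -Verb RunAs, the equivalent of right-click > Run as administrator), start a tool as another account with a credential object (the runas equivalent, with no saved password), and register a maintenance task that runs with highest privileges so no interactive prompt is needed. Assumptions: Windows with the ScheduledTasks module (Windows 8/Server 2012 and later); the tool paths, account name and task name are placeholders.

```powershell
# Added example (not from the slides). Assumptions: Windows 8+/Server 2012+;
# all paths, the CORP\alice-adm account and the NightlyBackup task name are placeholders.
function Start-Elevated {
    param([Parameter(Mandatory)][string]$FilePath, [string[]]$ArgumentList)
    # -Verb RunAs triggers the UAC consent or credential prompt; returns the elevated process
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; PassThru = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

function Start-AsUser {
    param([Parameter(Mandatory)][string]$FilePath, [Parameter(Mandatory)][pscredential]$Credential)
    # Equivalent of runas /user:... The password stays a SecureString in memory and is
    # never written to the credential store, unlike runas /savecred.
    Start-Process -FilePath $FilePath -Credential $Credential -PassThru
}

function Register-MaintenanceTask {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$At = '03:00'
    )
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    # -RunLevel Highest is the "Run with highest privileges" checkbox. SYSTEM is used here
    # because a backup job needs SeBackupPrivilege; prefer a dedicated service account
    # whenever the job does not (Slide 10).
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger -Principal $principal -Force
}

# Example calls (constructed):
# Start-Elevated -FilePath 'C:\Installers\legacy-setup.exe'
# Start-AsUser -FilePath 'mmc.exe' -Credential (Get-Credential 'CORP\alice-adm')
# Register-MaintenanceTask -Name 'NightlyBackup' -ScriptPath 'C:\Scripts\backup.ps1'
```

Note the trade-off in the task: the script at $ScriptPath now runs as SYSTEM every night, so its ACL must not grant Write to standard users, or the task becomes the privilege-escalation path described on Slide 17.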
Slide 16 of 19
Audit Policy & Event Logs
Track account logon events, privilege use, and object access for security monitoring.
Configuring Audit Policy
secpol.msc > Local Policies > Audit Policy. Categories: Account Logon Events, Account Management, Logon Events, Object Access, Privilege Use, Policy Change, System Events. Each can audit Success, Failure, or both.
Reading Security Events
Event Viewer > Windows Logs > Security. Key Event IDs: 4624 (successful logon), 4625 (failed logon), 4648 (explicit credential use, e.g. runas), 4672 (special privileges assigned to a new logon, i.e. an admin-level logon), 4720 (user account created), 4732 (member added to a security-enabled local group), 4740 (account locked out). Filter by Event ID for targeted investigation.
Exam Scenario
A manager suspects someone is attempting to brute-force an account. You enable auditing for Logon Events (Failure). Check Event Viewer Security log for repeated 4625 events against the same username within a short time window. The source workstation is recorded in the event details.
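The scenario's manual check, as an added example that is not from the slides: pull 4625 events from the Security log, extract the target account and source from the event XML, and flag any account with N failures inside a sliding window. The detection function takes plain objects, so the constructed sample at the end runs on a machine without auditing enabled; against a real log, feed it Get-FailedLogon output from an elevated shell. The sample events, the account name svc-backup and the 10.0.0.55 source are invented for the demonstration.

```powershell
# Added example (not from the slides). Assumptions: Security log readable (elevated shell)
# for the live path; the $sample data below is constructed for the demo.
function Get-FailedLogon {
    param([int]$MaxEvents = 5000, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are only reliably available through the XML view
            $x = [xml]$_.ToXml()
            $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d.TargetUserName
                Source    = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
                Status    = $d.Status        # 0xC000006A = bad password, 0xC0000234 = account locked out
                LogonType = $d.LogonType     # 2 = interactive, 3 = network, 10 = RDP
            }
        }
}

function Find-BruteForceCandidate {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 5,
        [int]$WindowMinutes = 5
    )
    $Events | Group-Object User | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        # Sliding window: from each failure, count the failures within the next $WindowMinutes
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $burst = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end })
            if ($burst.Count -ge $Threshold) {
                [pscustomobject]@{
                    User     = $_.Name
                    Failures = $burst.Count
                    From     = $times[$i]
                    To       = $burst[-1]
                    Sources  = ($_.Group.Source | Sort-Object -Unique) -join ','
                }
                break   # one finding per account is enough for triage
            }
        }
    }
}

# Constructed sample: six failures against svc-backup from one host inside two minutes,
# plus one stray failure for alice that must not be reported
$t0 = Get-Date '2024-05-01 09:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); User = 'svc-backup'; Source = '10.0.0.55'; Status = '0xC000006A'; LogonType = '3' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); User = 'alice'; Source = 'WS-07'; Status = '0xC000006A'; LogonType = '2' }
)
Find-BruteForceCandidate -Events $sample       # reports svc-backup only
# Live: Find-BruteForceCandidate -Events (Get-FailedLogon)
```

Auditing must be on for this to see anything: with the Audit Logon (Failure) setting from the previous paragraph unset, the Security log simply has no 4625 events to group. The Status column separates guessing (0xC000006A) from the lockout already having tripped (0xC0000234).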
Slide 17 of 19
Privilege Escalation Threats
Attackers target misconfigured permissions to gain elevated access.
Weak Permissions on System Files
If standard users have Write access to files executed as SYSTEM or Admin (e.g., service binaries), an attacker can replace the binary and execute arbitrary code at a higher privilege level on next service restart.
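The check a technician (or an attacker) runs for this condition, as an added example that is not from the slides: list every service whose executable, or the directory it lives in, grants write-class rights to low-privilege principals. Assumptions: Windows; the list of "weak" principals is this example's own and should be extended with any broad custom groups; generic-bit ACEs (GENERIC_WRITE and friends) are not expanded here, so a clean result is necessary but not sufficient.

```powershell
# Added example (not from the slides). Assumptions: Windows; $WeakPrincipals is a
# starting list, not an exhaustive one.
using namespace System.Security.AccessControl

$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a caller replace or neuter the binary (or its containing folder)
$WriteMask = [FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted paths: the quoted token. Unquoted paths: everything up to the first ".exe".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-WeakAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $WeakPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0)
    } | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }   # next service
        $hits = @(Test-WeakAce $exe) +
                @(Test-WeakAce (Split-Path $exe -Parent) | ForEach-Object { "dir: $_" })
        if ($hits) {
            [pscustomobject]@{
                Service  = $_.Name
                RunsAs   = $_.StartName     # LocalSystem here is the worst case
                Binary   = $exe
                WeakAces = $hits -join '; '
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

A hit where RunsAs is LocalSystem and WeakAces names BUILTIN\Users is exactly the condition in the paragraph: a standard user can drop a new executable at that path and wait for the next restart. Fix it by restoring the directory's inherited permissions (Slide 6) or moving the service into a folder under Program Files, where the default ACL gives Users read and execute only.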
Cached Credentials
Windows caches domain credentials locally for offline logon (default 10 cached logons, CachedLogonsCount). They are stored in the SECURITY registry hive as MSCacheV2 (DCC2) hashes, not in the SAM, and can be extracted with tools like Mimikatz by an attacker who already has SYSTEM-level access on the machine. DCC2 hashes are salted and slow to crack and cannot be passed directly, but weak passwords still fall to offline guessing. Reduce the cache count via Group Policy ("Interactive logon: Number of previous logons to cache") in high-security environments.
Pass-the-Hash (PtH)
The NTLM challenge-response is computed from the NT hash, so the hash is as good as the password: an attacker who extracts an NT hash (from LSASS memory or the SAM) can authenticate to other machines as that user without cracking it. Mitigated by Credential Guard (Enterprise editions; isolates NT hashes and Kerberos tickets in virtualization-based security), the Protected Users security group (disables NTLM for its members), and LAPS for local admin accounts, so one stolen local hash does not open every machine that shares the password.
Defensive Posture
Apply least privilege. Use LAPS (Local Administrator Password Solution) for unique local admin passwords per machine. Enable Credential Guard on Enterprise. Audit local admin group membership regularly. Disable the built-in Administrator account.
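An added example (not from the slides) that reads out the settings this slide names so a technician can verify them on a workstation in one pass: the cached-logon count, whether Credential Guard is actually running, the enabled state of the built-in Administrator (RID 500) and the size of the Administrators group. Assumptions: Windows 10/11, elevated shell; the Win32_DeviceGuard class is only present on editions that support virtualization-based security, and the thresholds in the Findings column are this example's own.

```powershell
# Added example (not from the slides). Assumptions: elevated shell on Windows 10/11;
# the thresholds (cache > 4, more than 2 admins) are illustrative.
function Get-CredentialPosture {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent

    # SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # The built-in Administrator keeps RID 500 even when renamed
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        CachedLogonsCount      = [int]$cached
        CredentialGuardRunning = $credGuard
        BuiltinAdminEnabled    = $builtinAdmin.Enabled
        LocalAdministrators    = $admins -join ', '
        Findings               = @(
            if ([int]$cached -gt 4)    { "CachedLogonsCount=$cached; lower it on high-security hosts" }
            if (-not $credGuard)       { 'Credential Guard not running (needs VBS-capable hardware and a supporting edition)' }
            if ($builtinAdmin.Enabled) { 'Built-in Administrator (RID 500) is enabled' }
            if ($admins.Count -gt 2)   { "Administrators has $($admins.Count) members; review against baseline" }
        ) -join '; '
    }
}

Get-CredentialPosture | Format-List
```

LAPS is deliberately not probed here: legacy LAPS and Windows LAPS expose their state in different places, and the only reliable check is whether the built-in account's password actually rotates, which requires the management side rather than the client.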
Slide 18 of 19
Exam Scenario Drills
Apply the permission model to common A+ scenario question patterns.
1 User cannot open a shared folder over the network, but can access it locally. Check Share permissions — likely set too restrictively. NTFS is correct; Share permission is the bottleneck.
2 A file in a shared folder is inaccessible even though Share = Full Control. NTFS permission is restricting access. Effective = most restrictive of the two. Check NTFS tab, not Sharing.
3 User is in Administrators group but cannot read a specific file. Explicit Deny entry on the file or parent folder overrides even Administrator Allow permissions.
4 A new file created inside a folder has different permissions than the folder. Inheritance may be blocked on the parent, or the app creating the file sets explicit permissions. Check "Apply to: this folder, subfolders, and files" in Advanced Security Settings.
5 gpedit.msc fails with "not found" on a technician's laptop. The laptop is running Windows Home. gpedit.msc is a Pro-and-above tool. Edition, not missing file.
Slide 19 of 19
Users & Permissions Summary
Key retention points for Domain 1.6 and 4.6.
Permission Priority Order
1. Explicit Deny beats all. 2. Network access = most restrictive of Share vs. NTFS. 3. Cumulative Allow = union of all group permissions. 4. Inherited permissions can be blocked or overridden.
Access Control Tools
lusrmgr.msc — local users and groups. secpol.msc — password and lockout policy. cipher — EFS management. net user / net localgroup — CLI account management. Event Viewer Security log — audit trail.
The Five Rules
1. Deny overrides Allow. 2. Network access: Share AND NTFS intersect (restrictive wins). 3. Permissions are cumulative across groups. 4. Inheritance flows down unless explicitly blocked. 5. Least privilege: grant minimum necessary, audit regularly.
The A+ permission scenario pattern: identify whether the access is local or network, identify all groups the user belongs to, calculate cumulative Allow, apply any Deny, then intersect with Share if network access. That sequence resolves virtually every scenario question in Domain 1.6.