Before creating an Access Control Entry (ACE) on an object, you need an account, group or other Security Identifier (SID) to ascertain to which security principle the ACE will apply. There have been some important changes to the built-in accounts and groups. The Administrator account is disabled by default in Windows Vista. It was often the case that the Administrator account password was the same on every workstation, which constituted a security risk. A disabled Administrator account will relieve administrators of the need to manage the account’s password on every workstation. If you get into trouble, the built-in Administrator account can still be used in Safe Mode and in the Recovery Console. In Windows Server 2008 and Vista, UAC does not apply to the built-in Administrator account. However unless configured otherwise, UAC applies to all new accounts that are members of the Administrators group.

The Power Users group still exists for the purposes of backwards compatibility, but has been depreciated. The rights which were granted to this group in previous versions of Windows have been removed. Remote Assistance has been redesigned so that the HelpAssistant account is no longer required. The Support_ account, which was used to execute Support Center scripts, has also gone.

New groups include: IIS_IUSRS, which performs the same function as the IUSR_ account on XP. Removing the component of the account name makes it easier to control this account using automated mechanisms such as Group Policy, as the name is the same across all machines; Event Log Readers, which can alleviate the need to modify Security Description Definition Language (SDDL) strings on event logs; Performance Log Users can schedule performance counter logging, enable trace providers, enumerate event traces locally and remotely, but monitoring system processes is still granted using the Profile system performance (SeSystemProfilePrivilege) privilege; Performance Monitor Users can access performance counter data; the Distributed COM Users group was originally added to Windows Server 2003 SP1 to provide an easy way to apply DCOM computer restriction settings to users; In Vista SP1 and Server 2008, the Cryptographic Operators group enables Cryptography API: Next Generation (CNG) support, giving access to features such as crypto settings in the IPSec policy of the Windows Firewall.