An Administrator has unrestricted permissions: he can view/create/change/delete anything in the file system or registry; he can create/delete user accounts, grant group membership and set their permissions; and he can change system security policy. It is possible to create ACEs (access control entries) that prevent an administrator's access to an object (e.g., the System Volume Information folder); however, he has the power to take ownership of any object, and doing so allows him to grant access for himself (or any other user or group) to that object.
A Power User [by default] has write access to the Program Files folder, and to the system-wide registry keys needed to register COM objects. This permits him to install most software so that it's available to all users. Other than that, a Power User is about the same as a regular user: he cannot create new users or change existing ones, he cannot change object permissions, and he cannot change system policy.
A User [by default] has read-only access to Program Files, and to system-wide COM registrations, which prevents him from installing most software packages. However, he has [practically] full control over his profile folder, as well as his user-specific registry hive (accessed via the symbolic link HKEY_CURRENT_USER). As such, he can install software available for his use only -- but only if the installer program was designed to facilitate this (which currently is the exception, not the rule).
Neither a "normal" User (technically, an account that is a member of the group "Users") nor a Power User (technically, an account that is a member of the group "Power Users") can grant group membership to any account, including their own. Only a member of the group "Administrators" can do that -- otherwise having the less-privileged groups would be pointless.
(That does not count exploitation of system vulnerabilities that make "privilege escalation" possible, via specially constructed attacks. As these vulnerabilities are discovered, they are fixed by patches/service packs, and thus can only be used against systems that have not been updated.)
Note that the things a given user and/or group is permitted to do can be changed. What's described above is the way it comes "out of the box."
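As an added example (not part of the original text), this PowerShell script checks whether the out-of-the-box picture above still holds on a machine: it lists the members of the three built-in groups and reports whether an allow ACE naming each group grants write-type rights on Program Files. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the function name Get-GroupWriteAccess is hypothetical, and the check looks only at ACEs that name the group directly, not at effective access.

```powershell
# Added example: compare the actual state of a machine with the default roles.
# Well-known SIDs are used instead of group names so this works on localized systems.
$groups = [ordered]@{
    'Administrators' = 'S-1-5-32-544'
    'Power Users'    = 'S-1-5-32-547'
    'Users'          = 'S-1-5-32-545'
}

# Rights that let a principal add or alter content, or rewrite the ACL / take ownership.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: $true if an allow ACE that applies to $Path itself
# names the group $Sid and carries any of the write-type rights above.
function Get-GroupWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sid
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs affect children, not the folder being examined.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # account name could not be resolved to a SID
        }
        if ($aceSid -eq $Sid -and ($ace.FileSystemRights -band $writeBits)) {
            return $true
        }
    }
    return $false
}

foreach ($name in $groups.Keys) {
    $sid = $groups[$name]
    # A group that does not exist on this system simply yields no members.
    $members = @(Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group                = $name
        Sid                  = $sid
        Members              = ($members.Name -join '; ')
        CanWriteProgramFiles = Get-GroupWriteAccess -Path $env:ProgramFiles -Sid $sid
    }
}
```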