Default security groups

Deciding which security groups to use is the most important decision you make about your site and content security.

With security groups, you control access for sets of users instead of individual users.

Security groups can be composed of many individual users, can hold a single Windows security group, or can be some combination of the two.

For information about working with the security and distribution groups that are included in Active Directory Domain Services, see Choose security groups (TechNet).

Security groups confer no specific rights to the site; they are merely a way to contain a set of users. You can organize users into any number of groups, depending on the size and complexity of your organization or Web site.

Three security groups are provided by default, as shown in the following table. Note that you can customize them by assigning any permission level to them that you want, and you can also create new security groups with the permission levels that you want.

Security group name | Default permission level | Use for
Site name Owners | Full Control | People who need to be able to manage site permissions, settings, and appearance. Use sparingly.
Site name Members | | People who need to be able to edit site content.
Site name Visitors | | People who need to be able to see site content, but not edit it.

In addition, the following special users and groups are available for higher-level administration tasks:

Site collection administrators    You can designate one or more users as primary and secondary site collection administrators.

These users are recorded in the database as the contacts for the site collection. They have full control of all sites within the site collection, can audit all site content, and receive any administrative alerts (such as verifying whether the site is still being used).

Generally, you designate site collection administrators when you create the site, but you can change them as needed by using the Central Administration site or Site Settings pages.

Farm administrators    The Farm Administrators group is used in Central Administration only, and is not available for any sites, so unless you are an IT professional, you are unlikely to encounter this group.

This group controls which users can manage server and server farm settings. The Farm Administrators group replaces the need for adding users to the Administrators group for the server. Farm administrators have no access to site content by default; they must take ownership of the site to view any content. They do this by adding themselves as site collection administrators, and that action is recorded in the audit logs.
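
As an added example (not part of the original page), the following review script lists every site collection administrator and flags the entries that are also members of the Farm Administrators group, which is the situation described above where a farm administrator has taken ownership of a site. It assumes an on-premises farm with the SharePoint PowerShell snap-in (SharePoint 2010 or later), an English-language group name, and an account with farm-level rights; the output property names are illustrative.

```powershell
# Added example: review of site collection administrators.
# Assumes the SharePoint Management Shell on a farm server (SharePoint 2010+).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Start-SPAssignment -Global   # track SPSite/SPWeb objects so they are disposed

try {
    # The Farm Administrators group exists only in the Central Administration site.
    $ca = Get-SPWebApplication -IncludeCentralAdministration |
          Where-Object { $_.IsAdministrationWebApplication }

    # Assumptions: the first site collection is the Central Administration root,
    # and the group carries its English name (localized farms translate it).
    $farmGroup  = $ca.Sites[0].RootWeb.SiteGroups['Farm Administrators']
    $farmLogins = @($farmGroup.Users | ForEach-Object { $_.LoginName })

    $report = foreach ($site in Get-SPSite -Limit All) {
        foreach ($admin in $site.RootWeb.SiteAdministrators) {
            New-Object PSObject -Property @{
                SiteCollection = $site.Url
                Login          = $admin.LoginName
                IsDomainGroup  = $admin.IsDomainGroup
                # -contains is case-insensitive; it matches literal entries only,
                # so membership through a nested Windows group is not resolved.
                AlsoFarmAdmin  = ($farmLogins -contains $admin.LoginName)
            }
        }
    }

    # Farm administrators who hold site collection administrator rights.
    $report | Where-Object { $_.AlsoFarmAdmin } |
        Sort-Object SiteCollection |
        Format-Table SiteCollection, Login -AutoSize

    # Windows groups granted site collection administrator rights: the effective
    # set of administrators is then controlled in Active Directory, not here.
    $report | Where-Object { $_.IsDomainGroup } |
        Sort-Object SiteCollection |
        Format-Table SiteCollection, Login -AutoSize
}
finally {
    Stop-SPAssignment -Global
}
```

Compare the flagged entries against the audit log entries for the same site collections to confirm that each grant was expected.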

Administrators    Members of the Administrators group on the local server can perform all farm administrator actions and more, including the following:

  1. Installing new products or applications.

  2. Deploying Web Parts and new features to the global assembly cache.

  3. Creating new Web applications and new IIS Web sites.

  4. Starting services.

Like the Farm Administrators group, members of the Administrators group on the local server have no access to site content, by default.

After you determine the groups you need, determine the permission levels to assign to each group on your site.
