Before creating an Access Control Entry (ACE) on an object, you need an account, group or other Security Identifier (SID) to ascertain to which security principle the ACE will apply. There have been some important changes to the built-in accounts and groups. The Administrator account is disabled by default in Windows Vista. It was often the case that the Administrator account password was the same on every workstation, which constituted a security risk. A disabled Administrator account will relieve administrators of the need to manage the account’s password on every workstation. If you get into trouble, the built-in Administrator account can still be used in Safe Mode and in the Recovery Console. In Windows Server 2008 and Vista, UAC does not apply to the built-in Administrator account. However unless configured otherwise, UAC applies to all new accounts that are members of the Administrators group.
The Power Users group still exists for the purposes of backwards compatibility, but has been depreciated. The rights which were granted to this group in previous versions of Windows have been removed. Remote Assistance has been redesigned so that the HelpAssistant account is no longer required. The Support_ account, which was used to execute Support Center scripts, has also gone.
New groups include: IIS_IUSRS, which performs the same function as the IUSR_