If you perform a clean install of Windows 2000 Professional or Windows 2000 as a member server, Everyone, and User group members, do not have broad write access to the system, as they had in Windows NT 4.0. Instead, they have write access to their profile folder, and read access to most of the system.
By default, new users are added to the Power Users group. Power Users have enough write access, as in Windows NT 4.0, to allow them to install programs.
The Authenticated users group is also added to the Power Users group.
Members of the Administrators group have the same access that they had in Windows NT 4.0.
Users do not have interactive logon rights to a domain controller. They have write access to their profile and read access to most of the system.
Members of the Server Operators, Account Operators, and other built in groups have the same access that they had in Windows NT 4.0.
If you perform an upgrade from Windows NT 4.0, your previous security setting are maintained. The above defaults do not apply.
NOTE: You may elect to remove Authenticated Users and Users from the Power Users group.