Quick answer: Manage Windows Server users in lusrmgr.msc. Create a user, then add them to Remote Desktop Users for RDP access without admin rights, or Administrators only if they truly need it. Keep the number of administrators small and disable rather than delete departed accounts.
Managing user accounts on a Windows VPS lets you give people the access they need without sharing the Administrator password. This guide covers creating users, granting RDP access, and controlling privileges.
Run lusrmgr.msc to open Local Users and Groups (available on most Windows Server editions), or use Server Manager > Tools > Computer Management. Both manage the same accounts.
Under Users, right-click and choose New User. Set a username and a strong password. Decide on the password options - for a service account, "Password never expires" may be appropriate; for a person, require a periodic change. Command-line equivalent:
net user jsmith StrongPass123! /add
A new user cannot log in over RDP until they are in the right group. Add them to Remote Desktop Users:
net localgroup "Remote Desktop Users" jsmith /add
This grants RDP without giving administrative rights - the safer default for most accounts.
If a user genuinely needs to install software or change system settings, add them to Administrators:
net localgroup Administrators jsmith /add
Keep the number of administrators small. Most day-to-day accounts should be standard users.
When someone leaves, disable their account rather than deleting it immediately so you keep an audit trail, then remove it later. Renaming the built-in Administrator account (to something non-obvious) reduces automated attacks that target that exact name.
Periodically check the user list and group membership. An unfamiliar account, especially in Administrators or Remote Desktop Users, can be a sign of compromise and should be investigated.
How do I give a user RDP access without admin rights?
Add them to the Remote Desktop Users group, not Administrators.
Should I delete a departed user's account?
Disable it first to keep an audit trail, then remove it later.
On a SoftSys managed Windows VPS our team can set up role-appropriate accounts and access policies for you, so your team has exactly the access it needs and nothing more.