Wednesday, March 4, 2015

Need to know the impact of removing the Domain Users group from the local Users group

When a computer is joined to a domain, the Domain Users group is added to the computer's local Users group automatically. In addition, the local Users group also contains two other groups: the Authenticated Users group and the INTERACTIVE group.
Even if you delete Domain Users from the local Users group, every domain user is still covered by Authenticated Users, which means domain users are still effectively members of the local Users group through that nested membership. You can also delete Authenticated Users from the local Users group; however, when a domain user logs on interactively, that user is a member of the INTERACTIVE group and is therefore still a member of the local Users group. If you also delete the INTERACTIVE group from the local Users group, domain users will no longer be able to log on to this computer interactively. And I believe deleting these three groups from the local Users group is a big change that can probably cause a lot of potential issues.

Domain Users
===============
This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).

Users (Local)
===============
Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.

User rights assigned to this group: Access this computer from the network; Allow log on locally; Bypass traverse checking.


Impact of removing Domain Users from "Local Users and Groups\Groups\Users" on a member server:

1: None of the domain users can access that computer unless you grant permission to the specific user on the computer.
2: None of the domain users can access the shares on that computer unless you grant them permission explicitly.

Since the requirement was to remove the Domain Users group from the access list permanently (so that it does not get Read and Execute permission) rather than removing its permission explicitly each time a folder is shared, you can remove the Domain Users group from the "Local Users and Groups\Groups\Users" group.

NOTE: Please make sure that you add the specific users who should have access to that computer and grant them permissions explicitly. Please do not remove "Domain Users" from the local Users group if the computer is a Domain Controller.
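Before removing anything, it helps to see which of the three principals discussed above (Domain Users, Authenticated Users, INTERACTIVE) are actually still in the local Users group, because the nested-membership behaviour described at the top of the post decides what the removal really changes. The script below is an added example, not part of the original post or of Microsoft's documentation; it assumes PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalGroupMember) and identifies the principals by SID rather than by display name so it works on localized systems.

```powershell
# Added example: audit the local Users group for the three principals this post discusses
# and report the effective result for domain users. Read-only; it changes nothing.
# Assumption: Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts, PS 5.1+) is available.

# Warn on a Domain Controller, where the post says Domain Users must not be removed.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) { Write-Warning 'This computer is a Domain Controller; do not remove Domain Users here.' }

$members = Get-LocalGroupMember -Group 'Users'

# Well-known SIDs: Authenticated Users = S-1-5-11, INTERACTIVE = S-1-5-4.
# Domain Users is the domain SID (S-1-5-21-x-y-z) with RID 513.
$checks = @(
    @{ Principal = 'Domain Users';        Test = { param($sid) $sid.Value -match '^S-1-5-21-\d+-\d+-\d+-513$' } },
    @{ Principal = 'Authenticated Users'; Test = { param($sid) $sid.Value -eq 'S-1-5-11' } },
    @{ Principal = 'INTERACTIVE';         Test = { param($sid) $sid.Value -eq 'S-1-5-4' } }
)

$report = foreach ($check in $checks) {
    $present = [bool]($members | Where-Object { & $check.Test $_.SID })
    [pscustomobject]@{ Principal = $check.Principal; InLocalUsers = $present }
}
$report | Format-Table -AutoSize

$has = @{}
foreach ($row in $report) { $has[$row.Principal] = $row.InLocalUsers }

# Effective membership for domain users, following the three paths described in the post.
if ($has['Domain Users']) {
    'Domain users are direct members of Users via the Domain Users group.'
} elseif ($has['Authenticated Users']) {
    'Domain Users was removed, but Authenticated Users still puts every domain user into Users (local and network access).'
} elseif ($has['INTERACTIVE']) {
    'Only INTERACTIVE remains: domain users still land in Users when they log on interactively, but not for network (share) access.'
} else {
    'All three removed: domain users get no rights from Users; grant the required users access explicitly.'
}
```

On systems without the LocalAccounts module, `net localgroup Users` lists the same membership by name, but the SID-based checks above then have to be done by hand.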


Articles
========
Default Domain Groups: http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Default Local Groups: http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx 
