Domain Users Profiles Coexisting With Built in Privileges

    Question

  • In: Active Directory Users and Computers:

    The Domain Users Profiles Coexist with Built in Security Groups. As Per Picture attached. We have about 50 users in the same container as the built in Security Groups indicated in the screen shot that installed by default when we installed server 2008. I am able to move all the users to another container exclusively for them, but I am not sure which of the default security groups or items should go with. What I do know is that "Domain Users" and "Remote Desktop Users" should accompany them. Could you assist me in what other items should go with?

    Currently all the users have their own workstations, but their My Docs profiles are mapped and synced to the server. Because standard users' profiles coexist with Admin security groups, the normal users have elevated privileges that allow them to access parts of the server they by default should not be able to.

    Image: http://s14.postimg.org/aph8ymnoh/users.png


    • Edited by Pegasus007 Wednesday, January 07, 2015 11:28 PM
    Wednesday, January 07, 2015 11:20 PM

Answers

  • In: Active Directory Users and Computers:

    The Domain Users Profiles Coexist with Built in Security Groups. As Per Picture attached.

    Judging by the picture you've shown us, you have the "Users" container selected, showing the objects (user objects, and group objects) contained there.
    The user objects are not actually "profiles"; these are the user "account" objects.
    By default, there are several user objects, and group objects, created into this container when you first promote a server into a Domain Controller.


    We have about 50 users in the same container as the built in Security Groups indicated in the screen shot that installed by default when we installed server 2008. I am able to move all the users to another container exclusively for them, but I am not sure which of the default security groups or items should go with. What I do know is that "Domain Users" and "Remote Desktop Users" should accompany them. Could you assist me in what other items should go with?

    Currently all the users have their own workstations, but their My Docs profiles are mapped and synced to the server. Because standard users' profiles coexist with Admin security groups, the normal users have elevated privileges that allow them to access parts of the server they by default should not be able to.

    Image: http://s14.postimg.org/aph8ymnoh/users.png

    There is no need to relocate the group objects at all, if you don't wish to do so.
    The co-location of user objects, and group objects, is not relevant to any functionality at all. (that is, a group member may be a valid member of a group in the domain regardless of the container/OU where each entity resides).
    Placement of user objects, computer objects, group objects, is usually totally up to your sense of organizational logic, or more commonly, due to administrative security delegation borders/permissions. e.g., who should, and who should not, have the ability to administer those users/groups?

    If you are finding that some users do have excessive/undesirable privileges to some computer/server resources - it is not related to the proximity/colocation to domain groups - you must look elsewhere for the cause of the excessive permissions.

    What type of resources are you seeing which have the excessive permissions?
    Is it a share/folder/directory/file resource?
    Is it an Active Directory privilege?

    [also, note that this topic is not really related to Group Policy, it seems more related to Directory Services, at this stage of the discussion. I mention this only to alert you, that the forum which best matches the topic of your question will attract greater expertise on the correct topic :) ]


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, January 08, 2015 8:19 AM
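
An added example, not part of the original thread: one way to look for the cause of the excessive permissions in the two places the answer asks about, privileged group membership and the ACL on a file resource. It assumes the ActiveDirectory PowerShell module is available; `$sharePath` is a placeholder.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed.
# $sharePath is a placeholder for the resource where users appear to have excess access.
Import-Module ActiveDirectory
$sharePath = '\\SERVER01\Data'

# Groups whose membership confers administrative rights.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Server Operators','Backup Operators','Print Operators'

# 1. Effective (nested) user members of each privileged group, with the container
#    or OU each account lives in. Location is shown for context only: it is the
#    membership, not the container, that grants the rights.
$members = foreach ($name in $privileged) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }   # e.g. Enterprise Admins outside the forest root
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            New-Object psobject -Property @{
                Group    = $name
                User     = $_.SamAccountName
                Location = $_.distinguishedName -replace '^.+?(?<!\\),', ''
            }
        }
}
$members | Sort-Object User, Group | Format-Table User, Group, Location -AutoSize

# 2. NTFS ACL on the resource: Allow entries that give broad principals Modify or
#    higher. Share-level permissions are separate and are not covered here.
$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
$broad  = 'Domain Users','Authenticated Users','Everyone','Users'
(Get-Acl -Path $sharePath).Access |
    Where-Object {
        $who = ($_.IdentityReference.Value -split '\\')[-1]
        ($broad -contains $who) -and
        ($_.AccessControlType -eq 'Allow') -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Any ordinary account listed by step 1, or any row returned by step 2, is a candidate explanation for the access described in the question.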

All replies

  • Domain Users is a built-in security group in AD which has default permissions for every user that is part of AD; this group provides the necessary permission for users to log in to the AD directory. I am still trying to figure out what exactly your need is; could you provide more info, please? To understand what permissions the Domain Users group has, please look at these articles:

    http://technet.microsoft.com/en-in/library/cc756898(v=ws.10).aspx

    http://networkadminkb.com/KB/a41/differences-between-authenticated-users-domain-users.aspx

    http://ss64.com/nt/syntax-security_groups.html

    Please explain more about what the need is on this issue so that we can assist you further.


    Inderjit

    Thursday, January 08, 2015 7:37 AM