What is a primary Group? What are its functions?

  • Question

  • Why do we need a primary group? I know it is only for Mac OS clients. But what is its exact functionality?

    What happens when the default primary group of a user "Domain Users" is changed to another group? 


    Thanks and Regards, Radhakrishnan

    Monday, June 25, 2012 6:36 AM

Answers

  • You can change a user's primary group in the AD using ADUC. But there is no reason to change it unless you are using some Macintosh machine or POSIX-compliant applications. I wouldn't recommend changing it because, by default, being part of the Domain Users group, users enjoy read access to the AD, which is required for accessing the GPOs inside the SYSVOL and other services. If you change or plan to change it, then I would expect nothing but inconsistencies.

    http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/31/how-can-i-change-a-user-s-primary-group.aspx



    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 25, 2012 11:44 AM

All replies

  • Hello,

    there is no need to change this:

    "The user's primary group applies only to users who log on to the network through Services for Macintosh or who run POSIX-compliant applications. Unless you are using these services, there is no need to change the primary group from Domain Users, which is the default value."


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 25, 2012 6:50 AM
  • What will happen if I change the primary group from "Domain Users" to some Global Group that I have created?

    Thanks and Regards, Radhakrishnan

    Monday, June 25, 2012 6:53 AM
  • Hello,

    "Setting the user's primary group membership to a value other than Domain Users may adversely impact performance as all users in the domain are members of Domain Users. If the user's primary group is set to another group, it may cause the group membership to exceed the supported maximum number of members."

    There is no need to change the group unless you use one of the above-mentioned options. So don't change it.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Monday, June 25, 2012 7:52 AM
  • Hi Weber

    I'm new to Active Directory... I'm looking for the purpose of a primary group. Can a user exist without a primary group? If yes, then how? If not, then why does he have to belong to a primary group, except that he enjoys the permissions of that group? What is the difference between having Domain Users as the primary group and having another empty group as the primary group? Please reply asap :)

    Thanks :)

    Deborah Arputham

    Friday, July 6, 2012 6:45 AM
  • Hi Awinish :) Do you mean other groups do not have the permissions to access the GPO inside SYSVOL? And also, can you elaborate on the "inconsistencies" one can expect when they change the primary group of the user? P.S. I'm trying to learn the purpose of the primary group, its functionalities, the advantage of having Domain Users as the primary group, etc. Thanks, Deborah Arputham
    Friday, July 6, 2012 6:55 AM
  • Changing primary group doesn't change membership, therefore you won't lose the access you've described.   
    Friday, September 21, 2018 10:03 PM
  • If a user is removed from the Domain User group, does that user still get the GPOs that apply to the OU where the user account is located?

    Thursday, October 4, 2018 5:02 PM
  • First, a user must have a primary group, so you must first assign a different group as the primary, then remove the user from "Domain Users".

    Second, GPOs are applied to all users whose object resides in an OU, site, domain, or security group. Group membership, including primary group, is not a factor unless the GPO has been applied to the group (Domain Users in your case). Any GPO linked to the OU where the user is located is not affected.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    Thursday, October 4, 2018 5:25 PM
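
Added example, not part of any reply in this thread: an offline audit that flags accounts whose primary group is no longer Domain Users and shows their effective group set. It relies on two Active Directory facts not stated above: `primaryGroupID` stores only the group's RID (513 for Domain Users), and `memberOf` does not list the primary group. The user records, domain SID and group names are constructed, and `memberOf` is simplified to plain names instead of DNs.

```python
import struct

DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group

def make_sid(*subs):
    """Build a binary SID under authority 5 (used only for the constructed records)."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_to_str(raw):
    """Decode a binary objectSid value into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(user_sid, primary_group_id):
    """Replace the user's own RID with primaryGroupID to get the group's SID."""
    return f"{user_sid.rsplit('-', 1)[0]}-{primary_group_id}"

def audit(users, groups_by_sid):
    """Return (account, primary group, effective groups) for non-default primary groups."""
    findings = []
    for u in users:
        pg_sid = primary_group_sid(sid_to_str(u["objectSid"]), u["primaryGroupID"])
        pg_name = groups_by_sid.get(pg_sid, pg_sid)      # fall back to the raw SID
        effective = sorted(set(u["memberOf"]) | {pg_name})
        if u["primaryGroupID"] != DOMAIN_USERS_RID:
            findings.append((u["sAMAccountName"], pg_name, effective))
    return findings

# Constructed sample data: hypothetical domain SID, accounts and groups.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
GROUPS = {
    sid_to_str(make_sid(*DOMAIN, 513)): "Domain Users",
    sid_to_str(make_sid(*DOMAIN, 1200)): "MacUsers",
}
USERS = [
    {"sAMAccountName": "alice", "objectSid": make_sid(*DOMAIN, 1105),
     "primaryGroupID": 513, "memberOf": ["Helpdesk"]},
    {"sAMAccountName": "bob", "objectSid": make_sid(*DOMAIN, 1106),
     "primaryGroupID": 1200, "memberOf": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, group, effective in audit(USERS, GROUPS):
        print(f"{name}: primary group {group}; effective groups {effective}")
```
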
  • What about inheriting NTFS permissions from "CREATOR GROUP" permissions of the parent directory?  According to https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/special-identities#bkmk-creatorgroup this gives permissions to the owner's primary group in the same manner "CREATOR OWNER" permissions are inherited as permissions for the owner themselves.
    Tuesday, January 1, 2019 11:34 AM
  • Probably best to ask a new question. This thread is old, and the original question was answered long ago. Most people don't look at answered threads.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, January 1, 2019 4:23 PM