Are there any issues with removing the "Domain Users" group from the Local Users group on Windows Servers in a domain?

Question

  • I've done some searching and the best I can find is that for Windows NT 4.0 this was required because logged on users were not added to the Authenticated Users group. 

    I have removed the Domain Users group before on a couple of select servers without any apparent issues. But, I was wondering what the experience of others was.

    I can see that the group may be needed for file/print servers, but I don't see the need to make every user in the domain a local user on application servers, etc.

    Thanks,
    Brian
    Thursday, August 21, 2008 2:04 PM

Answers

    Hi,


    We do not suggest removing the "Domain Users" group from the Local Users group. For the reasoning, please see the following analysis:


    Every application that a user starts runs in the security context of that user. When a user logs on, an access token is created. The access token contains key security-related information, including the user’s SID, the SIDs of the groups to which the user belongs, and other information about the user’s security context. This access token is then attached to every process that the user runs during that logon session.

    An application runs as a process with threads of execution. When an application performs an operation on a user’s behalf, one of the threads performs the operation. For example, when a user opens a Word document, Microsoft Word, and not himself, actually opens the file. More precisely, one of the threads of execution performs the operation.

    For a thread to gain access to an object such as a file, it must identify itself to the operating system’s security subsystem. Threads and applications do not have a security identity, so they must borrow one from a security principal, such as Alice. When Alice starts an application, it runs as a process within her logon session. When one of the application’s threads needs to open a file, the thread identifies itself as Alice’s agent by presenting her access token. Alice is therefore ultimately responsible for anything that the thread does to the file or system on her behalf. If we grant only domain users access to some resources and we remove the "Domain Users" group from the Local Users group, the user will fail to access them.

    So far, the reason your applications have not encountered any problems is that the security context under which these applications run has enough permissions to operate on the necessary resources. However, we cannot exclude situations in which only domain users have been granted permission to operate. If we remove the "Domain Users" group from the Local Users group, applications running under a local user may fail to execute.

    Hope this helps.   

    • Marked as answer by David Shen Wednesday, August 27, 2008 4:57 AM
    Friday, August 22, 2008 4:03 AM
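A practical way to assess the impact the answer describes, before touching the group, is to audit what the nested membership currently grants. The following PowerShell script is an added example and not part of the thread; it assumes Windows Server 2016 or later with PowerShell 5.1 (for the built-in LocalAccounts cmdlets), and the directory roots in $Paths are constructed sample values.

```powershell
# Added example (not from the original thread). Assumes PowerShell 5.1+ on Windows
# Server 2016 or later; run elevated. $Paths roots are constructed sample values,
# adjust them to the application directories of the server being assessed.
param(
    [string[]]$Paths = @('C:\inetpub', 'D:\AppData')   # constructed sample roots
)

# 1. Confirm "Domain Users" is currently nested in the local Users group (BUILTIN\Users).
$nested = Get-LocalGroupMember -Group 'Users' |
    Where-Object { $_.Name -like '*\Domain Users' }
if ($nested) {
    Write-Host "Domain Users is a member of BUILTIN\Users via: $($nested.Name)"
} else {
    Write-Host 'Domain Users is NOT a member of BUILTIN\Users on this host.'
}

# 2. Find explicit filesystem ACEs that grant access to BUILTIN\Users (well-known SID
#    S-1-5-32-545). Domain users reach these resources only through the nesting above,
#    so removing "Domain Users" from the local group revokes that access.
$usersSid     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$usersAccount = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            foreach ($ace in $acl.Access) {
                # Inherited ACEs are skipped so each grant is reported once, at its source.
                if ($ace.IdentityReference.Value -eq $usersAccount -and
                    $ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited) {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Rights = $ace.FileSystemRights
                    }
                }
            }
        }
}
$findings | Format-Table -AutoSize

# 3. User-rights assignments (e.g. SeInteractiveLogonRight) granted to BUILTIN\Users
#    are lost for domain users as well; export them with secedit and look for the SID.
secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\rights.inf" -Pattern 'S-1-5-32-545'
```

Any path or user right the script reports should be re-granted to a more specific domain group before "Domain Users" is removed from the local Users group, otherwise the failures the answer warns about will appear.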