
What is the difference between a member of the "Users" group and a user who is not a member of any group on a Windows domain? I searched and just didn't find anything relevant at all.

Joe Schmoe

1 Answer

There's no such thing as a user who is not a member of any groups at all in AD.

Users [SID S-1-5-32-545, Domain Local]

Members of this group can perform most common tasks, such as running applications, using local and network printers, and locking the server. By default, the Domain Users group, Authenticated Users, and Interactive are members of this group. Therefore, any user account created in the domain becomes a member of this group.

Domain Users [SID S-1-5-21-Domain-513, Global]

This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).

Here's pretty much the full list: http://support.microsoft.com/kb/243330/en-us

As for the local Users group, here's a test I did on a non-domain-joined Server 2012 machine:

C:\Users\Administrator>net user Andy Pass.1234 /add
C:\Users\Administrator>runas /user:Andy Cmd.exe

A new Cmd window appears; I am now Andy.

C:\Users\Andy>whoami /groups
...
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
...

Kill that window, go back to my Administrator window.

C:\Users\Administrator>net localgroup users Andy /delete
The command completed successfully.

C:\Users\Administrator>runas /user:Andy cmd

Back to Andy:

C:\Users\Andy>whoami /groups
...
Everyone
BUILTIN\Users (Still there)
NT AUTHORITY\INTERACTIVE
...

Now back to Administrator.

C:\Users\Administrator>net localgroup users andy /delete
System error 1377 has occurred.
The specified account name is not a member of the group.

Interesting!

C:\Users\Administrator>net localgroup Users

Members
-------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE

But no Andy.

I can still launch processes as Andy, but if I log off the machine, I am not able to log on as Andy. I'm not even shown Andy's account as a possible account to log on to at the logon screen. Only Administrator.

So let's take a closer look at the local Users group:

PS C:\Scripts> Get-WmiObject Win32_Group | ? { $_.Name -EQ 'Users' } | Select *

Status           : OK
Name             : Users
Caption          : SRV01\Users
Description      : Users are prevented from making accidental or intentional system-wide changes and can run most applications
Domain           : SRV01
InstallDate      :
LocalAccount     : True
SID              : S-1-5-32-545
SIDType          : 4
Scope            : System.Management.ManagementScope
....

SIDType of 4? That means it's an alias SID. (SidTypeAlias)

Ryan Ries
  • I don't have access to a domain environment right now, just to a non-domain Windows Server 2008 R2. Newly created users are members of the local group "Users" (which I guess would be similar to "Domain Users" in a domain environment), but I can remove their membership in this group. Members of the local "Users" group can, for instance, log on locally to the computer and run applications. What if the membership in the local "Users" group is revoked? Would they still be able to log on locally? – Joe Schmoe Jun 13 '13 at 12:53
  • Note, you can take users out of the default Users group if you add another group and make that the user's primary group. I've had to do that before on shoddy setups where the default user account had too many permissions to allow for low-permission users. – Satanicpuppy Jun 13 '13 at 12:59
  • I just tried on Windows XP Pro (don't want to mess with the server): created new user, removed membership in "Users" group (so yes, you can log on locally while not being a member of any local group). Successfully logged on locally as this user. Logged off. Checked user properties - it is still not a member of "Users" group. – Joe Schmoe Jun 13 '13 at 13:23
  • @JoeSchmoe Sorry, was a little inaccurate in what I told you - I have revised a little. – Ryan Ries Jun 13 '13 at 13:57
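The following PowerShell audit script is an added example, not part of the answer or the comments above. It reproduces the answer's check with the LocalAccounts cmdlets: whether a local account is a direct member of BUILTIN\Users, which nested well-known principals (Authenticated Users, INTERACTIVE) still pull it in implicitly, and what the SIDType number from the Win32_Group query means. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the default account name 'Andy' mirrors the answer's test account and is a placeholder.

```powershell
# Added example, not from the original answer. Audits how a local account ends up in
# BUILTIN\Users: directly, or only implicitly via the nested well-known principals that
# "net localgroup Users" lists. Requires the Microsoft.PowerShell.LocalAccounts module.
param([string]$UserName = 'Andy')   # placeholder; the answer's test account

$usersSid  = 'S-1-5-32-545'          # well-known SID of BUILTIN\Users (SidTypeAlias)
$wellKnown = @{                      # well-known SIDs present in every interactive logon token
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
}
# SID_NAME_USE values as reported in Win32_Group.SIDType (4 = alias, as seen in the answer)
$sidTypeNames = @{ 1 = 'User'; 2 = 'Group'; 3 = 'Domain'; 4 = 'Alias'; 5 = 'WellKnownGroup'; 9 = 'Computer' }

function Get-UsersGroupMembership {
    param([string]$Name)
    $members = Get-LocalGroupMember -SID $usersSid
    # Direct membership: the account itself is listed in the group
    $direct = @($members | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -like "*\$Name" })
    # Implicit membership: the group contains well-known principals that every logon carries,
    # so BUILTIN\Users still shows up in "whoami /groups" after "net localgroup users X /delete"
    $nested = @($members | Where-Object { $wellKnown.ContainsKey($_.SID.Value) })
    [pscustomobject]@{
        User         = $Name
        DirectMember = ($direct.Count -gt 0)
        ImplicitVia  = ($nested | ForEach-Object { $wellKnown[$_.SID.Value] }) -join ', '
    }
}

# Decode the SIDType number that the answer's Get-WmiObject query returned
$grp = Get-CimInstance Win32_Group -Filter "SID='$usersSid'"
"{0}\{1}: SIDType {2} = {3}" -f $grp.Domain, $grp.Name, $grp.SIDType, $sidTypeNames[[int]$grp.SIDType]

Get-UsersGroupMembership -Name $UserName | Format-List

# Cross-check on the running session's own token (the current user, not $UserName):
# BUILTIN\Users is present whether or not the account is a direct member of the group.
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken = $token.Groups.Value -contains $usersSid
"Current token ({0}) contains BUILTIN\Users: {1}" -f $token.Name, $inToken
```

Run it from an elevated prompt after the answer's "net localgroup users Andy /delete" step: DirectMember flips to False while ImplicitVia still lists Authenticated Users and INTERACTIVE, which is why removing the direct entry is not by itself a privilege reduction.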