Re: Why Does WHOAMI /GROUPS Not Show Domain Users Membership?



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OI4xcZ$BIHA.3548@xxxxxxxxxxxxxxxxxxxxxxx
DU is exceptionally different from all other groups in AD storage form /
schema type so fetching group type enumerations misses it; and
additionally different as it is the default primary group of
account objects.

Thanks Roger. So I guess we could say Microsoft didn't implement showing
membership in Domain Users as part of the result shown by the command WHOAMI
/GROUPS because they didn't get around to it? Probably it makes sense to
see it there, even if it is an implicit membership. That's because the
group could be referenced in an ACL, and someone not as expert as you would
probably not give the group any different semantics than any other group in
the ACL. Experienced admins would probably just say "That's obvious so you
don't need to see it." But for consistency alone it would be good to see
it.

Just as background, I was trying to stop using the BUILTIN Users group on
the domain controller in ACLs for users who need access to file objects. I
would actually like to take Domain Users out of the BUILTIN\Users group, and
by doing that deny Domain Users even read level access to anything on the
domain controller's local file system. SYSVOL is of course the special case
and gets separate permissions that are inclusive of domain users.

Permission to access file system objects that are accessible to any domain
user would be through the Domain Users group, and we would strictly avoid
use of DOMAIN\Users references on such objects.

--
Will


"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:5_idnUUGiMG4vpranZ2dnUVZ_t-gnZ2d@xxxxxxxxxxxxxxx
When I log in to a member server in a domain and issue command line WHOAMI
/GROUPS, why is it I am not shown in the group "Domain Users"?

Is there a best practice or reason that would discourage you from using
Domain Users in ACLs on a file server?

--
Will
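
An added PowerShell example, not part of the thread, illustrating the two points above: a group list built from memberOf alone omits the primary group, which the directory stores as a RID in primaryGroupID, yet that group can still be the one an ACL entry matches. All SIDs, account names, group names and ACL entries are constructed sample data; nested and local (BUILTIN) group membership is left out.

```powershell
# Added example: constructed data only, no directory or file system is queried.
# In a live domain the inputs would be objectSid, primaryGroupID and memberOf.
function Get-PrimaryGroupSid {
    param([string]$ObjectSid, [int]$PrimaryGroupId)
    # The primary group is in the account's own domain, so its SID is the
    # account SID with the final RID replaced by the primaryGroupID value.
    $domainSid = $ObjectSid.Substring(0, $ObjectSid.LastIndexOf('-'))
    return "${domainSid}-${PrimaryGroupId}"
}

function Get-EffectiveGroupSids {
    param($User)
    # memberOf-derived groups plus the primary group that memberOf omits.
    $sids = @($User.MemberOfSids)
    $sids += Get-PrimaryGroupSid -ObjectSid $User.ObjectSid -PrimaryGroupId $User.PrimaryGroupId
    return $sids | Select-Object -Unique
}

# Constructed user; 513 is the well-known RID of Domain Users.
$user = [pscustomobject]@{
    Name           = 'EXAMPLE\will'
    ObjectSid      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    PrimaryGroupId = 513
    MemberOfSids   = @('S-1-5-21-1111111111-2222222222-3333333333-1201')  # hypothetical group
}

# Constructed ACL for a hypothetical folder on a file server.
$acl = @(
    [pscustomobject]@{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-513';  Rights = 'Read' }
    [pscustomobject]@{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1201'; Rights = 'Modify' }
    [pscustomobject]@{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1300'; Rights = 'FullControl' }
)

$memberOfOnly = @($user.MemberOfSids)
$effective    = @(Get-EffectiveGroupSids -User $user)

$report = foreach ($ace in $acl) {
    [pscustomobject]@{
        Sid                = $ace.Sid
        Rights             = $ace.Rights
        MatchedByMemberOf  = $memberOfOnly -contains $ace.Sid
        MatchedWithPrimary = $effective -contains $ace.Sid
    }
}
$report | Format-Table -AutoSize
```

The row ending in -513 is the one an access review based only on memberOf would report as not applying to the user.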

