• Status: Solved

Domain Users rights

I'm using Active Dir. on Win 2003 Server.  When I add a new user to the domain, the new user is automatically added to group Domain Users.  I've discovered that any users in Domain Users have access to the C: drive on every domain PC.  If the user is removed from Domain Users (after adding Domain Guest as the primary), he/she no longer can access the shared hard drives.  It seems to me that Domain Users have rights similar to Administrators.  Is this true?  Can Domain Users rights be changed?  Thanks!
Asked: rww833
 
Lazarus Commented:
Domain Users have nothing close to Administrator rights. The use of Drive C on the local machine does not give them full rights at all.
Here's a link to what each Group can do by default:
http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true
 
KCTS Commented:
Domain users is an automatic group whose membership cannot be controlled. When a user is authenticated against active directory they automatically become a member of domain users; when they log off they are removed.

Users have few privileges by being a member of domain users - though they may have permissions and rights as a result of memberships of other groups.

If you want to restrict domain users further, then just remove Domain Users from the ACLs.
Whatever you do, DON'T DENY Domain users - all users are domain users.
 
Lazarus Commented:
By using certain settings in the Active Directory GPOs you can do a lot of things to change rights. You can apply them to Groups of your own making in what's called an Organizational Unit "OU".
 
Jay_Jay70 Commented:
hmmm post 2.....i would assume you are not saying to remove domain users (the group) from the ACL....you will wreak havoc if you misstep even slightly

if you really want to do this properly and efficiently, then create a security template, import your security settings, and then import it into a GPO and apply it across the board....
 
rww833 (Author) Commented:
I admit I overstated it when I said Domain Users have comparable rights to Administrators.  I knew that can't be true.  However, my question still is:  Why do Domain Users have access to every local C: drive on the domain.   I can understand Administrators having access, but why Domain Users?  Thanks
 
Lazarus Commented:
A domain user only has access to the local computer's drives, not the entire domain's, unless something is totally hosed. The Domain User would need rights to be able to save and work on his computer. If you want them to not have those rights but only to be able to use a Network Resource you will have to either use Group Policies (GPOs) or remove the Domain Users ACL from the Drive.
 
redseatechnologies Commented:
What it probably is, is that someone has added "domain users" as a member of the "local administrators" on each computer.  It is not uncommon, but equally, not very bright.
 
Lazarus Commented:
That sounds very plausible... rww833 look into that as well, if you're saying that the Domain Users are able to see other computers' "C" drives from the network.
 
rww833 (Author) Commented:
Thanks for the follow-up.  "Domain Users" is not a member of local administrator, but "Authenticated Users" is a member.  If I remove Authenticated Users as a member, the ability to access other C: drives on the domain goes away.  However, the consultant I hired to perform the Novell to Win 2003 Server AD upgrade made it clear that Authenticated Users had to be on each local PC.  I'm guessing Authenticated Users and Domain Users are pretty much the same.
 
redseatechnologies Commented:
Your Novell consultant was defective.

Remove that, and add the domain user who will be using that machine as a local administrator

Authenticated Users is worse than Domain Users - it is as good as "Everyone" - Get rid of that, now, and never use that consultant again.
 
Lazarus Commented:
I second that...