We help IT Professionals succeed at work.

Domain Users rights

rww833 asked
Last Modified: 2010-03-17
I'm using Active Dir. on Win 2003 Server.  When I add a new user to the domain, the new user is automatically added to group Domain Users.  I've discovered that any users in Domain Users have access to the C: drive on every domain PC.  If the user is removed from Domain Users (after adding Domain Guest as the primary), he/she no longer can access the shared hard drives.  It seems to me that Domain Users have rights similar to Administrators.  Is this true?  Can Domain Users rights be changed?  Thanks!
Watch Question

Domain Users having nothing close to Administrator rights. The use of Drive C on the local machine does not give them full rights at all.
Heres a link to what each Group can do by default:
Brian PiercePhotographer
Awarded 2007
Top Expert 2008

Domain users is an automatic group whose membership cannot be controlled. When a user is authenticated against active directory they automatically become a member of domain users, when the log off then they are removed.

Users have few privilages by being a member of domain users - though they my have permissions and rights are a result of memberships of other groups.

If you want to restrict domain users further, then just remove Domain Users from the ACLs
whatever you do DONT DENY Domain users - all users are domain users.

By using certain settings in the Active Directories GPO's you can do a lot of things to change rights. You can apply them to Groups of your own making in whats called an Organizational Unit "OU".
Top Expert 2006

hmmm post 2.....i would assume you are not saying to remove domain users (the group) from the ACL....you will wreak havoc if you misstep even slightly

if you really want to do this properly and efficiently, then create a security template, import your security settings, and then import if into a GPO and apply it accross the board....


I admit I overstated it when I said Domain Users have comparable rights to Administrators.  I knew that can't be true.  However, my question still is:  Why do Domain Users have access to every local C: drive on the domain.   I can understand Administrators having access, but why Domain Users?  Thanks
Unlock this solution and get a sample of our free trial.
(No credit card required)

What it probably is, is that someone has added "domain users" as a member of the "local administrators" on each computer.  It is not uncommon, but equally, not very bright.

That sounds very plausible... rww833 look into that as well, if your saying that the Domain Users are able to see other computers "C" drives from the network.


Thanks for the follow-up.  "Domain Users" is not a member of local administrator, but "Authenticated Users" is a member.  If I remove Authenicated Users as a member, the ability to access other C: drives on the domain goes away.  However, the consultant I hired to perform the Novell to Win 2003 Server AD upgrade made it clear that Authenticad Users had to be on each local PC.  I'm guessing Authenticated Users and Domain Users are pretty much the same.

Your novell consultant was defective.

Remove that, and add the domain user who will be using that machine as a local administrator

Authenticated Users is worse than Domain Users - it is as good as "Everyone" - Get rid of that, now, and never use that consultant again.

I second that...
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.