Simon336697 (Australia) asked:
Primary Group for a user

Hi guys hope you are all well and can assist.

We have a situation where a lot of our users have different primary groups.

From my understanding, a new user has a default primary group of Domain Users.

What we need to understand is this.

If you have a user, that was once a member of Domain admins, but has now been removed from domain admins, and their primary group is still Domain admins, does this mean they still have rights of a domain admin, even though they are not listed as a member of the Domain Admins group?

I hope this makes sense.

Basically, to put it another way.

User Bob was a member of Domain Admins.
His PRIMARY GROUP is Domain Admins

Now, Bob has been removed from Domain Admins due to a role change.
His PRIMARY GROUP has not changed, and is still Domain Admins.

Does this mean he still has user rights of a Domain Admin?

Should his primary group change back to the default of Domain Users?

Any help greatly appreciated.
SOLUTION by p_nuts (Netherlands)

This solution is only available to members.

ASKER (Simon336697)
Hi p_nuts. thanks for that.
Does a user's primary group affect what they can do?
SOLUTION

This solution is only available to members.
Agreed. It's there and that's fine; let's ignore the primary groups and get on with life ;)

SOLUTION

This solution is only available to members.
OBdA,
You are brilliant.
The scenario you paint is EXACTLY what we are seeing, and we were baffled as to why there is a difference between what we see in AD Users and Computers for the group Domain Admins and what we see for the same group when querying AD with a tool like dsquery.

OBdA,
If in our situation, a user:
- was previously a member of Domain Admins,
- has now been removed from the group Domain Admins,
- but STILL has Domain Admins as their PRIMARY GROUP,

Are you saying that this is a security risk?
OBdA,
I think in our organization, there are a lot of users who don't have domain users as their primary group.
Would you recommend:
1) Auditing all users to identify all users whose primary group is NOT domain users
2) From the list obtained from step 1), change their primary group back to domain users.
Would the rationale for doing this be to reduce risk since the wrong primary group can assign the users rights above what they should be entitled to?
What I am getting confused about is this:
If user Bob is a valid member of Domain Admins, so he is seen in ADUC, but his primary group is Domain Users, and you say that the primary group has an effect on users from a security standpoint, then why can Bob still perform domain admin tasks if his primary group is Domain Users?
Thanks so much for your help.
"The Primary Group field contains the SID for the owner's primary group. This information is used only by the POSIX subsystem, and it is ignored by the rest of Windows Server 2003."

so shouldn't be a direct security risk.

If I were you I would script everybody back to domain users as default group.

and be done with it.

Of course, first make sure your account isn't in there, so whatever happens you still have admin rights.

and stay away from changing primary group.

The only reason you would need to change the primary group might be for guests, where Domain Users have too many rights and you want a person to be a member of Domain Guests. But in that case you've broken another security rule, and that's: don't give any rights to Domain Users; use different groups.

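The two-step plan from the asker's post (audit every user whose primary group is not Domain Users, then change them back) and p_nuts's advice (script everyone back, but keep your own account out of it) fit in one script. The following PowerShell is an added example for this thread, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the account running it may modify the affected user objects, and that it is saved under the hypothetical name Reset-PrimaryGroup.ps1; the report path is an arbitrary choice. The primary group's SID is added to the user's access token at logon, which is why an audit is worth doing even when ADUC no longer lists the user in the group.

```powershell
<#
  Audit users whose primary group is not Domain Users, then (optionally) reset them.
  Added example for this thread; not code from the thread or from Microsoft.
  Assumes: RSAT ActiveDirectory module installed; the running account may modify
  the affected users; file name and report path are arbitrary choices.

  Usage:
    .\Reset-PrimaryGroup.ps1                      # step 1 only: audit, write CSV
    .\Reset-PrimaryGroup.ps1 -Remediate -WhatIf   # step 2 dry run, nothing changed
    .\Reset-PrimaryGroup.ps1 -Remediate           # step 2: apply
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,
    [string]$ReportPath = '.\primarygroup-audit.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

$domainSid   = (Get-ADDomain).DomainSID.Value
$domainUsers = Get-ADGroup -Identity 'Domain Users'
# primaryGroupID stores only the RID of the group; Domain Users is the well-known RID 513.
$domainUsersRid = [int]$domainUsers.SID.Value.Split('-')[-1]

# --- Step 1: audit ---------------------------------------------------------
# Filter on the DC so only the users that need attention come back.
$suspects = @(Get-ADUser -Filter "primaryGroupID -ne $domainUsersRid" `
                         -Properties primaryGroupID, memberOf)

$groupCache = @{}   # RID -> ADGroup, or $null if the RID no longer resolves to a group
$report = foreach ($u in $suspects) {
    $rid = [int]$u.primaryGroupID
    if (-not $groupCache.ContainsKey($rid)) {
        # Rebuild the group SID from the domain SID plus the RID and resolve it.
        $groupCache[$rid] = Get-ADGroup -Identity "$domainSid-$rid" -ErrorAction SilentlyContinue
    }
    $groupName = "<unresolved RID $rid>"
    if ($groupCache[$rid]) { $groupName = $groupCache[$rid].SamAccountName }
    [pscustomobject]@{
        SamAccountName            = $u.SamAccountName
        Enabled                   = $u.Enabled
        PrimaryGroupRID           = $rid
        PrimaryGroup              = $groupName
        ExplicitDomainUsersMember = ($u.memberOf -contains $domainUsers.DistinguishedName)
    }
}

if ($suspects.Count -gt 0) {
    $report | Sort-Object PrimaryGroup, SamAccountName |
        Export-Csv -Path $ReportPath -NoTypeInformation
}
Write-Host ("{0} user(s) have a primary group other than Domain Users; report: {1}" -f $suspects.Count, $ReportPath)

if (-not $Remediate) { return }

# --- Step 2: reset ---------------------------------------------------------
# Never touch the account running the script, so admin access cannot be lost mid-run.
$me = $env:USERNAME
foreach ($u in $suspects) {
    if ($u.SamAccountName -eq $me) {
        Write-Warning "Skipping $($u.SamAccountName): this is the account running the script."
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, 'Set primary group to Domain Users')) { continue }

    # A primary group can only be set to a group the user is already a direct member of.
    if ($u.memberOf -notcontains $domainUsers.DistinguishedName) {
        Add-ADGroupMember -Identity $domainUsers -Members $u
    }
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = $domainUsersRid }

    # Verify, and report whether the old primary group still appears as an explicit
    # membership, so the operator can decide whether that membership should go too.
    $after    = Get-ADUser -Identity $u -Properties primaryGroupID, memberOf
    $oldGroup = $groupCache[[int]$u.primaryGroupID]
    $status   = 'FAILED'
    if ([int]$after.primaryGroupID -eq $domainUsersRid) { $status = 'OK' }
    $oldName  = 'old group'
    $stillIn  = $false
    if ($oldGroup) {
        $oldName = $oldGroup.SamAccountName
        $stillIn = ($after.memberOf -contains $oldGroup.DistinguishedName)
    }
    $line = '{0}: primary group reset {1}; still an explicit member of {2}: {3}'
    Write-Host ($line -f $u.SamAccountName, $status, $oldName, $stillIn)
}
```

Run it without -Remediate first and review the CSV; the ExplicitDomainUsersMember column shows which users will need to be added to Domain Users before their primary group can be changed, and the per-user output after a reset tells you whether the old primary group is still granted through an explicit membership that should be reviewed separately.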
ASKER CERTIFIED SOLUTION

This solution is only available to members.