domain users in local users group on servers

Looking for some opinions here.  When a server is joined to the domain, the domain users group is automatically added to the local users group on that server.  Has anyone noticed anything harmful or anything to watch for in removing this?

We disabled log on locally a while ago but that wasn't the issue we encountered. This gave all users the ability to create folders and files and have read access on all the shares by default unless this was implicitly removed. We had a user get infected with a ransomware virus and it was able to browse, server by server, every share on every server and try to encrypt these files. (Shares were not mapped.) We found it was able to read the files and create an encrypted version but not able to delete the old copy, so we didn't lose any data. This did, however, imply to me that this default action on a server is a security risk.

Should domain users be removed from the local users group on servers?
lsysamc Asked:

zalazar Commented:
You can remove the Domain Users group without any problem.
But please keep in mind that by default "Authenticated Users" is also a member.
This well known group includes all users that can authenticate and this includes all Domain Users.
So by only removing "Domain Users" you won't gain much.
You could try to remove "Authenticated Users" also but this might give problems when administrating the server, especially when User Account Control (UAC) is enabled. Also certain services may depend on it.
This is because the Users group is used on the C-drive in many directories.
I would at least leave the INTERACTIVE in there.
You could maybe try it first on a test server.

lsysamc Author Commented:
When I create a share I normally remove security inheritance.  All the shares affected were old and did not have this removed so I was going to go ahead and remove it.  Is disabling inheritance along with disabling local login then the best practice?
zalazar Commented:
Can you tell if you are using "Advanced sharing" when creating shares or do you use the sharing wizard?
And is it correct that you want to remove the "Users" group?
It's fine that you remove the group but you probably have to make sure that other groups are there/added which contain users that need to access the data.

Removing security inheritance is fine but to keep it manageable this should only be done on the top directory level and maybe on a second level but not within the shared data.

What I use as a best practice is separate data disks (not the C-drive) for sharing data.
After creation you can remove and set the correct groups that need access to the data on the root of the disk. E.g. only "Administrators" and "SYSTEM".
The "Users" group can be removed or if User Account Control is enabled you could leave the "Users" group in, but only with "List folder contents" for "This folder only".
In this way the "Users" group is not propagated to the subdirectories.
If you would then create a share with "Advanced sharing" on a directory then you only have to add the additional groups (which contain users) that need access to the data.
Normally I only assign "Read" and "Modify" permissions and no Full control.
Share permissions can normally be set to "Authenticated Users" with Change permissions.
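
An added example, not part of the original thread: a read-only PowerShell audit that lists the members of the local Users group and then reports every ordinary disk share whose root folder grants write-type NTFS rights to a broad principal, including whether that entry is inherited. It assumes an English-language OS (group names are localized), an elevated session on the file server, and Windows PowerShell 2.0 to 5.1 (Get-WmiObject); including "Everyone" in the list is an assumption beyond the groups named in the thread.

```powershell
# Added example: read-only audit, changes nothing on the server.

# 1. Who is in the local Users group (look for Domain Users, Authenticated Users, INTERACTIVE).
net localgroup Users

# 2. Broad principals discussed in the thread; 'Everyone' is added here as an assumption.
$broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Rights that allow creating, changing or deleting data, plus GENERIC_WRITE and GENERIC_ALL.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($rights::CreateFiles -bor $rights::AppendData -bor $rights::Delete -bor
                   $rights::DeleteSubdirectoriesAndFiles -bor $rights::ChangePermissions -bor
                   $rights::TakeOwnership) -bor 0x40000000 -bor 0x10000000

# Type = 0 selects ordinary disk shares and skips admin shares such as C$ and IPC$.
$findings = Get-WmiObject -Class Win32_Share -Filter 'Type = 0' | ForEach-Object {
    $share = $_
    $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "Cannot read ACL for $($share.Path)"; return }

    foreach ($ace in $acl.Access) {
        $isBroad  = $broad -contains $ace.IdentityReference.Value
        $canWrite = ([int]$ace.FileSystemRights -band $writeBits) -ne 0
        if ($isBroad -and $canWrite -and $ace.AccessControlType -eq 'Allow') {
            New-Object PSObject -Property @{
                Share     = $share.Name
                Path      = $share.Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True = came from the parent folder or drive root
                Scope     = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

$findings | Sort-Object Share |
    Format-Table Share, Path, Identity, Rights, Inherited, Scope -AutoSize
```

Rows with Inherited = True are the older shares described above, where the drive root's default entry for Users still flows down into the shared folder.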
lsysamc Author Commented:
Yes I'm using advanced sharing. That's pretty close to how we set them up now. It's just the older shares I still need to fix. Thanks. Appreciate the help.
zalazar Commented:
You're welcome and thanks too.
Windows Server 2008