domain users in local users group on servers

lsysamc used Ask the Experts™
Looking for some opinions here.  When a server is joined to the domain, the domain users group is automatically added to the local users group on that server.  Has anyone noticed anything harmful or anything to watch for in removing this?

We disabled log on locally a while ago but that wasn't the issue we encountered. This gave all users the ability to create folders and files and have read access on all the shares by default unless this was implicitly removed. We had a user get infected with a ransomware virus and it was able to browse, server by server, every share on every server and try to encrypt these files (shares were not mapped). We found it was able to read the files and create an encrypted version but not able to delete the old copy, so we didn't lose any data. This did, however, imply to me that this default action on a server is a security risk.

Should domain users be removed from the local users group on servers?

You can remove the Domain Users group without any problem.
But please keep in mind that by default "Authenticated Users" is also a member.
This well known group includes all users that can authenticate and this includes all Domain Users.
So by only removing "Domain Users" you won't gain much.
You could try to remove "Authenticated Users" also but this might give problems when administrating the server, especially when User Account Control (UAC) is enabled. Also certain services may depend on it.
This is because the Users group is used on the C-drive in many directories.
I would at least leave INTERACTIVE in there.
You could maybe try it first on a test server.


When I create a share I normally remove security inheritance.  All the shares affected were old and did not have this removed so I was going to go ahead and remove it.  Is disabling inheritance along with disabling local login then the best practice?
Can you tell if you are using "Advanced sharing" when creating shares or do you use the sharing wizard?
And is it correct that you want to remove the "Users" group?
It's fine that you remove the group but you probably have to make sure that other groups are there/added which contain users that need to access the data.

Removing security inheritance is fine but to keep it manageable this should only be done on the top directory level and maybe on a second level but not within the shared data.

What I use as a best practice is separate data disks (not the C-drive) for sharing data.
After creation you can remove and set the correct groups that need access to the data on the root of the disk. E.g. only "Administrators" and "SYSTEM".
The "Users" group can be removed or if User Account Control is enabled you could leave the "Users" group in, but only with "List folder contents" for "This folder only".
In this way the "Users" group is not propagated to the subdirectories.
If you would then create a share with "Advanced sharing" on a directory then you only have to add the additional groups (which contain users) that need access to the data.
Normally I only assign "Read" and "Modify" permissions and no Full control.
Share permissions can normally be set to "Authenticated Users" with Change permissions.
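
One way to find the older shares that still carry the broad permissions discussed in this thread, as an added example that is not part of the original answer. It is a read-only PowerShell audit, assumed to run elevated on the file server; the function name `Get-BroadWriteAce` is hypothetical.

```powershell
# Added example: read-only audit, it changes no permissions.
# Well-known SIDs are matched instead of names so the check is locale-independent.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Bits that allow creating files or folders: CreateFiles (0x2),
# AppendData / CreateDirectories (0x4), raw GENERIC_WRITE and GENERIC_ALL.
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid  = $ace.IdentityReference.Value
        $name = $broadSids[$sid]
        # Domain Users is always <domain SID>-513.
        if (-not $name -and $sid -match '^S-1-5-21-.+-513$') { $name = 'Domain Users' }
        if (-not $name) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path                = $Path
            Principal           = $name
            Rights              = $ace.FileSystemRights
            Inherited           = $ace.IsInherited
            AppliesTo           = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            InheritanceDisabled = $acl.AreAccessRulesProtected
        }
    }
}

# Check the root folder of every non-administrative share on this server.
Get-SmbShare -Special $false |
    Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path) } |
    ForEach-Object {
        $share = $_
        Get-BroadWriteAce -Path $share.Path |
            Select-Object @{ n = 'Share'; e = { $share.Name } }, *
    } | Format-Table -AutoSize
```

Rows with `Inherited` set to True are the share roots still picking up the drive-level default. Only the share root is inspected, so subfolders with their own explicit entries need a separate pass.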


Yes I'm using advanced sharing. That's pretty close to how we set them up now. It's just the older shares I still need to fix. Thanks. Appreciate the help.
You're welcome and thanks too.
