Join Log in
Score:0
friendly joe avatar Server

Why are some groups in “groups” and some in “builtin”?

in flag
friendly joe

can I move all of the default groups (and users) to → builtin? what’s the reason to have some of them in the groups/users folder. for example: “Allowed RODC Password Replication Group”.

44
0 + 0
Score:1
avatar Server
cn flag
Greg Askew

The Builtin container is the default container for security groups that are prefixed with the builtin Domain SID S-1-5-32. The SIDs for a given builtin security principal are the same on every Windows system and does not contain the domain SID.

The Users container is the default container for users and groups that aren't builtin.

There's no reason to move any objects into or out of the Builtin container.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

"SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain Builtin, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope."

0 + 0
friendly joe avatar
in flag
friendly joe
but is there a reason the group "Allowed RODC Password Replication Group" is not in this "builtin"-Container? and is it possible to move it from "groups" -> "builtin" without an issue?
0
Reply
cn flag
Greg Askew
@friendlyjoe: check the SID, it isn't a builtin SID (32), it's a domain SID (21). I don't believe there would be an issue, but there isn't much information because no-one does this.
0
Reply
friendly joe avatar
in flag
friendly joe
I know that there is not much information.. otherwise I wouldn't ask. that the SID is different on buitlin and domain users is also alright.. but doesn't really answer the question. I need soem way to make multi-tenancy possible in my IAM-System.. but I'm not able to disallow read-access to users/groups because then it will stop working..
0
Reply
cn flag
Greg Askew
@friendlyjoe: this is something that would take 10 minutes to test.
0
Reply
friendly joe avatar
in flag
friendly joe
I'm testing it rn, and it seems to work (I created an additional container for them). but I fear that there might be an issue in the future because of it.
0
Reply
Score:0
Semicolon avatar Server
jo flag
Semicolon

BUILTIN Groups are the original local groups of the first domain controller in the forest (which is why the "32" is in the SID). While all groups are in a sense local to the domain controllers, you'll find that these groups are essentially the "shared" local groups of the domain controllers. Over the years, more of these Domain Controller specific groups have been added (like the "Allowed RODC Password Replication Group")

Examples:

  • adding a user to the BUILTIN\Remote Desktop Users group grants RDP access to the Domain Controllers
  • adding a user to the Remote management user group confers WinRM access to domain controllers
  • Print Operators?  That's printer management on domain controllers (which you should never ever be doing).

That's the easiest way for me to understand.best way to think of them - generally, you should not be using these groups for anything else.

As for whether or not they can be moved?  I generally leave the BUILTIN groups alone, but if you're really keen on cleaning up, consult this document which details for you which can, cannot be moved.  Heed this reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-director...

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.