BUILTIN Groups are the original local groups of the first domain controller in the forest (which is why the "32" is in the SID). While all groups are in a sense local to the domain controllers, you'll find that these groups are essentially the "shared" local groups of the domain controllers. Over the years, more of these Domain Controller specific groups have been added (like the "Allowed RODC Password Replication Group").
Examples:
- adding a user to the BUILTIN\Remote Desktop Users group grants RDP access to the Domain Controllers
- adding a user to the Remote management user group confers WinRM access to domain controllers
- Print Operators? That's printer management on domain controllers (which you should never ever be doing).
That's the easiest way for me to understand. Best way to think of them - generally, you should not be using these groups for anything else.
As for whether or not they can be moved? I generally leave the BUILTIN groups alone, but if you're really keen on cleaning up, consult this document, which details for you which can and cannot be moved. Heed this reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-director...
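
An audit of the groups named in the examples above, added here as an illustration and not part of the original post: it lists every account that currently holds domain controller access through them. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the groups carry their default English names.

```powershell
# Added example. Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Groups from the examples above (default English names, assumed unchanged).
# 'Remote Management Users' is the directory name of the WinRM group.
$groupNames = 'Remote Desktop Users', 'Remote Management Users', 'Print Operators'

# BUILTIN groups live in the Builtin container of the domain.
$builtinDn = "CN=Builtin,$((Get-ADDomain).DistinguishedName)"

$report = foreach ($name in $groupNames) {
    $group = Get-ADGroup -SearchBase $builtinDn -SearchScope OneLevel -Filter "Name -eq '$name'"
    if (-not $group) {
        Write-Warning "Group '$name' not found under $builtinDn"
        continue
    }

    # BUILTIN groups carry the S-1-5-32 prefix; skip anything that does not.
    if ($group.SID.Value -notlike 'S-1-5-32-*') {
        Write-Warning "'$name' has SID $($group.SID.Value), not a BUILTIN group"
        continue
    }

    try {
        # -Recursive expands nested groups so indirect members are reported too.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not enumerate '$name': $($_.Exception.Message)"
        continue
    }

    foreach ($member in $members) {
        [pscustomobject]@{
            Group    = $group.Name
            GroupSid = $group.SID.Value
            Member   = $member.SamAccountName
            Type     = $member.objectClass
            DN       = $member.distinguishedName
        }
    }
}

if ($report) {
    $report | Sort-Object Group, Member | Format-Table -AutoSize
}
else {
    'None of the audited BUILTIN groups has members.'
}
```

Any row in the output is an account with RDP, WinRM or printer-management rights on the domain controllers.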