Score:0

Why are some groups in “groups” and some in “builtin”?

Can I move all of the default groups (and users) to Builtin? What's the reason to have some of them in the Groups/Users folder? For example: "Allowed RODC Password Replication Group".

Score:1

The Builtin container is the default container for security groups that are prefixed with the builtin domain SID S-1-5-32. The SIDs for a given builtin security principal are the same on every Windows system and do not contain the domain SID.

The Users container is the default container for users and groups that aren't builtin.

There's no reason to move any objects into or out of the Builtin container.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers

"SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain Builtin, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope."

Comments:

friendly joe: But is there a reason the group "Allowed RODC Password Replication Group" is not in this "builtin" container? And is it possible to move it from "groups" -> "builtin" without an issue?

answerer: @friendlyjoe: check the SID, it isn't a builtin SID (32), it's a domain SID (21). I don't believe there would be an issue, but there isn't much information because no-one does this.

friendly joe: I know that there is not much information, otherwise I wouldn't ask. That the SID is different on builtin and domain users is also alright, but doesn't really answer the question. I need some way to make multi-tenancy possible in my IAM system, but I'm not able to disallow read access to users/groups because then it will stop working.

answerer: @friendlyjoe: this is something that would take 10 minutes to test.

friendly joe: I'm testing it rn, and it seems to work (I created an additional container for them). But I fear that there might be an issue in the future because of it.
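The SID check suggested in the comments above, as an added example that is not part of the original post: it parses a SID either from its string form or from the raw bytes that LDAP returns in `objectSid`, and classifies it as builtin (first sub-authority 32) or domain (first sub-authority 21). The domain SID values below are constructed samples; only S-1-5-32-544 (BUILTIN\Administrators) is a real well-known SID.

```python
import struct
from typing import List, NamedTuple


class Sid(NamedTuple):
    revision: int
    authority: int
    subauthorities: List[int]

    def __str__(self) -> str:
        return "S-%d-%d" % (self.revision, self.authority) + "".join(
            "-%d" % s for s in self.subauthorities
        )


def parse_sid_string(text: str) -> Sid:
    """Parse the textual form, e.g. 'S-1-5-32-544'."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    return Sid(int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]])


def parse_sid_bytes(data: bytes) -> Sid:
    """Parse the binary objectSid layout: revision (1 byte), sub-authority count
    (1 byte), identifier authority (6 bytes big-endian), then N sub-authorities
    (4 bytes each, little-endian)."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, data[8:]))
    return Sid(revision, authority, subs)


def classify(sid: Sid) -> str:
    """'builtin' for S-1-5-32-*, 'domain' for S-1-5-21-*, otherwise 'other'."""
    if sid.authority != 5 or not sid.subauthorities:
        return "other"
    if sid.subauthorities[0] == 32:
        return "builtin"
    if sid.subauthorities[0] == 21:
        return "domain"
    return "other"


# Constructed sample: objectSid bytes for S-1-5-32-544 (BUILTIN\Administrators).
SAMPLE_BUILTIN_BYTES = bytes.fromhex("0102000000000005200000002002 0000".replace(" ", ""))
# Constructed sample: a domain group SID (domain identifier values are made up).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"
```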
Score:0

BUILTIN groups are the original local groups of the first domain controller in the forest (which is why the "32" is in the SID). While all groups are in a sense local to the domain controllers, you'll find that these groups are essentially the "shared" local groups of the domain controllers. Over the years, more of these domain controller specific groups have been added (like the "Allowed RODC Password Replication Group").

Examples:

  • adding a user to the BUILTIN\Remote Desktop Users group grants RDP access to the Domain Controllers
  • adding a user to the Remote management user group confers WinRM access to domain controllers
  • Print Operators?  That's printer management on domain controllers (which you should never ever be doing).

That's the easiest way for me to understand them, and the best way to think of them: generally, you should not be using these groups for anything else.

As for whether or not they can be moved? I generally leave the BUILTIN groups alone, but if you're really keen on cleaning up, consult this document, which details which can and cannot be moved. Heed this reference:

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-director...
