Check permissions assigned to "Domain Users" BUILTIN group

Kinga Zorii 21 Reputation points
2021-03-31T08:12:37.183+00:00

Hello,

I can see on the internet that Domain Users can perform the same actions as Users:
Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

I need to see what kind of privileges Domain Users have in our domain (I assume it is similar to rights delegation?).
How can I check that, and where?


Accepted answer
  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-04-07T06:52:31.137+00:00

    Hi,

    For the default permissions of Domain Users, you can refer to the following links:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainusers
    https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-users

    Actually, I tried removing a user from the Domain Users group and then signing in to the machine.
    The user can run normal programs such as MS Edge, cmd, and PowerShell, but I am not sure about other special programs.
    You may try the operation with a test user in your environment and check whether it can run all the programs you want it to use.
    Best Regards,


4 additional answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-04-01T03:23:57.773+00:00

    Hi,

    First, I would suggest checking whether any scheduled tasks or user rights assignments were deployed to the users through GPO.
    You can check that with the command: gpresult /h report.html

    Then you can check that with PowerShell:
    https://devblogs.microsoft.com/scripting/use-powershell-to-explore-active-directory-security/

    The following scripts are also for your reference:
    https://www.netwrix.com/how_to_get_ad_user_permissions_report.html

    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
    Best Regards,


  2. Kinga Zorii 21 Reputation points
    2021-04-06T05:52:01.123+00:00

    Thanks. I do not want to check assigned tasks, etc. I would like to see what kind of permissions are exactly granted in my domain.


  3. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-04-06T08:02:09.167+00:00

    Hi,
    You can check that by right-clicking the domain name (or OUs containing users or computers) from ADUC.

    Select the Security tab.

    Select the users whose permissions you want to check and click Advanced to see more details.

    Best Regards,


  4. Kinga Zorii 21 Reputation points
    2021-04-06T14:23:13.233+00:00

    I know about that way. The permissions can be assigned on the OU, subOU level, delegated to the group or user.

    If the only way is to get all permissions from every OU, that is OK, but I think there is a better way.

    I need to know, e.g., what happens if a new employee is not added to the Domain Users group. Will he be able to start a program? According to what I found on the internet, probably not.

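
An added example, not part of the thread or of any answer above: one way to list the directory permissions granted to Domain Users on the domain root and every OU in a single pass, instead of opening each Security tab in ADUC. It assumes the RSAT ActiveDirectory module and read access to the directory. The CSV file name is a placeholder, and the script covers AD object ACLs only, not user rights assigned through GPO.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Match on SIDs so the result does not depend on display names or locale.
# RID 513 is Domain Users; S-1-5-32-545 is BUILTIN\Users, which contains
# Domain Users by default, so its entries apply to Domain Users members too.
$trustees = @{
    "$($domain.DomainSID.Value)-513" = 'Domain Users'
    'S-1-5-32-545'                   = 'BUILTIN\Users'
}

# Domain root plus every OU, so delegations made at any level are included.
$targets = @($domain.DistinguishedName) +
    @(Get-ADOrganizationalUnit -Filter * |
        Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Explicit and inherited rules, with trustees returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($trustees.ContainsKey($sid)) {
            [pscustomobject]@{
                Object     = $dn
                Trustee    = $trustees[$sid]
                Type       = $ace.AccessControlType      # Allow or Deny
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType             # all-zero GUID = applies to everything
                Inherited  = $ace.IsInherited
                AppliesTo  = $ace.InheritanceType
            }
        }
    }
}

# Full report to CSV (placeholder file name).
$report | Sort-Object Object, Trustee |
    Export-Csv -Path .\DomainUsers-ACEs.csv -NoTypeInformation

# Non-inherited entries are the ones set directly on that container.
$report | Where-Object { -not $_.Inherited } |
    Format-Table Object, Trustee, Type, Rights -AutoSize
```

Entries with `Inherited` set to False are the ones to review first, since they were placed on that specific container rather than flowing down from a parent.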