Hi,
The default permission for the domain users you can refer to the following link:
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainusers
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-users
Actually, i tried to remove a user from the Domain Users group, and then sign-into the machine.
The user can run the normal program such ms edge, cmd, powershell , but not sure other special programs .
You may try the operation for a test user in your environment and check if can run all the programs you want it to use.
Best Regards,