Local Security Policy on Server 2019

Anonymous
2024-02-19T12:47:03+00:00

Hi All,

I have these groups (Device Owners and Windows Manager\Windows Manager Group) in the local security policy.

Can someone tell me if I can delete those groups from the server?

What are they used for?

Is there any explanation of what these groups do?

I searched on Google and found only the information below:

Device Owners:

This group is not currently used in Windows.

Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Access this computer from the network: SeNetworkLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege
Change the time zone: SeTimeZonePrivilege

Window Manager\Window Manager Group

| Attribute | Value |
| :--- | :--- |
| Well-known SID/RID | S-1-5-90 |
| Object class | Foreign Security Principal |
| Default location in Active Directory | CN=WellKnown Security Principals, CN=Configuration, DC=<forestRootDomain> |
| Default user rights | Bypass traverse checking: SeChangeNotifyPrivilege<br>Increase a process working set: SeIncreaseWorkingSetPrivilege |


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-02-20T06:23:41+00:00

    Hello РустамЕрмуканбетов,

    Thank you for posting on the Microsoft Community Forum.

    Device Owners:

    The Device Owners group is one of the default security groups in Active Directory for Windows Server. However, this group is not currently in use in Windows. Its purpose is not clearly defined, and changing its default configuration may affect future scenarios that depend on this group. Refer to this link: Active Directory security groups | Microsoft Learn

    The device owner property shows which user the device has been assigned to. Hybrid Azure AD-joined Windows 10 or later devices don't have an owner. By default, Global Administrators and Device Owners in Azure AD are granted Local Administrator permissions. Azure AD Device Owner - Microsoft Q&A

    Windows Manager\Windows Manager Group:

    Window Manager groups are special identity groups in Windows. The Window Manager group is not a user account group, but rather a system-level group related to graphical user interface (GUI) functionality and window management in Windows.

    1. Window Manager groups are not managed directly through the Local Users and Groups tool.
    2. Members of this group include system-level processes responsible for working with windows, desktop assemblies, and other visual elements.
    3. Regular user accounts are usually not part of the window manager group; it is mainly used for system-level components.

    If you remove the Window Manager\Window Manager Group from the Increase Plan Priority user permission, some applications and computers do not function properly. You can refer to the link: Increase scheduling priority - Windows Security | Microsoft Learn

    Refer to this link for some explanations of user rights assignments: User Rights Assignment - Windows Security | Microsoft Learn

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-02-20T10:46:06+00:00

    Hi Daisy Zhou,

    Thank you for your detailed answer!

    Some additional information:

    Our server was on Windows Server 2016, and then we did an in-place upgrade to Windows Server 2019. Only after the upgrade did these groups appear in

    Local Security Policy -> Local Policies-> User Rights Assignment under:

    1. Allow log on locally
    2. Increase scheduling priority
    3. Bypass traverse checking
    4. Change the Time zone
    5. Increase a process working set
  3. Anonymous
    2024-02-28T03:50:51+00:00

    Hello Rustam.Y,

    Good day!

    It is not recommended to remove device owners and Windows Manager\Windows Manager groups from local security policies. "Device Owner" and "Windows Manager\Windows Manager Group" refer to the basic functions and permissions of the operating system, and deletion may cause system failures.

    Based on your description, the assignment of user rights for some on-premises policies has changed since the Windows Server 2016 upgrade. After an in-place upgrade on the Windows Server operating system, some user rights assignments may change. During the upgrade process, some security settings and permissions may be updated based on the new operating system version.

    I hope the information above is helpful.

    If you have any questions or concerns, please do not hesitate to let us know.

    Best Regards,

    Daisy Zhou

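To see which principals actually hold the rights discussed in this thread, the following added example (not part of any forum post) exports the local User Rights Assignment with `secedit` and resolves each SID to an account name. The function names are hypothetical, and `SeIncreaseBasePriorityPrivilege` is the constant behind "Increase scheduling priority"; the other constants are the ones quoted in the question.

```powershell
# Added example: list the holders of the user rights named in this thread.
# Run from an elevated Windows PowerShell prompt on the server being audited.
$rights = 'SeInteractiveLogonRight', 'SeNetworkLogonRight', 'SeChangeNotifyPrivilege',
          'SeTimeZonePrivilege', 'SeIncreaseWorkingSetPrivilege',
          'SeIncreaseBasePriorityPrivilege'   # "Increase scheduling priority"

function Resolve-Principal {          # hypothetical helper name
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-..." and already-resolved names as plain text.
    if ($Entry -notmatch '^\*(S-\d+(?:-\d+)+)$') { return $Entry }
    $sid = $Matches[1]
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]::new($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
        "$name ($sid)"
    } catch {
        "$sid (unresolved)"           # orphaned or unknown SID: worth a closer look
    }
}

function Get-UserRightsAssignment {   # hypothetical helper name
    param([string[]]$Right)
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the [Privilege Rights] area of the effective local policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $Right -contains $Matches[1]) {
                $name    = $Matches[1]
                $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
                [pscustomobject]@{
                    Right   = $name
                    Holders = @($holders | ForEach-Object { Resolve-Principal $_ })
                }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightsAssignment -Right $rights |
    ForEach-Object { '{0}: {1}' -f $_.Right, ($_.Holders -join '; ') }
```

Saving this output before and after an in-place upgrade gives a direct diff of which assignments the upgrade changed.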