question

Sus123 asked FanFan-MSFT answered

Check permissions assigned to "Domain Users" BUILTIN group

Hello,

I can see on the internet that Domain Users can perform the same actions as Users:
Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

I need to see what kind of privileges Domain Users have in our domain (I assume it is similar to rights delegation?).
How can I check that, and where?

windows-active-directory
FanFan-MSFT answered

Hi,

For the default permissions of Domain Users, you can refer to the following links:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainusers
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-users

Actually, I tried removing a user from the Domain Users group and then signing in to the machine.
The user can run normal programs such as MS Edge, cmd, and PowerShell, but I am not sure about other special programs.
You may try the operation with a test user in your environment and check whether it can run all the programs you want it to use.
Best Regards,

FanFan-MSFT answered

Hi,

First, I would suggest checking whether any scheduled tasks or user rights assignments were deployed to the users through GPO.
You can check that with the command: gpresult /h report.html

Then you can check that with the PowerShell command:
https://devblogs.microsoft.com/scripting/use-powershell-to-explore-active-directory-security/

The following scripts are also for your reference:
https://www.netwrix.com/how_to_get_ad_user_permissions_report.html

This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,

Sus123 answered FanFan-MSFT converted comment to answer

Thanks. I do not want to check assigned tasks, etc. I would like to see what kind of permissions are exactly granted in my domain.

FanFan-MSFT answered

Hi,
You can check that by right-clicking the domain name (or OUs containing users or computers) in ADUC.

Select the Security tab.

Select the users whose permissions you want to check and click Advanced; you can check more details there.

Best Regards,


Sus123 answered

I know about that way. The permissions can be assigned on the OU, subOU level, delegated to the group or user.

If the only way is to get all permissions from every OU, that is OK, but I think there is a better way.

I need to know, e.g., what happens if a new employee is not added to the Domain Users group? Will he be able to start a program? According to what I found on the internet, probably not.
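
A scripted version of the ADUC Security-tab check discussed in this thread, as an added example that is not part of any post: it reads the ACL of the domain root and of every OU and keeps only the entries granted directly to Domain Users. It assumes the RSAT ActiveDirectory module is installed; the function name Get-DomainUsersAce is hypothetical.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and an account that can read the security descriptors being inspected.
Import-Module ActiveDirectory

function Get-DomainUsersAce {
    [CmdletBinding()]
    param(
        # 513 is the well-known relative ID of the Domain Users group.
        [int]$Rid = 513
    )

    $domain    = Get-ADDomain
    $targetSid = "$($domain.DomainSID.Value)-$Rid"

    # Objects to inspect: the domain root plus every OU below it.
    $targets = @($domain.DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * |
                   Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        try {
            $acl = Get-Acl -Path "AD:\$dn" -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on ${dn}: $($_.Exception.Message)"
            continue
        }

        # Request SIDs instead of names so the match does not depend on
        # name resolution or on the group having been renamed.
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -ne $targetSid) { continue }

            [pscustomobject]@{
                Object              = $dn
                AccessType          = $ace.AccessControlType      # Allow or Deny
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType             # GUID of attribute or extended right
                InheritedObjectType = $ace.InheritedObjectType    # GUID of the child class it applies to
                IsInherited         = $ace.IsInherited
            }
        }
    }
}

# Explicit entries are set on the object itself rather than inherited from a parent.
Get-DomainUsersAce | Where-Object { -not $_.IsInherited } | Format-Table -AutoSize
```

This reports directory object permissions only. Entries granted to other groups that Domain Users members also belong to, and user rights assigned on machines through GPO (the gpresult report mentioned earlier in the thread), are not included.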
