can I move all of the default groups (and users) to → builtin? what’s the reason to have some of them in the groups/users folder. for example: “Allowed RODC Password Replication Group”.
The Builtin container is the default container for security groups that are prefixed with the builtin Domain SID S-1-5-32. The SIDs for a given builtin security principal are the same on every Windows system and do not contain the domain SID.
The Users container is the default container for users and groups that aren't builtin.
There's no reason to move any objects into or out of the Builtin container.
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers
"SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain Builtin, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope."
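As an added example (not code from either reply), this PowerShell lists every group with its SID class and parent container so the S-1-5-32 rule above can be checked directly in a domain; it assumes the RSAT ActiveDirectory module on a domain-joined session, and the variable names are my own.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and a domain-joined session; $domainSid, $kind and $report are my names.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value   # e.g. S-1-5-21-<x>-<y>-<z>

$report = Get-ADGroup -Filter * | ForEach-Object {
    $sid = $_.SID.Value
    # Parent container = the DN with the leading "CN=<name>," RDN removed
    $container = ($_.DistinguishedName -split ',', 2)[1]

    $kind = if ($sid -like 'S-1-5-32-*') {
        'Builtin domain (S-1-5-32)'       # identical on every Windows system
    } elseif ($sid -like "$domainSid-*") {
        'This domain (domain SID + RID)'  # unique to this domain
    } else {
        'Other'
    }

    [pscustomobject]@{
        Name      = $_.Name
        SID       = $sid
        Kind      = $kind
        Container = $container
    }
}

# Anything in CN=Builtin whose SID is not S-1-5-32-*, or an S-1-5-32-* group
# living outside CN=Builtin, is a mismatch worth a second look.
$report | Where-Object {
    ($_.Container -like 'CN=Builtin,*') -xor ($_.Kind -like 'Builtin*')
} | Format-Table Name, SID, Kind, Container -AutoSize

# The group from the question: its SID is domain-relative (domain SID + RID),
# which is why it is created under CN=Users rather than CN=Builtin.
$report | Where-Object Name -eq 'Allowed RODC Password Replication Group' |
    Format-Table Name, SID, Kind, Container -AutoSize
```

On a healthy domain the first table is empty and the second shows a SID beginning with your domain SID, not S-1-5-32.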
BUILTIN Groups are the original local groups of the first domain controller in the forest (which is why the "32" is in the SID). While all groups are in a sense local to the domain controllers, you'll find that these groups are essentially the "shared" local groups of the domain controllers. Over the years, more of these Domain Controller specific groups have been added (like the "Allowed RODC Password Replication Group").
Examples:
That's the easiest way for me to understand them, and the best way to think of them - generally, you should not be using these groups for anything else.
As for whether or not they can be moved? I generally leave the BUILTIN groups alone, but if you're really keen on cleaning up, consult this document, which details which can and cannot be moved. Heed this reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-director...