From 7044abeed904b35d670678a53ad9eb086de01118 Mon Sep 17 00:00:00 2001
From: Thomas Garrity <31856350+poortom1004@users.noreply.github.com>
Date: Thu, 15 Oct 2020 13:56:19 -0500
Subject: [PATCH] Case sensitivity, re-ordering and other small corrections

- Normalized the casing from BuiltIn Local to Builtin Local for group types
- Corrected some other group types
- Corrected typo for references of Group Policy Creators Owners to Group Policy Creator Owners
- Re-ordered the Read-Only Domain Controllers group to be higher in the list to be correctly alphabetized so that it matches the order in the first table
- Corrected Guests group membership details
- Added missing SID info on a few groups
- Changed group types from Domain Global to Global
- Replaced "No" with "None" for default membership to be consistent with other groups
- RDS Endpoint Servers had an incorrect reference to the domain SID
- Users group incorrectly said it's a member of Domain users via primary group membership. This is incorrect because groups do not have primary groups, only users have primary groups.
---
 .../active-directory-security-groups.md | 235 +++++++++---------
 1 file changed, 117 insertions(+), 118 deletions(-)

diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 61198672fc..6522607d9d 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -576,7 +576,7 @@ This security group has not changed since Windows Server 2008.

Type

-

BuiltIn Local

+

Builtin Local

Default container

@@ -645,7 +645,7 @@ This security group has not changed since Windows Server 2008.

Type

-

BuiltIn Local

+

Builtin Local

Default container

@@ -717,7 +717,7 @@ This security group includes the following changes since Windows Server 2008:

Type

-

BuiltIn Local

+

Builtin Local

Default container

@@ -865,7 +865,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -987,7 +987,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-517

+

S-1-5-21-<domain>-517

Type
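Review bot: the corrected SID form is right: domain-relative well-known RIDs such as 517 hang off the domain identifier `S-1-5-21-<domain>`, where the `<domain>` placeholder stands for the three subauthority values that make up a domain SID, so `S-1-5-21-<domain>-517` now has the same shape as the other domain-group SIDs fixed in this patch. Builtin groups keep the `S-1-5-32-<RID>` form with no domain component, so a search of the file for any remaining `S-1-5-<domain>` strings would catch stragglers this patch missed.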

@@ -1113,7 +1113,7 @@ This security group was introduced in Windows Vista Service Pack 1, and it h

Type

-

Builtin local

+

Builtin Local

Default container

@@ -1241,7 +1241,7 @@ The Device Owners group applies to versions of the Windows Server operating syst

Type

-

BuiltIn Local

+

Builtin Local

Default container

@@ -1430,7 +1430,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Domain local

+

Builtin Local

Default container
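Review bot: this hunk changes a group's Type from `Domain local` to `Builtin Local` but carries no group name or SID in its context lines, so the change cannot be verified from the diff alone. The Type cell has to agree with the Well-Known SID/RID cell of the same table: `S-1-5-32-<RID>` identifies a builtin local group, while `S-1-5-21-<domain>-<RID>` identifies a domain group (global, domain local or universal). Please confirm this section's SID row, or widen the hunk context so the SID row is visible to reviewers.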

@@ -1493,7 +1493,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Domain Global

+

Global

Default container
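Review bot: replacing `Domain Global` with `Global` is the right call, since Active Directory group scopes are Global, Domain Local and Universal and "Domain Global" is not one of them; the same substitution appears in two later hunks, so the patch applies it consistently. For the same reason the `Domain local` values elsewhere in the file would read better as `Domain Local` once the casing normalization is finished.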

@@ -1552,7 +1552,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-515

+

S-1-5-21-<domain>-515

Type

@@ -1613,7 +1613,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-516

+

S-1-5-21-<domain>-516

Type

@@ -1674,7 +1674,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-514

+

S-1-5-21-<domain>-514

Type

@@ -1737,11 +1737,11 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-513

+

S-1-5-21-<domain>-513

Type

-

Domain Global

+

Global

Default container

@@ -1950,7 +1950,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Domain local

Default container
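Review bot: the new value `Domain local` uses a lower-case `l`, while every other Type value this patch writes is normalized to `Builtin Local`; pick one casing for `Domain Local` too so the normalization the commit message describes is complete rather than half done. The group name and SID are outside the hunk, so please also confirm that this section's SID is of the `S-1-5-21-<domain>-<RID>` form and not `S-1-5-32-<RID>` before moving it away from builtin, because a builtin group cannot be domain local.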

@@ -1985,13 +1985,13 @@ This security group has not changed since Windows Server 2008. -### Group Policy Creators Owners +### Group Policy Creator Owners This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx). -The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). +The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). This security group has not changed since Windows Server 2008. @@ -2009,7 +2009,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<domain>-520

+

S-1-5-21-<domain>-520

Type
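Review bot: renaming the heading `### Group Policy Creators Owners` to `### Group Policy Creator Owners` also changes the auto-generated anchor (`#group-policy-creators-owners` becomes `#group-policy-creator-owners`), so any inbound link to the old anchor, in this file or in other pages of the repo, breaks silently; please search the repo for the old anchor text and update the links in the same change. The SID fix in the following hunk to `S-1-5-21-<domain>-520` is correct for this group and consistent with the other domain-group SID corrections in the patch.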

@@ -2093,12 +2093,11 @@ This security group has not changed since Windows Server 2008.

Default members

-

Guest

+

Domain Guests

Guest

Default member of

-

Domain Guests

-

Guest

+

None

Protected by ADMINSDHOLDER?
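Review bot: the membership swap is correct in direction: with `Domain Guests` now under `Default members` and `Default member of` set to `None`, the table describes Domain Guests (a global group) nested inside the Guests builtin local group, which is the only nesting AD allows between the two, because a global group can contain only accounts and other global groups from its own domain and never a builtin or domain local group. The old `Default member of: Domain Guests` row was therefore impossible, not merely inaccurate, and the commit message entry "Corrected Guests group membership details" covers it.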

@@ -2150,7 +2149,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Type

-

Builtin local

+

Builtin Local

Default container

@@ -2162,7 +2161,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Default member of

-

No

+

None

Protected by ADMINSDHOLDER?

@@ -2211,7 +2210,7 @@ This security group has not changed since Windows Server 2008.

Type

-

BuiltIn Local

+

Builtin Local

Default container

@@ -2286,7 +2285,7 @@ This security group has not changed since Windows Server 2008.

Type

-

BuiltIn local

+

Builtin Local

Default container

@@ -2389,7 +2388,7 @@ This security group has not changed since Windows Server 2008.

Type

-

BuiltIn local

+

Builtin Local

Default container

@@ -2470,7 +2469,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -2551,7 +2550,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -2615,7 +2614,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -2679,7 +2678,7 @@ This security group has not changed since Windows Server 2008. However, in Windo

Type

-

Builtin local

+

Builtin Local

Default container

@@ -2758,7 +2757,7 @@ The following table specifies the properties of the Protected Users group.

Type

-

Domain Global

+

Global

Default container

@@ -2819,7 +2818,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Domain local

+

Builtin Local

Default container
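Review bot: this `Domain local` to `Builtin Local` change shows no group name or SID in its context, and the Type must follow the SID row of the same table. If the section is a domain group such as RAS and IAS Servers (`S-1-5-21-<domain>-553`, a domain local group by definition) the change would introduce an error; if it is an `S-1-5-32-<RID>` builtin group it is right. Please add the SID row to the hunk context or name the group in the commit message so the reviewer can check without opening the file.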

@@ -2876,11 +2875,11 @@ This security group was introduced in Windows Server 2012, and it has not chang

Well-Known SID/RID

-

S-1-5-32-<domain>-576

+

S-1-5-32-576

Type

-

Builtin local

+

Builtin Local

Default container
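Review bot: `S-1-5-32-576` is the right shape: subauthority 32 is the BUILTIN domain, which has no per-domain identifier, so the old `S-1-5-32-<domain>-576` mixed the builtin prefix with a domain placeholder and described a SID that could never resolve. It now matches the `S-1-5-32-582` and `S-1-5-32-581` values in the Storage Replica Administrators and System Managed Accounts tables later in this patch, and the commit message entry "RDS Endpoint Servers had an incorrect reference to the domain SID" accounts for it.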

@@ -2939,7 +2938,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3000,7 +2999,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3035,6 +3034,78 @@ This security group was introduced in Windows Server 2012, and it has not chang +### Read-Only Domain Controllers + +This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. + +Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: + +- Read-only AD DS database + +- Unidirectional replication + +- Credential caching + +- Administrator role separation + +- Read-only Domain Name System (DNS) + +For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx). + +This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeValue

Well-Known SID/RID

S-1-5-21-<domain>-521

Type

Global

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Denied RODC Password Replication Group

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

Default User Rights

See Denied RODC Password Replication Group

+ + ### Remote Desktop Users The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). @@ -3094,78 +3165,6 @@ This security group has not changed since Windows Server 2008. - - -### Read-Only Domain Controllers - -This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. - -Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: - -- Read-only AD DS database - -- Unidirectional replication - -- Credential caching - -- Administrator role separation - -- Read-only Domain Name System (DNS) - -For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx). - -This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
AttributeValue

Well-Known SID/RID

S-1-5-21-<domain>-521

Type

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Denied RODC Password Replication Group

Protected by ADMINSDHOLDER?

Yes

Safe to move out of default container?

Yes

Safe to delegate management of this group to non-Service admins?

Default User Rights

See Denied RODC Password Replication Group
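Review bot: this is not a pure move. The re-added table fills the `Type` row with `Global`, whereas in the removed copy the `Type` label is followed directly by `Default container`, so that cell was empty; the value is correct for Read-Only Domain Controllers (`S-1-5-21-<domain>-521` is a global group) but the commit message only mentions re-ordering and should say the Type was filled in. Two things could be fixed while the text is being moved anyway: `an Read-only domain controller is well suited` should read `a Read-only domain controller`, and the `Safe to delegate management of this group to non-Service admins?` row still has no value in either the old or the new position, so the table keeps an empty cell there.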

@@ -3197,7 +3196,7 @@ This security group was introduced in Windows Server 2012, and it has not chang

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3264,7 +3263,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3327,7 +3326,7 @@ This security group has not changed since Windows Server 2008.

Well-Known SID/RID

-

S-1-5-<root domain>-518

+

S-1-5-21-<root domain>-518

Type
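Review bot: keeping the `<root domain>` placeholder rather than `<domain>` is deliberate and correct: Schema Admins (RID 518) exists only in the forest root domain, so its SID is built from the root domain's identifier, and adding the `21` subauthority brings it into line with the other domain-group SIDs in the patch. Enterprise Admins (RID 519) has the same forest-root property and its table is not touched by this diff, so please confirm it already uses the `S-1-5-21-<root domain>-519` form and was not missed.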

@@ -3394,7 +3393,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3442,7 +3441,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv | Attribute | Value | |-----------|-------| | Well-Known SID/RID | S-1-5-32-582 | -| Type | BuiltIn Local | +| Type | Builtin Local | | Default container | CN=BuiltIn, DC=<domain>, DC= | | Default members | None | | Default member of | None | @@ -3463,7 +3462,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper | Attribute | Value | |-----------|-------| | Well-Known SID/RID | S-1-5-32-581 | -| Type | BuiltIn Local | +| Type | Builtin Local | | Default container | CN=BuiltIn, DC=<domain>, DC= | | Default members | Users | | Default member of | None | @@ -3507,7 +3506,7 @@ This security group only applies to Windows Server 2003 and Windows Server 200

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3574,7 +3573,7 @@ This security group includes the following changes since Windows Server 2008:

Type

-

Builtin local

+

Builtin Local

Default container

@@ -3588,7 +3587,7 @@ This security group includes the following changes since Windows Server 2008:

Default member of

-

Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)

+

None

Protected by ADMINSDHOLDER?
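Review bot: the rationale in the commit message holds and the change is right: `primaryGroupID` is an attribute of user and computer accounts, not of groups, so the builtin Users group (`S-1-5-32-545`) cannot be a member of Domain Users through it, and ordinary nesting cannot produce that relationship either, since a global group cannot contain a builtin local group. The nesting runs the other way, with Domain Users a default member of Users, so `Default member of: None` is the accurate value for this table.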

@@ -3641,7 +3640,7 @@ This security group has not changed since Windows Server 2008.

Type

-

Builtin local

+

Builtin Local

Default container