Update understand-security-groups.md #8047

Open
wants to merge 1 commit into
base: main
Expand Up @@ -112,7 +112,6 @@ The following list provides descriptions of the default groups that are located
- [Cloneable Domain Controllers](#cloneable-domain-controllers)
- [Cryptographic Operators](#cryptographic-operators)
- [Denied RODC Password Replication](#denied-rodc-password-replication)
- [Device Owners](#device-owners)
- [DHCP Administrators](#dhcp-administrators)
- [DHCP Users](#dhcp-users)
- [Distributed COM Users](#distributed-com-users)
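
Review bot: before the `- [Device Owners](#device-owners)` entry is dropped from this list, confirm that nothing else still links to the `#device-owners` anchor, because the heading it points at is removed in the same commit and any leftover in-page or cross-article link would break without warning. The title "Update understand-security-groups.md" also gives no reason for the removal; please state it in the PR description so the change can be checked against the group's actual status.
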
Expand Down Expand Up @@ -364,24 +363,6 @@ This security group includes the following changes since Windows Server 2008:
|Safe to delegate management of this group to non-service admins?||
|Default user rights|None|

### Device Owners

When the Device Owners group has no members, we recommend that you don't change the default configuration for this security group. Changing the default configuration might hinder future scenarios that rely on this group. The Device Owners group currently isn't used in Windows.

The Device Owners group applies to the Windows Server OS in [Default AD security groups](#default-ad-security-groups).

|Attribute|Value|
|--- |--- |
|Well-known SID/RID|S-1-5-32-583|
|Type|Builtin Local|
|Default container|CN=Builtin, DC=\<domain>, DC=|
|Default members|None|
|Default member of|None|
|Protected by AdminSDHolder?|No|
|Safe to move out of default container?|You can move the group, but we don't recommend it|
|Safe to delegate management of this group to non-service admins?|No|
|Default user rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight<p>[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight<p>[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege<p>[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege|

### DHCP Administrators

Members of the DHCP Administrators group can create, delete, and manage different areas of the server's scope. This includes the rights to back up and restore the Dynamic Host Configuration Protocol (DHCP) database. Even though this group has administrative rights, it isn't part of the Administrators group because this role is limited to DHCP services.
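
Review bot: the `### Device Owners` section removed in this hunk describes a built-in group that its own text treats as present but unused ("currently isn't used in Windows"), so deleting it leaves no reference for the well-known SID `S-1-5-32-583` or for the default user rights in its table (SeInteractiveLogonRight, SeNetworkLogonRight, SeChangeNotifyPrivilege, SeTimeZonePrivilege). Someone who meets that SID in a user-rights assignment or an ACL during an audit would have nothing to look it up against. If the group no longer ships on supported versions, say so in the PR; otherwise consider keeping the section, and in that case also complete the truncated `CN=Builtin, DC=\<domain>, DC=` value in the Default container row.
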