Re: Possible to grant additional rights to a built-in group

From: Joe Richards [MVP] (
Date: 10/03/04

Date: Sun, 03 Oct 2004 12:38:24 -0400

This is off topic but I wanted to post it just the same to clear up terminology
that may hurt you some day.

There is a specific set of groups called "built-in groups".

These are very special in that they have special hard coded SIDs and should be
used very carefully on AD objects to secure them because there is no domain
affinity for them. I.E. Say you want to set the domain1\admnistrators group to
have access to modify things in the configuration container, there is one SID
for administrators group, it is S-1-5-32-544. So when that gets to a DC of
domain2, domain2 will show that permission to be permission to

DHCP Users and Admins are Domain Local Groups. They have full Domain relative
SIDS (i.e. the Domain SID is part of the group SID) so placing these ACLs on AD
objects is safe in terms of only one set of people (the ones in that specific
group) would be granted access to things. You could have other issues where
access isn't granted based on domain scope though for domain local groups.


Joe Richards Microsoft MVP Windows Server Directory Services
Christian wrote:
> Is it possible to grant additional user rights to a built-in group?
> How can I see what the currect access rights are and to what objects they 
> apply?
> I am trying to enhance the capabilities of the DHCP Users built-in group to 
> allow my HelpDesk perform minor adminitrative tasks without adding them to 
> the DHCP Administrators built-in group.
> Any pointers are greatly appreciated!
> Cheers,
> Christian 

Relevant Pages