This series of posts focuses on key Active Directory (AD) components that need to be secured in order to level up AD security. In this post, we focus on the often-misunderstood group called “Pre-Windows 2000 Compatible Access”.
This domain-scoped group is created automatically in the Built-in root OU of every Active Directory domain and controls anonymous access to AD. Its original intent was to provide a migration path from a Windows NT domain to Active Directory, hence the word Compatible in the name. Members of this group have read access to all users and groups in the domain.
Depending on the Windows Server version that was current when the Active Directory environment was first created, the Pre-Windows 2000 Compatible Access group may contain Everyone, Anonymous Logon, and/or Authenticated Users. For example, a Windows Server 2003 AD would have Everyone and Anonymous Logon as members.
In a new install of Windows Server 2025, this group only includes the Authenticated Users group.
If either Anonymous Logon or Everyone (or both!) is a member of the Pre-Windows 2000 Compatible Access group, it should be removed (after testing). We have heard of potential issues when both are removed and Authenticated Users is not a member, so verify that Authenticated Users is a member before removing the others. This needs to be done in each domain of the AD forest. As always, test first to identify potential issues.
Also note that Active Directory Certificate Services (ADCS) servers, i.e. CAs, are added automatically to the Pre-Windows 2000 Compatible Access group, so ADCS computer objects are expected as members. If the restricted certificate manager feature is not in use, the ADCS servers can be removed from this group.
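The checks described in the two paragraphs above (Everyone / Anonymous Logon present, Authenticated Users present, ADCS computer accounts expected), as an added report-only example that is not part of the original post. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; enterprise CAs are recognised by their pKIEnrollmentService objects in the configuration partition.

```powershell
# Added example: audit Pre-Windows 2000 Compatible Access in every domain of the forest.
# Report-only; any removal should follow the testing advice in the post.
Import-Module ActiveDirectory

# Well-known SIDs. Well-known principals appear in the group's member attribute as
# CN=<SID>,CN=ForeignSecurityPrincipals,DC=... rather than as normal objects.
$Everyone           = 'S-1-1-0'
$AnonymousLogon     = 'S-1-5-7'
$AuthenticatedUsers = 'S-1-5-11'
$PreWin2kSid        = 'S-1-5-32-554'   # BUILTIN\Pre-Windows 2000 Compatible Access

# Enterprise CAs register a pKIEnrollmentService object; their host names identify
# which computer members of the group are expected ADCS servers.
$configNC = (Get-ADRootDSE).configurationNamingContext
$caHosts  = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName |
    ForEach-Object { "$($_.dNSHostName)".ToLower() }

foreach ($domain in (Get-ADForest).Domains) {
    $group  = Get-ADGroup -Identity $PreWin2kSid -Server $domain -Properties member
    $sids   = @()
    $others = @()
    foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
            $sids += $Matches[1]
            continue
        }
        # Regular object (computer, user, group): resolve it and flag enterprise CAs.
        $obj  = Get-ADObject -Identity $dn -Server $domain -Properties objectClass, dNSHostName
        $isCa = ($obj.objectClass -eq 'computer') -and ($caHosts -contains "$($obj.dNSHostName)".ToLower())
        $others += "$($obj.Name) [$($obj.objectClass)$(if ($isCa) { ', enterprise CA' })]"
    }
    [pscustomobject]@{
        Domain                = $domain
        HasEveryone           = $sids -contains $Everyone            # should be False
        HasAnonymousLogon     = $sids -contains $AnonymousLogon      # should be False
        HasAuthenticatedUsers = $sids -contains $AuthenticatedUsers  # should be True
        OtherMembers          = $others -join '; '                   # CAs expected; review the rest
    }
}
```

Run it from a domain-joined management host; non-CA computers, users or groups listed under OtherMembers are the ones worth investigating before any clean-up.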
References:
- 6.1.1.4.12.14 Pre-Windows 2000 Compatible Access Group Object
- The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
- Configure certificate manager restrictions
- Why Active Directory integrated certificate authorities are members of the “Pre-Windows 2000 Compatible Access” security group