Windows Server 2008 Default Group Changes

With the introduction of Microsoft Windows Server 2008, ALL users are required to be a member of the Domain Users group (this includes domain admin accounts). If an account does not include the Domain Users membership, you may still get authenticated, however you will NOT receive a desktop when logging into the server. Altering the default user profile to allow the EVERYONE group full control and the the EVERONE group full control of the default registry hive makes no difference. I have confirmed this with a Microsoft Support Representative today. This implies that if security rules exist that Deny Domain Users access to an object, but you still wish the Domain Administrators to have access the implementation will need to be altered. In this case, create a new group and explicitly deny access to the object by the group, then add all domain users to the group.