Closed ckalinwi closed 10 months ago
Every single user in Active Directory should have Domain Users as the default group. However, the user named 'Guest', or however it's named in other language domains, should have Domain Guests.
Go to your AD and check that Guest user. Which group does it have?
The users in question are disabled and in the Domain Guests group (primary group ID 514) as opposed to the Domain Users group (primary group ID 513). That was done so that even if the user was willfully re-enabled they wouldn't have access to anything without them being re-added to the Domain Users group. If that's a finding according to best practices, I can do it another way; I was just confused by the wording vs. the actual test.
It's up to you what you do in your domain. The test does test the default settings and finds things outside of the norm, but the recommendations are for you to choose. If you have a purpose in something and you believe it's how you want it - leave it, or tell Testimo to ignore it.
Default account settings reads "Primary Group is always Domain Users with exception of Domain Guests" as OK, but then the check complains if users are in Domain Guests.
Which is correct? Thanks!
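The distinction discussed in this thread, as an added example that is not part of the original thread and not Testimo's own code: it separates the built-in Guest account (well-known RID 501) from other accounts whose primary group is Domain Guests (514), so a deliberate "disabled and parked" setup is reported as a known deviation. The function name `Get-PrimaryGroupFinding` and the sample accounts are assumptions constructed for illustration.

```powershell
# Classify accounts by primary group. Read-only: nothing is modified.
# Accepts Get-ADUser output or any object exposing
# SamAccountName, SID, Enabled and primaryGroupID.
function Get-PrimaryGroupFinding {
    param([Parameter(ValueFromPipeline)] $User)
    process {
        # The last SID component is the account RID. The built-in Guest is
        # matched by RID 501, not by name, since the name differs per language.
        $rid = "$($User.SID)".Split('-')[-1]
        $status = if ($User.primaryGroupID -eq 513) {
            'OK: Domain Users'
        } elseif ($rid -eq '501' -and $User.primaryGroupID -eq 514) {
            'OK: built-in Guest in Domain Guests'
        } elseif (-not $User.Enabled -and $User.primaryGroupID -eq 514) {
            'Deviation: disabled account parked in Domain Guests'
        } else {
            'Deviation: review primary group'
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Enabled        = $User.Enabled
            PrimaryGroupID = $User.primaryGroupID
            Status         = $status
        }
    }
}

# Constructed sample accounts (placeholder domain SID), not real data.
$d = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ SamAccountName='Guest';     SID="$d-501";  Enabled=$false; primaryGroupID=514 }
    [pscustomobject]@{ SamAccountName='alice';     SID="$d-1104"; Enabled=$true;  primaryGroupID=513 }
    [pscustomobject]@{ SamAccountName='old.user';  SID="$d-1187"; Enabled=$false; primaryGroupID=514 }
    [pscustomobject]@{ SamAccountName='svc.print'; SID="$d-1201"; Enabled=$true;  primaryGroupID=514 }
)
$sample | Get-PrimaryGroupFinding | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties primaryGroupID | Get-PrimaryGroupFinding |
#     Where-Object Status -like 'Deviation*'
```

An enabled account whose primary group is Domain Guests falls into the last branch and is the case most worth reviewing.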