What is a one sentence summary of your feature request?
Exclude Power Users from this rule, or treat it with lower severity than truly privileged groups such as Administrators.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
I am raising this on behalf of a customer. The customer is currently receiving findings for rule A-MembershipEveryone across five GPOs.
In these GPOs, the “Domain Users” object is a member of “Hauptbenutzer” (Power Users).
The stated purpose of this rule is to identify cases where local groups, such as Local Administrators or Terminal Server access groups, grant access to broad principals like Authenticated Users or Everyone through GPOs.
While it is reasonable to flag cases where Domain Users is added to highly privileged groups such as Administrators, the same concern does not apply equally to the Power Users group on modern operating systems. On Windows 10 and Windows 11, membership in Power Users does not provide meaningful elevated privileges.
Because of this, the current behavior appears too broad and may generate findings that are not materially risky. In addition, the default score of 15 points per finding feels disproportionately high compared to other findings, especially for cases involving Power Users.
How do you currently solve the challenges you have by not having this feature?
N/A
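As an added illustration (not part of the request above, nor code from the product it concerns), the following Python script shows the tiered-severity behaviour being asked for: it parses the Restricted Groups section of a GPO's GptTmpl.inf, flags local groups that receive broad principals (Everyone, Authenticated Users, Domain Users), and scores each finding by the target group rather than with one flat value. The sample INF text is constructed, the domain SID prefix is made up (only the 513 RID for Domain Users is real), and the point values are illustrative assumptions; the only number taken from the request is the current flat score of 15.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of a Restricted Groups section as written to
# MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf. SIDs carry a '*' prefix.
# The S-1-5-21-... domain prefix is made up; 513 is the Domain Users RID.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-513
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-11
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-1-0
*S-1-5-11__Memberof = *S-1-5-32-547
"""

# Well-known SIDs for the broad principals the rule is meant to catch.
BROAD_PRINCIPALS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
DOMAIN_USERS_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

# Illustrative tiers (assumption, not the product's scoring): the request says
# the current behaviour is a flat 15 points per finding regardless of group.
GROUP_TIERS = {
    "S-1-5-32-544": ("Administrators", 15),
    "S-1-5-32-555": ("Remote Desktop Users", 15),
    "S-1-5-32-547": ("Power Users", 2),
}
DEFAULT_POINTS = 10  # assumed score for any other local group


@dataclass
class Finding:
    group: str
    principal: str
    score: int


def parse_group_membership(inf_text: str) -> List[Tuple[str, str]]:
    """Return (group_sid, member_sid) pairs from the [Group Membership] section.

    Both directions are handled: '<group>__Members = a,b' lists members of a
    group, '<principal>__Memberof = g1,g2' lists groups a principal is added to.
    """
    pairs: List[Tuple[str, str]] = []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        tokens = [t.strip().lstrip("*") for t in value.split(",") if t.strip()]
        if key.lower().endswith("__members"):
            group = key[: -len("__Members")].lstrip("*")
            pairs.extend((group, member) for member in tokens)
        elif key.lower().endswith("__memberof"):
            principal = key[: -len("__Memberof")].lstrip("*")
            pairs.extend((group, principal) for group in tokens)
    return pairs


def broad_principal_name(sid: str):
    """Name of the broad principal for this SID, or None if it is not one."""
    if sid in BROAD_PRINCIPALS:
        return BROAD_PRINCIPALS[sid]
    if DOMAIN_USERS_RE.match(sid):
        return "Domain Users"
    return None


def score_findings(inf_text: str) -> List[Finding]:
    """Flag broad principals placed into local groups, scored per target group."""
    findings = []
    for group_sid, member_sid in parse_group_membership(inf_text):
        principal = broad_principal_name(member_sid)
        if principal is None:  # e.g. Domain Admins (RID 512) is not broad
            continue
        group_name, points = GROUP_TIERS.get(group_sid, (group_sid, DEFAULT_POINTS))
        findings.append(Finding(group_name, principal, points))
    return findings


def total_score(findings: List[Finding]) -> int:
    return sum(f.score for f in findings)


if __name__ == "__main__":
    result = score_findings(SAMPLE_GPTTMPL)
    for f in result:
        print(f"{f.principal} -> {f.group}: {f.score} points")
    print("tiered total:", total_score(result), "| flat 15/finding:", 15 * len(result))
```

Setting the Power Users tier to 0 and dropping zero-score findings would implement the "exclude" variant of the request; the tiers dictionary is the only thing that changes.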