Não existe um usuário que não seja membro de nenhum grupo no AD.
Usuários [SID S-1-5-32-545, domínio local]
Members of this group can perform most common tasks, such as running applications, using local and network printers, and locking the server. By default, the Domain Users group, Authenticated Users, and Interactive are members of this group. Therefore, any user account created in the domain becomes a member of this group.
Usuários do domínio [SID S-1-5-21-Domain-513, Global]
This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).
Veja basicamente a lista completa: link
Quanto ao grupo Usuários locais, aqui está um teste que fiz em uma máquina Server 2012 não associada ao domínio:
C:\Users\Administrator>net user Andy Pass.1234 /add
C:\Users\Administrator>runas /user:Andy Cmd.exe
Nova janela do Cmd aparece, agora sou o Andy.
C:\Users\Andy>whoami /groups
...
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
...
Mate essa janela, volte para a janela do meu Administrador.
C:\Users\Administrator>net localgroup users Andy /delete
The command completed successfully.
C:\Users\Administrator>runas /user:Andy cmd
Voltar para Andy:
C:\Users\Andy>whoami /groups
...
Everyone
BUILTIN\Users (Still there)
NT AUTHORITY\INTERACTIVE
...
Agora, de volta ao administrador.
C:\Users\Administrator>net localgroup users andy /delete
System error 1377 has occurred.
The specified account name is not a member of the group.
Interessante!
C:\Users\Administrator>net localgroup Users
Members
-------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
Mas não, Andy.
Ainda posso iniciar processos como Andy, mas se eu fizer logoff da máquina, não consigo fazer logon como Andy. Eu nem sequer mostrei a conta de Andy como uma conta possível para fazer logon na tela de logon. Apenas administrador.
Então, vamos dar uma olhada mais de perto no grupo Usuários locais:
PS C:\Scripts> Get-WmiObject Win32_Group | ? { $_.Name -EQ 'Users' } | Select *
Status : OK
Name : Users
Caption : SRV01\Users
Description : Users are prevented from making accidental or intentional system-wide changes and can run most applications
Domain : SRV01
InstallDate :
LocalAccount : True
SID : S-1-5-32-545
SIDType : 4
Scope : System.Management.ManagementScope
....
SIDType de 4? Isso significa que é um alias SID. (SidTypeAlias)