Question 101

You implement Azure Active Directory (Azure AD) Connect to synchronize your on-premises Active Directory objects to Azure AD. You discover that the Domain Users group is not available for assigning permissions to applications in Azure.

You need to resolve the issue using the least administrative effort.

The Domain Users group has the IsCriticalSystemObject attribute set, and any user or group with this attribute set is excluded from synchronization to Azure AD by design. Therefore, you should create a new group in Active Directory and add all the users from the domain to that group. Once that group has synchronized, it can be used to grant permissions to applications in Azure AD.

You should not move the Domain Users group to an Organizational Unit that is configured for synchronization. Doing this will not synchronize the group, because the well-known groups are excluded from synchronization by default regardless of their location.

You should not modify the IsCriticalSystemObject attribute of the group. This attribute is set by design to prevent replication of well-known objects to Azure AD. Such well-known objects are the default Active Directory groups and accounts, such as the Domain Administrator account.

You should not set a value on the repsTo attribute in Active Directory. This attribute stores the names of the domain controllers that the directory replicates the object to. It has no bearing on synchronization to Azure AD.
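The recommended fix, worked through in PowerShell as an added example that is not part of the original question. It assumes the ActiveDirectory and ADSync modules are installed, and the group name, OU path and domain are hypothetical placeholders to replace with your own values.

```powershell
# Added example: confirm why Domain Users does not sync, then build a
# syncable replacement group. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# 1. Show which groups carry isCriticalSystemObject = TRUE. Azure AD Connect
#    skips every one of these by design, so Domain Users will be in the list.
Get-ADGroup -Filter 'isCriticalSystemObject -eq $true' -Properties isCriticalSystemObject |
    Select-Object Name, isCriticalSystemObject |
    Sort-Object Name

# 2. Create an ordinary security group in an OU that is in the sync scope.
#    Name, OU and domain below are placeholders (assumptions, not real values).
$groupName = 'All-Domain-Users-Sync'
$targetOu  = 'OU=SyncedGroups,DC=contoso,DC=local'

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $groupName `
                -SamAccountName $groupName `
                -GroupScope Global `
                -GroupCategory Security `
                -Path $targetOu `
                -Description 'Replacement for Domain Users; synchronized to Azure AD'
}

# 3. Add every user object in the domain to the new group. Restrict the
#    filter (for example 'Enabled -eq $true') if you do not want disabled
#    accounts granted application access in the cloud.
$users = Get-ADUser -Filter * | Select-Object -ExpandProperty DistinguishedName
Add-ADGroupMember -Identity $groupName -Members $users

# 4. Verify the new group is NOT flagged critical, so the sync engine will take it.
Get-ADGroup -Identity $groupName -Properties isCriticalSystemObject |
    Select-Object Name, isCriticalSystemObject

# 5. Trigger a delta sync from the Azure AD Connect server instead of waiting
#    for the next scheduled cycle (ADSync module, run on that server).
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

After the delta cycle completes, the new group appears in Azure AD and can be assigned to enterprise applications; Domain Users itself remains on-premises only.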