Symptoms

 


Process rights granted via the Domain Users group do not work, and the following error is logged:

24408 K2:DOMAINUser from XYZ.XYZ.XYZ.XYZ:NNNXXX does not have rights to Start Process ProcessProcess
 

 

Diagnoses

 


These permissions work for a specific user only once that user's containers have been resolved and updated in the Identity.Identity cache. How quickly this happens depends on your identity cache configuration settings and on connectivity to AD DS, which is required to obtain this information.
To confirm whether the issue lies with data in the K2 identity cache, it is sufficient to force an identity refresh for one affected user. This resolves the containers for that specific user (and it is what you should do instead of fully resolving a huge group such as Domain Users).
When a user logs on to K2, K2 checks the user's containers and can determine whether the user is a member of the Domain Users group. There is no need to have the Domain Users group fully resolved; only the containers for this specific user need to be resolved.
If a forced identity refresh for the specific user does not resolve the issue, examine the ADUM logs to identify any AD DS related errors that prevent the user's information from being retrieved from AD DS.

In general, where all users must have some rights on a process, it is preferable to use the special "Everyone" group in K2. This is a special K2 group (not identical to the Windows "Everyone" security principal) developed to indicate that all users should be able to exercise the configured rights on the process, without the overhead of going to the provider or making use of cached data. This group is surfaced when configuring process rights in Workspace. When the K2 "Everyone" group is used, details are not retrieved from the provider, and it works in a similar way to the Windows "Authenticated Users" security principal, just in a K2 context.

 

 

Resolution

It is strongly recommended to use the K2 "Everyone" group instead of Domain Users when all users are supposed to have the configured rights. It is simply more efficient and avoids the extra overhead associated with large groups whose membership has to be resolved and cached.
Where rights granted via Domain Users are not working, the procedure is to use the Force Identity Refresh utility to resolve the containers for the specific user. This should fix any errors, provided connectivity to AD DS is in place and the user's data can be refreshed. If this does not fix the problem for the user in question, examine the ADUM logs for errors resolving that specific user.

 

If you want to keep using the Domain Users group rather than Everyone for this scenario, you may want to increase the default cache expiration settings/identity cache refresh interval.
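
To decide which individual users to run Force Identity Refresh for, and which processes fail for so many users that the rights assignment should be reviewed, the 24408 messages can be grouped by user and process. The following is an added example, not K2 code: it assumes the message shape shown under Symptoms with a backslash between domain and user name, and the sample lines, names, addresses and the threshold of three users are constructed.

```python
import re
from collections import defaultdict

# Shape of the message shown in the Symptoms section. The backslash between
# domain and user name is an assumption; the token after "K2:" is taken whole.
DENIAL = re.compile(
    r"\b24408\s+K2:(?P<user>\S+)\s+from\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
    r"does not have rights to Start Process\s+(?P<process>.+?)\s*$"
)

# Constructed sample lines (not taken from a real server log).
SAMPLE_LOG = r"""
24408 K2:EXAMPLE\alice from 192.0.2.10:51234 does not have rights to Start Process HR\LeaveRequest
24408 K2:EXAMPLE\alice from 192.0.2.10:51260 does not have rights to Start Process HR\LeaveRequest
24408 K2:EXAMPLE\bob from 192.0.2.11:49800 does not have rights to Start Process HR\LeaveRequest
24408 K2:EXAMPLE\carol from 192.0.2.12:50011 does not have rights to Start Process HR\LeaveRequest
24408 K2:EXAMPLE\bob from 192.0.2.11:49822 does not have rights to Start Process Finance\Expense
Info 1234 unrelated line that must be ignored
""".strip().splitlines()


def denials_by_process(lines):
    """Map process name -> set of users denied Start rights on it."""
    denied = defaultdict(set)
    for line in lines:
        m = DENIAL.search(line)
        if m:
            # Account names are case-insensitive, so normalise before grouping.
            denied[m.group("process")].add(m.group("user").lower())
    return dict(denied)


def triage(lines, broad_threshold=3):
    """List every denied user (candidates for a per-user identity refresh)
    and the processes where at least `broad_threshold` distinct users were
    denied, which points at the rights assignment or AD DS connectivity
    rather than at one stale cache entry."""
    by_process = denials_by_process(lines)
    users = sorted({u for us in by_process.values() for u in us})
    broad = sorted(p for p, us in by_process.items() if len(us) >= broad_threshold)
    return {"refresh_users": users, "review_processes": broad}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
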

 

 



 