Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Wednesday, March 10, 2010

What is the difference between Domain Users and Authenticated User?

This question came about from my recommendation that resources are shared utilizing the Authenticate Users group instead of the Everyone group. The issue was why we do not use the Domain Users group. Reading below you will see that the Domain Users group can be used on domain controllers. For resources on non-domain controllers, you will need to use the Authenticated Users group. For simplicity and a consistent configuration throughout your network, I still recommend the use of Authenticated Users for all resource sharing that is open to all authenticate users of your environments.

Microsoft definition of the Authenticated Users group is: Includes all users with a valid user account on the computer or in Active Directory services. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.

Domain Users group: This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).

Everyone Group: Includes all users who access the computer. Windows 2000 will authenticate a user who does not have a valid user account as Guest. The user automatically gets all rights and permissions assigned to the Everyone group. A group that includes all users, even anonymous users and guests. (The anonymous users were removed from this group with Windows Server 2003)  I updated this information on Aug 27, 2012 in another blog posting.

Do not assign resource permissions or user rights to this account. Use Authenticated Users or specific user accounts and groups where necessary

2 comments:

Anonymous said...

You are wrong about the use of the Domain Users group. The group only exists when you have a Domain Controller, and by extension it is hosted there, but you can use it on any member computer (workstation or server). It is the most secure option because (1) its membership is controlled by Administrators and not calculated and (2) because it is a Global Group will only contain users from the local domain. Authenticated Users includes all user and computer accounts from the local domain and any trusted domains.

Jason Yoder, MCT said...

Mr. Anonymous, you are correct. Looking at that I’m wondering what I was thinking when I wrote that. I must of have been having a real long day. I have update the information. Please remember to utilize your real name when posting comments.