“Authenticated Users” is a special built-in group in Active Directory. It is not a group in the sense of the Group Scope table below: its membership is not edited by an administrator. This group includes all users who have a password in the Active Directory domain or in a trusted domain.
To be clear, Authenticated Users contains all manually created user accounts in all trusted domains, whether or not they are members of the Domain Users group. Authenticated Users specifically does not contain the built-in Guest account, but it does contain other user accounts that have been created and added to Domain Guests.
By design, “Authenticated Users” cannot be added to user-created groups; it can only be added to built-in groups. To grant it access, you assign “Authenticated Users” permissions directly on each resource (a file share, an NTFS folder, a printer). Because any account with a password is part of “Authenticated Users”, it is available when applying permissions directly to an object, and it can also be placed in local computer groups.
Scope | Possible members | Scope conversion | Can grant permissions | Possible member of |
---|---|---|---|---|
Universal | Accounts from any domain in the same forest; Global groups from any domain in the same forest; other Universal groups from any domain in the same forest | Can be converted to Domain Local scope if the group isn’t a member of any other Universal group; can be converted to Global scope if the group doesn’t contain any other Universal group | On any domain in the same forest or trusting forests | Other Universal groups in the same forest; Domain Local groups in the same forest or trusting forests; local groups on computers in the same forest or trusting forests |
Global | Accounts from the same domain; other Global groups from the same domain | Can be converted to Universal scope if the group isn’t a member of any other Global group | On any domain in the same forest, or trusting domains or forests | Universal groups from any domain in the same forest; other Global groups from the same domain; Domain Local groups from any domain in the same forest, or from any trusting domain |
Domain Local | Accounts from any domain or any trusted domain; Global groups from any domain or any trusted domain; Universal groups from any domain in the same forest; other Domain Local groups from the same domain; accounts, Global groups, and Universal groups from other forests and from external domains | Can be converted to Universal scope if the group doesn’t contain any other Domain Local group | Within the same domain | Other Domain Local groups from the same domain; local groups on computers in the same domain, excluding built-in groups that have well-known security identifiers (SIDs) |
What is a Special Identity Group?
Officially, Microsoft calls the built-in groups that you can’t edit “Special Identity Groups”; here is the complete list of them:
- Anonymous Logon
- Attested key property
- Authenticated Users
- Authentication authority asserted identity
- Batch
- Console logon
- Creator Group
- Creator Owner
- Dialup
- Digest Authentication
- Enterprise Domain Controllers
- Enterprise Read-only Domain Controllers
- Everyone
- Fresh Public Key identity
- Interactive
- IUSR
- Key trust
- Local Service
- LocalSystem
- MFA key property
- Network
- Network Service
- NTLM Authentication
- Other Organization
- Owner Rights
- Principal Self
- Proxy
- Read-only Domain Controllers
- Remote Interactive Logon
- Restricted
- SChannel Authentication
- Service
- Service asserted identity
- Terminal Server User
- This Organization
- Window Manager\Window Manager Group
What’s the Difference Between Everyone and Authenticated Users?
Put simply, Everyone excludes no one, including users who do not have an Active Directory account.
For instance, imagine an FTP site set up in IIS that is restricted to Authenticated Users; it would not allow anonymous access. Another scenario we have run into several times is Linux machines connecting to Windows shares. If the share is set to allow Everyone to connect, Linux clients have no problems; if it is set to Authenticated Users, those connecting from Linux will need to supply Windows credentials.
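Since the difference between Everyone and Authenticated Users only matters where permissions are assigned directly on a resource, a useful check is to list which NTFS and share-level entries grant access to either identity. The PowerShell below is an added example, not code from the original article; it assumes a Windows host with the built-in `SmbShare` module, a caller permitted to read the ACLs, and placeholder path and share names (`D:\Shares\Finance`, `Finance`). It matches NTFS entries by well-known SID (`S-1-1-0` for Everyone, `S-1-5-11` for Authenticated Users) so that localized display names do not matter.

```powershell
# Added example (not from the original article): report NTFS and SMB share
# grants to the Everyone and Authenticated Users special identities.
# Assumptions: SmbShare module present, caller can read the ACLs,
# path/share names below are placeholders.

function Get-SpecialIdentityGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Well-known SIDs for the two identities (fixed, documented values).
    $everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $authUsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Compare by SID rather than display name; Translate() also copes with
        # entries that are already unresolved SIDs.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $everyoneSid -and $sid -ne $authUsersSid) { continue }

        if ($sid -eq $everyoneSid) {
            # Everyone can include unauthenticated callers where anonymous
            # access is enabled on the host; Authenticated Users cannot.
            $finding = 'Everyone: may include unauthenticated callers'
        } else {
            $finding = 'Authenticated Users: requires a valid credential'
        }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

function Get-SpecialIdentityShareGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ShareName
    )

    # Get-SmbShareAccess returns the share-level permissions, which apply on
    # top of the NTFS permissions checked above. AccountName is a string here,
    # so this match is by name (English display names assumed).
    Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq 'Everyone' -or $_.AccountName -like '*\Authenticated Users'
    } | Select-Object Name, AccountName, AccessControlType, AccessRight
}

# Usage (placeholder names):
Get-SpecialIdentityGrant -Path 'D:\Shares\Finance' | Format-Table -AutoSize
Get-SpecialIdentityShareGrant -ShareName 'Finance' | Format-Table -AutoSize
```

The two functions are kept separate because share-level and NTFS permissions are evaluated independently; the effective access for a connecting client is the more restrictive of the two, so an Everyone entry at either layer is worth reviewing.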