Differences between Authenticated Users, Domain Users, and Everyone groups

Author: NetworkAdminKB.com
Created: 2008-11-07
Modified: 2011-07-11

Information:

The following explains the difference between Authenticated Users, Domain Users, and Everyone groups.

 

Domain Users

Of the three groups listed Domain Users is the only actual group.  By that I mean you can add and remove members from this group.  Domain Users is a Global Group in the domain, and it can only contain users that are members of same domain the Domain Users group resides in.  By default all users created in the domain are automatically members of this group.  However, the default Guest account in the domain is not a member of this group, instead it is placed in the Domain Guest group

 

The SID for Domain Users is S-1-5-<domain>-513.  The Domain Users group can be added to other domain groups, and can be given permissions directly to objects, as well as placed in Local computer groups.

 

Because Domain Users normally contains only user accounts and can be directly controlled by the administrator it is generally considered the most secure group of the three listed.

 

Authenticated Users

Authenticated Users was first introduced in Windows NT 4.0 SP3.  This is a built-in group that cannot be modified.  The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain.  For this reason it is generally thought of as the sum of all Domain User groups the computer’s domain has a trust with.  However, Authenticated Users will contain all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not.  Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests.

 

The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account.  Because of this the Authenticated Users also contains the domain computer accounts (domain\computername$) from all trusted domains.  The local computer account is always a member of the Authenticated Users group even when disconnected from the network.  However, just like Domain Users, the local computer account must first authenticate to the domain to be considered part of the Authenticated Users token when connecting remotely to other computers within its trusted domains.  This membership can be verified by using the gpresult.exe and looking at the following line.

 

The computer is a part of the following security groups:

--------------------------------------------------------

    BUILTIN\Administrators

    Everyone

    BUILTIN\Users

    NT AUTHORITY\NETWORK

    NT AUTHORITY\Authenticated Users

                             

The SID for Authenticated Users is S-1-5-11.  Authenticated Users is available when applying permissions directly to an object, or can be placed in Built-in and user created Local computer groups.  Authenticated Users cannot be added as a member to another user created domain groups (Global, Domain Local, or Universal).  However, the Authenticated Users group can be added to the Built-in Domain Local groups.  

 

When working with domain user accounts and local user accounts remember that the local user accounts will also be members of Authenticated Users, and will therefore have access to local resources secured with this permission.  However, the scope of the local user accounts’ access will not extend onto remote computers via the Authenticated Users group.  This is because while the local user account includes the SID for the Authenticated User group, the local user must still authenticate to any remote computer prior to access being granted.

 

By default the Authenticated Users group is automatically added to the Built-in\Users group on all workstations when added to the domain.

 

Because Authenticated Users automatically includes all domain user accounts from all current and future trusted domains it is considered the most administrator friendly, allowing a good balance between security and future needs or changes.

 

Everyone group

The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.  NULL session connections (aka anonymous logon) used to be included in this group but were removed in Windows 2003.  This is a built-in group that cannot be modified.

 

The SID for the Everyone group is S-1-1-0.  The Everyone group is available when applying permissions directly to an object, or can be placed in Built-in and user created Local computer groups.  The Everyone group cannot be added as a member to another user created domain groups (Global, Domain Local, or Universal).  However, the Everyone group can be added to the Built-in Domain Local groups.

 

 

Because the Everyone group contains the Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. it is generally considered the least secure of the three groups.

 

A common misconception of the Everyone group is that it includes unauthenticated users or users from un-trusted domains and workstations (ie. anonymous users).  This implies that any user account from any un-trusted domain or workstation can access the resource that is being secured using the Everyone group.  This is not true.  To be included in the Everyone group requires that the computer account or user account be a member of the domain or a trusted domain.  User accounts on un-trusted workstations (i.e. consultant laptop) may not access resources secured by the Everyone group that are hosted on another computer without first authenticating with a domain or local user account.

 

More Information:

Well-known security identifiers in Windows operating systems

 

Everyone group does not include anonymous security identifier

 

Restricting information available to anonymous logon users

Article ID: 41, Created On: 9/16/2011, Modified: 9/16/2011

Comments (1)

Dinh Nguyen

A very good brief yet concise article ... Thank you

10/12/2011 at 5:18 AM
Monyker

LOL! @ "brief yet concise". I like that. :-)

5/10/2012 at 11:17 PM