Authenticated Users vs Domain Users vs Everyone Groups

fivetenmm

IS-IT--Management
Jul 26, 2007
7
US
Can anybody help explain the differences and best practices for setting permission levels using these groups in a Domain environment? When should you use each one of these groups for setting permissions? Appreciate any insight!
 
I tend to use domain users.

I am not 100% on this but I think the main differences are:

Everyone permission can let anyone access the data but you have to have the server set up to not require authentication to make a connection, so anyone could walk in and plug a laptop in and access info on a server.

Domain users means a user must have an account of the domain in question.

Authenticated users means a user has authenticated somehow, this can include users from alternate domains via trusts etc.

 
> Everyone permission can let anyone access the data but you have to have the server set up to not require authentication to make a connection, so anyone could walk in and plug a laptop in and access info on a server.
Not quite.
The Everyone group includes every user in the domain and guests and users from other domains - there would need to be some kind of trust set up for the user from the other domain to be allowed access to files on this domain.

I could not walk up and plug my laptop in your domain and get access to files on a share if you had the Everyone group listed in NTFS or share permissions.
Sometimes, MS recommends that you use the Everyone group for share permissions, e.g. READ for distribution points for software that gets installed by Group Policy.

Everyone is not the same as Anonymous.
However, there isn't usually a need for Everyone to have full control either.

On the whole, you want to assign users to (security) groups you have created for specific reasons (whether structural or functional) and then assign permissions to resources (files, printers, etc.) by giving the group the permissions to use it/read it/change it.
Least privilege is the thing to remember here. Give the group/user the least privileges it needs. Everything else is dependent on your situation. Here's a good place to start:

Also, get hold of Mark Minasi's Windows Server 2003 book.
 
Actually, as long as the server is set to not require authentication, which it is by default, putting Everyone on shares and folders will allow access to the files without authentication.
 
> Actually, as long as the server is set to not require authentication, which it is by default, putting Everyone on shares and folders will allow access to the files without authentication.
Are you sure of that? I didn't think that was the case with 2003 but might have to take your word for it.
What would change that then during the setup of say a member server or a DC?
 
I get the feeling I may have misunderstood you here, theravager.
Can you clarify exactly what you mean by 'not requiring authentication'?

Do you mean the guest account? Because that still requires an authentication process.
 
Sorry, I just realised my above comment wasn't really clear. By default it doesn't work.

It's been a while since I've had to do this and I don't have a system in my current workplace I can check set like this, but I believe it's two group policy settings in the local policy: one is in the user rights area and one is in security options.
 
Okay, the reason it wouldn't work is because by default NTFS perms do not include the Everyone group.

I had to have a discussion with some people to get this. Anonymous also does not belong to Everyone.

Personally, I take everyone out and put in auth users or just security groups or individuals for granularity.
 
Ok, so Everyone group, read permissions for shares for distribution points for Software via Group Policy.

Authenticated Users group when setting up NTFS Permissions for the domain and trusted domains. Domain Users group for NTFS permissions in the respective domain only, not trusted domains.

Create specific security groups for specific functions. And the Everyone group includes all accounts including the guest account, anonymous accounts, etc.? So, remove the Everyone group in most situations, or are there any other situations where you would use this group?

Thanks!!

 
> Create specific security groups for specific functions. And the Everyone group includes all accounts including the guest account, anonymous accounts, etc.?
Anonymous does not belong to Everyone. It used to pre W2003.
> So, remove the Everyone group in most situations, or are there any other situations where you would use this group?
Yes, as per MS guidelines when setting up a distribution point for software applied via GPO.

HTH
 
This is where I'm still a little unclear.

Would it be possible to remove the Everyone group totally? And say, replace it with "Authenticated Users"?

 
> Ok, so Everyone group, read permissions for shares for distribution points for Software via Group Policy.
That depends. If you're using startup GPOs, then assign permissions to DOMAIN COMPUTERS, since the computers need rights to get to those packages. If you're assigning based on login GPOs, assign DOMAIN USERS rights. DOMAIN USERS usually contains users from the local domain, IIRC. Authenticated Users, as mentioned above, are users from any trusted domain.

> Authenticated Users group when setting up NTFS Permissions for the domain and trusted domains. Domain Users group for NTFS permissions in the respective domain only, not trusted domains.
Exactly

> Create specific security groups for specific functions. And the Everyone group includes all accounts including the guest account, anonymous accounts, etc.? So, remove the Everyone group in most situations, or are there any other situations where you would use this group?
I generally never use the EVERYONE group. It gets removed from all NTFS and sharing permissions.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
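
Added example, not part of the original thread: a read-only PowerShell audit that lists where Everyone is still granted access, as a first step before replacing it with Authenticated Users or specific security groups as the posts above discuss. It matches the well-known SID S-1-1-0 instead of the group name; the path `D:\Shares` and the function names are hypothetical, and `Get-SmbShare` assumes Windows Server 2012 or later.

```powershell
# Well-known SIDs are identical on every Windows system, so matching on them
# avoids problems with localized group names.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
}

# Hypothetical helper: list Allow ACEs on a folder tree granted to the given SIDs.
function Get-BroadNtfsAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Sid = @('S-1-1-0')           # default: Everyone only
    )
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Request explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $value = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $Sid -contains $value) {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Principal = $BroadSids[$value]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Hypothetical helper: list share-level Allow entries for Everyone.
function Get-EveryoneShareAce {
    Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess | Where-Object {
        if ($_.AccessControlType -ne 'Allow') { return $false }
        try {
            $sid = ([System.Security.Principal.NTAccount]$_.AccountName).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { return $false }                # unresolvable account: skip
        $sid -eq 'S-1-1-0'
    }
}

Get-BroadNtfsAce -Path 'D:\Shares' | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
Get-EveryoneShareAce | Format-Table Name, AccountName, AccessRight
```

Explicit (non-inherited) entries are the ones that have to be changed on the folder itself; inherited entries go away once the parent folder is corrected.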
 
Ok, so Everyone gets replaced, most probably by "Authenticated" users. Does anyone also include the "Sysvol" folder on DCs when removing the "Everyone" group?

Do people here in general add "Administrators" and "Domain Administrators" to everything, including users' profiles and home folders?

Also, I was considering allowing admins only permission changes on some shared folders that have the most sensitive data. Is that something that people here adhere to, or not considered an issue?

Thanks
 