Friday, 23 August 2013

Authenticated Users vs Domain Users

Both are built-in security principals in Windows used to control access to objects such as users, computers and service accounts, but they work at different levels: Authenticated Users is a well-known identity whose membership is computed by the system at logon, while Domain Users is an ordinary Active Directory group with a stored member list.

Authenticated Users

The Authenticated Users identity is added to the access token of every account that has authenticated to the local machine, to the domain, or to a domain trusted by the computer's domain. It therefore covers all manually created user accounts in all trusted domains, whether or not they are members of the Domain Users group. It specifically excludes the built-in Guest account and anonymous (null session) logons, but it does include other accounts created and placed in Domain Guests.
The following accounts fall under this identity:
  1. All domain users, and users in trusted domains.
  2. Computer accounts (the local computer's own account).
  3. Built-in system accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).

The local computer account is always a member of Authenticated Users, even when disconnected from the network. However, just like a domain user, the computer account must first authenticate to the domain before Authenticated Users appears in its token when it connects remotely to other computers in its trusted domains.
The SID for Authenticated Users is S-1-5-11. Authenticated Users can be used directly in permissions on an object and can be placed in built-in and user-created local computer groups. Because it is a well-known identity rather than a domain object, it can be nested only in Domain Local groups (the built-in ones such as Users, and user-created ones, where it is stored as a foreign security principal); it cannot be made a member of Global or Universal groups.

When working with domain user accounts and local user accounts, remember that local user accounts are also members of Authenticated Users and therefore have access to local resources secured with this permission. The scope of a local user account's access does not, however, extend to remote computers via the Authenticated Users group: although the local user's token includes the Authenticated Users SID, the local user must still authenticate to the remote computer (with credentials that computer can verify) before access is granted.

Recommendation for security: grant permissions to Authenticated Users rather than Everyone so that the ACE cannot be satisfied by an anonymous (null session) logon. On Windows Server 2003 and later, Everyone only includes Anonymous Logon when the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled; using Authenticated Users removes the dependency on that setting.
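The following PowerShell is an added example, not part of the original post. It shows the two checks the paragraphs above imply: whether the current token carries S-1-5-11, and whether a folder's ACL grants access to Everyone (S-1-1-0), then swaps that ACE for an equivalent Authenticated Users ACE. The folder path C:\Shares\Reports and the Modify right are assumptions; adjust both for your environment.

```powershell
# Added example (not from the original post). Assumes a folder at C:\Shares\Reports
# that currently grants Everyone the Modify right; change $Path for your environment.
$Path = 'C:\Shares\Reports'

# Well-known SIDs built from the .NET enumeration rather than typed by hand
$everyone  = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::WorldSid, $null)             # S-1-1-0
$authUsers = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)  # S-1-5-11

# 1. Is the current token a member of Authenticated Users? (whoami /groups shows the same)
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as {0}; Authenticated Users present in token: {1}" -f $token.Name, ($token.Groups -contains $authUsers)

# 2. List every ACE on the folder that is granted to Everyone
$acl = Get-Acl -Path $Path
$acl.Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 3. Replace the Everyone ACE with an equivalent one for Authenticated Users
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $authUsers,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.PurgeAccessRules($everyone)   # removes every explicit (non-inherited) ACE for S-1-1-0
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl
```

Run it from an elevated session that owns or has Full Control on the folder. PurgeAccessRules only touches explicit ACEs: an Everyone ACE that is inherited from a parent folder is reported with IsInherited = True in step 2 and has to be fixed at the parent (or inheritance broken on this folder) rather than here.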

Domain Users

Domain Users is an ordinary group: members can be added and removed explicitly, which is not possible with Authenticated Users. In a domain environment, the Administrator account and every new user account are automatically made members of this group, because it is the default primary group for new users. Domain Users is itself a member of the Users built-in local group of the domain and of every Windows computer joined to the domain.

By default, every user created in the domain is automatically a member of this group. The exception is the domain's default Guest account, whose primary group is Domain Guests instead.

The SID for Domain Users is S-1-5-21-<domain identifier>-513: the domain's own SID followed by the fixed relative identifier (RID) 513, which is why the group can be located by SID even if it has been renamed. Because Domain Users is a real group object, it can be nested in other domain groups, granted permissions directly on objects, and placed in local computer groups.
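The following PowerShell is an added example, not part of the original post, and goes one step beyond the text: it builds the Domain Users SID from the domain SID and RID 513, enumerates the membership (most of which is implicit through each user's primaryGroupID rather than the group's member attribute), and then lists accounts whose primary group is not Domain Users, which is the check a practitioner wants because re-pointing primaryGroupID hides membership from the member attribute of the target group. It assumes the ActiveDirectory module (RSAT) is installed and that the session can query the domain.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT)
# and a session with read access to the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID                       # S-1-5-21-<x>-<y>-<z>

# Build the Domain Users SID from the domain SID and the fixed RID 513 ...
$domainUsers = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $domainSid)
# ... and resolve the group object by SID rather than by its (renamable) name
$group = Get-ADGroup -Identity $domainUsers.Value
"{0} -> {1}" -f $domainUsers.Value, $group.DistinguishedName

# Membership of Domain Users is mostly implicit: each user's primaryGroupID is 513, so the
# group's 'member' attribute is nearly empty. Get-ADGroupMember includes primary-group members.
$members = Get-ADGroupMember -Identity $group
"Members (explicit plus primary-group membership): {0}" -f @($members).Count

# Security check: accounts whose primary group is NOT Domain Users. Guest legitimately has
# primaryGroupID 514 (Domain Guests); anything else deserves a look, because changing
# primaryGroupID moves the account's membership out of the target group's member attribute.
Get-ADUser -Filter 'primaryGroupID -ne 513' -Properties primaryGroupID |
    Select-Object SamAccountName, primaryGroupID,
        @{ n = 'PrimaryGroup'; e = { (Get-ADGroup -Identity "$domainSid-$($_.primaryGroupID)").Name } }
```

In a large domain Get-ADGroupMember on Domain Users can exceed the directory's default result limit for group member enumeration; if it errors out, the primaryGroupID query at the end still works because it is a per-user attribute lookup rather than a group expansion.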

You can refer to this article to learn about the other built-in groups.
