Solved

Authenticated Users vs Domain Users Group

Posted on 2004-11-30
Medium Priority
15,122 Views
Last Modified: 2012-06-21
What is the major difference between the Authenticated Users and the Domain Users Group?  When setting share or NTFS permissions, is it best practice to use the authenticated users or Domain users group and why...
Question by:daveyd123
12 Comments
 
LVL 5

Expert Comment

by:beechfielder
ID: 12710569
The authenticated users group can be used to grant permissions across a forest,  but domain users is a security group for users in a specific domain.

1
 
LVL 4

Expert Comment

by:dmox
ID: 12710585
When applying permissions it's best to be as restrictive as possible so you don't leave any unseen security holes.  You could have guests authenticating for example that would be able to get access to your accounting information if you applied Authenticated Users as opposed to an Accounting Group.  
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12710977
Study question?
Well, the basic answer has been given, but they didn't elaborate on the shares thing. Share vs NTFS. It's pretty simple.
In order to access the share across the network, the user has to be in a group that has share level permissions. The easiest way to deal with them is to add change to the everyone group at the share level, and then restrict access through NTFS permissions. You can add the individual permissions to the shares, but that can get confusing, and adds another step in the process that can go wrong. Remember, KISS.
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12714658
Domain Users contains all Users from the Domain the Group belongs to.
Authenticated Users contains Users from Trusted Domains too.
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12714683
Best Practice is to give everyone modify permissions on the share level.
On NTFS Level grant permissions per local domain security groups.
So you do not have to change permissions on NTFS if you have to change access for a user. Just drop them from the granted group.
0
 
LVL 1

Author Comment

by:daveyd123
ID: 12714726
Would it be best to give the Everyone, Domain Users or Authenticated Users group "Change" share permissions on a folder?
0
 
LVL 11

Accepted Solution

by:
WeHe earned 200 total points
ID: 12714804
Everyone or Authenticated Users will be the best. The difference is: Everyone includes Authenticated Users plus Guests.
If you want to be a little bit more secure, use "Authenticated Users".
btw, we use "Everyone" because security is granted only per NTFS.
0
 
LVL 4

Expert Comment

by:dmox
ID: 12726126
The everyone group shouldn't be modified.  It's a little confusing how it works, but EVERYONE is any person that can access that share or resource.  Meaning, anyone who can successfully log on to that share.  If, for example, you were to remove the Read permission to the everyone group then NOBODY could read the folder.  If you were to remove the write permission, then NOBODY could write to the share.  This includes administrators!

If you have a share that is an admin share for read only access, remove the Permissions write, Take Ownership and Change  from the Everyone group and then do any updates locally from the machine with an Admin account.  

Most shares are a place for people to upload and download files however, so the Everyone group should be left as unrestrictive as possible.  Tighten the security with User specific or Groups to make sure that the correct people can access the share.

0
 
LVL 11

Expert Comment

by:WeHe
ID: 12726358
> The everyone group shouldn't be modified
It's not possible to modify the Everyone group. It is a special group.

> EVERYONE is any person that can access that share or resource
No. In the Everyone group are only authenticated users and the guest account.
So you must provide a username/password to the server/domain to be in the Everyone group.

> If you have a share that is an admin share for read only access, remove the Permissions write, Take Ownership and Change  from the Everyone group and then do any updates locally from the machine with an Admin account.  
What is an Adminshare for read only access?
If you need an admin share, just delete all other groups and permit only Administrators Group to access.

> Tighten the security with User specific or Groups to make sure that the correct people can access the share
MS recommendation is to put Everyone full or change on share and handle permissions only in NTFS.
So do not grant rights on shares, as you will be confused sooner or later.
E.g.: If you set Readonly on share, no user will have more rights than readonly, regardless of what you set on NTFS.
And you won't remember that, if you are searching for permission problems.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12728572
On the last point, I have to agree with WeHe; Follow the MS best practice on shares; open the share to change and use NTFS to restrict access.
0
 
LVL 1

Author Comment

by:daveyd123
ID: 12755822
Say I have a hard drive designated for data.  It's shared by default as D$.  I am creating a shared folder on the D drive called "shared".  In that folder will be subfolders for each department.  I need each department to be able to access and modify ONLY the documents in their respective folders.

Permission wise....I would set the NTFS permissions on the D$ share to Everyone (Read&Execute, List Folder Contents, Read).  In the D$ drive, the shared folder named "shared" would have Everyone (Change) share permissions and Everyone (Read&Execute, List Folder Contents, Read) NTFS permissions.  In the shared folder named "shared", create folders for each department.  The NTFS permissions on each department folder would not inherit permissions and I would grant Modify rights for the department's Security Group on each respective folder...

Correct?
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12759345
Don't touch the D$ share. It's for admin purposes only. Only Administrators should have rights there.
Create one Group "Share_List".
Create one Group per Department (Share_DepartmentX_Modify) and put them into "Share_List" Group.
Uncheck "Inherit from parent ..." for "Share" folder.
Share d:\share as "Share", set Share permissions "Everyone - Change" and NTFS to "Share_List - List folder contents".
Set NTFS permissions for each DepartmentX folder to "Share_DepartmentX - Modify".
0
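The layout from the post above, scripted as an added example (not code posted by anyone in this thread). It assumes Windows Server 2012 or later with the ActiveDirectory and SmbShare modules; the domain name `CONTOSO` and the department names are placeholders, and applying the list right to the top folder only, so that it does not flow into the department folders, is an assumption of this example.

```powershell
# Added example: group names follow the post above; everything else is assumed.
Import-Module ActiveDirectory

$root        = 'D:\share'
$domain      = 'CONTOSO'                 # placeholder NetBIOS domain name
$departments = 'Accounting', 'Sales'     # assumed department names

# One group that may only see the top-level folder
New-ADGroup -Name 'Share_List' -GroupScope DomainLocal -GroupCategory Security

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Explicit ACEs first, then stop inheriting from D:\ and drop the inherited ACEs
icacls $root /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $root /grant "$domain\Share_List:(RX)"    # this folder only, nothing flows down
icacls $root /inheritance:r

foreach ($dept in $departments) {
    $group  = "Share_${dept}_Modify"
    $folder = Join-Path $root $dept

    # Department group, nested into Share_List so members can reach the top folder
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity 'Share_List' -Members $group

    # Modify on the department folder, inherited by its files and subfolders
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    icacls $folder /grant "$domain\${group}:(OI)(CI)M"
}

# Share permission stays wide; NTFS does the restricting
New-SmbShare -Name 'Share' -Path $root -ChangeAccess 'Everyone'

# Review the result
icacls $root
Get-SmbShareAccess -Name 'Share'
```

Users added to a department group pick up the access at their next logon, when their token is rebuilt.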

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Screencast - Getting to Know the Pipeline

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question