Authenticated Users vs Domain Users Group

What is the major difference between the Authenticated Users and the Domain Users Group?  When setting share or NTFS permissions, is it best practice to use the authenticated users or Domain users group and why...
LVL 1
daveyd123Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

beechfielderCommented:
The authenticated users group can be used to grant permissions across a forest,  but domain users is a security group for users in a specific domain.

1
dmoxCommented:
When applying permissions it's best to be as restrictive as possible so you don't leave any unseen security holes.  You could have guests authenticating for example that would be able to get access to your accounting information if you applied Authenticated Users as opposed to an Accounting Group.  
0
Casca1Commented:
Study question?
Well, the basic answer has been given, but they didn't elaborate on the shares thing. Share vs NTFS. It's pretty simple.
In order to access the share across the network, the user has to be in a group that has share level permissions. The easiest way to deal with them is to add change to the everyone group at the share level, and then restrict access through NTFS permissions. You can add the individual permissions to the shares, but that can get confusing, and adds another step in the process that can go wrong. Remember, KISS.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

WeHeCommented:
Domain Users contains all Users from the Domain the Group belongs to.
Authenticated Users contains Users from Trusted Domains too.
0
WeHeCommented:
Best Practice is to give everyone modify permissions on the share level.
On NTFS Level grant permissions per local domain security groups.
So you have not to change permissions on NTFS if you have to change access for a user. just drop them from the granted group.
0
daveyd123Author Commented:
Would it be best to give the Everyone, Domain Users or Authenticated Users group "Change" share permissions on a folder?
0
WeHeCommented:
Everyone or Authenticated Users will be the best. The difference is: Everyone includes Authenticated Users plus Guests.
If you want to be a little bit more secure, use "Authenticated Users".
btw, we use "Everyone" because security is granted only per NTFS.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dmoxCommented:
The everyone group shouldn't be modified.  It's a little confusing how it works, but EVERYONE is any person that can access that share or resource.  Meaning, anyone who can successfully log on to that share.  If, for example, you were to remove the Read permission to the everyone group then NOBODY could read the folder.  If you were to remove the write permission, then NOBODY could write to the share.  This includes administrators!

If you have a share that is an admin share for read only access, remove the Permissions write, Take Ownership and Change  from the Everyone group and then do any updates locally from the machine with an Admin account.  

Most shares are a place for people to upload and download files however, so the Everyone group should be left as unrestrictive as possible.  Tighten the security with User specific or Groups to make sure that the correct people can access the share.

0
WeHeCommented:
> The everyone group shouldn't be modified
it's not possible to modify the everyone group. it is a special group.

> EVERYONE is any person that can access that share or resource
No. in everyone group are only authenticated users and the guest account.
So you must provide a username/password to the server/domain to be in everyone group.

> If you have a share that is an admin share for read only access, remove the Permissions write, Take Ownership and Change  from the Everyone group and then do any updates locally from the machine with an Admin account.  
What is an Adminshare for read only access?
If you need an admin share, just delete all other groups and permit only Administrators Group to access.

> Tighten the security with User specific or Groups to make sure that the correct people can access the share
Ms recommendation is to put everyone full or change on share and handle permissions only in NTFS.
So do not grant rights on shares, as you will be confused sooner or later.
E.g.: If you set Readonly on share, no user will have more rights then readonly, regardless what you set on NTFS.
And you won't remberer that, if you are searching for permission problems.
0
Casca1Commented:
On the last point, I have to agree with WeHe; Follow the MS best practice on shares; open the share to change and use NTFS to restrict access.
0
daveyd123Author Commented:
Say I have a Hard drive desigintated for data.  It's shared by default as D$.  I am creating a shared folder on the D drive called "shared".  In that folder will be subfolders for each department.  I need each deparment to be able to access and modify ONLY the documents in their respective folders.

Permission wise....I would set the NTFS permissions on the D$ share to Everyone (Read&Execute, List Folder Contents, Read).  In the D$ drive, the shared folder named "shared" would have Everyone (Change) share permissions and Everyone (Read&Execute, List Folder Contents, Read) NTFS permissions.  In the shared folder name "shared", create folders for each department.  The NTFS permissions on each department folder would not inherit permissions and I would grant Modify rights for the departments Security Group on each respective folder...

Correct?
0
WeHeCommented:
Dont touch the D$ share. It's for admin porposes only. Only Administrators should have rights there.
Create one Group "Share_List".
Create one Group per Department (Share_DepartmentX_Modify) and put them into "Share_List" Group.
Uncheck "Inherit from parent ..." for "Share" folder.
Share d:\share as "Share", set Share permissions "Everyone - Change" and NTFS to "Share_List - List folder contents".
Set NTFS permissions for each DepartmentX folder to "Share_DepartmentX - Modify".
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.