Active Directory membership

Is there a group or OU in Active Directory that would allow users to be authenticated via LDAP but not automatically allow them access to resources?
Who is Participating?
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:
Don't mix OUs with permission. You should use security groups for configuring access to resources. Microsoft recommends using A G DL P strategy. Put user accounts in global groups, put global groups in domain local groups and use domain local groups to assign permissions. If you would use this strategy, you could be completely sure, that they could not access anything else.
But It doesn't really matter if these user accounts are part of Domain users, if you (for example) use Everyone group on for assigning permissions on shares and NTFS.
Toni UranjekConsultant/TrainerCommented:

There is special group "Authenticated users" but you can not add members to this group. Sucessfully authenticated users are automatically members of this group.
Resorces in AD domain are not automatically accessible, you always have to share them first or set correct permissions.

eva623Author Commented:
Thanks Toni,
I've been asked to create secure access to a group of folks who want to authenticate to our domain in order to use one application - but we don't want them to have access to anything else.  Can I create an OU that doesn't have rights to anything except the application?  Do they have to be members of domain users?
eva623Author Commented:
thanks again.  I'll create user accounts and put them in a new global group and give them no permissions except the explicit ones they need.  I guess I'm afraid that my predecessors gave authenticated users rights to some resources - I guess we'll find out!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.