Solved

Members of Authenticated users

Posted on 2009-05-12
Last Modified: 2013-12-24
Hello all!

Does anyone know how I can obtain a list of users that are a part of the "Authenticated Users" group?

I need to have a complete list of users that are in my domain and a member of this group. What would be the easiest way to gather this information?
Question by:teksouth
19 Comments
 
LVL 11

Expert Comment

by:g000se
ID: 24365211
Hello,

You could use a program called Somarsoft DumpSec.
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365228
Here is the link: http://www.somarsoft.com/
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365242
Within the program, click on Reports\Select Computer (DC)\Dump Users as a table. Then you can run a filter. This program is very useful to have.
0
 

Author Comment

by:teksouth
ID: 24365366
Thank you for the reply!

It outputs basically all the users in the domain, but I want to know specifically who is in the "group" Authenticated Users. Is there a specific way I can sort by that? Maybe I'm just overlooking it.
0
 
LVL 83

Accepted Solution

by:
oBdA earned 100 total points
ID: 24365375
"Authenticated Users" doesn't have a static membership you can query; it's a built-in group you can use in ACLs which includes any account that has authenticated against the domain:
"Authenticated Users Built-in Group
A new built-in group is created when installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix known as "Authenticated Users." The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. The built-in Security Identifier for Authenticated Users is S-1-5-11. Authenticated network connections from any account in the server's Windows NT domain, or any domain trusted by the server's domain, is identified as an Authenticated User. The Authenticated Users group is available for granting access rights to resources in the security ACL editor. Windows NT 4.0 Service Pack 3 and the Windows NT 3.51 hotfix do not modify any access control lists to change access rights granted to Everyone to use Authenticated Users."
Restricting information available to anonymous logon users
http://support.microsoft.com/kb/143474
0
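As an added example (not part of the accepted answer or anyone's post in this thread), the PowerShell below shows the point made there: S-1-5-11 is carried in the access token built at logon rather than stored as directory membership, so the nearest thing to a "member list" is the set of enabled accounts that can authenticate. The function name `Get-AuthenticatablePrincipal` and the CSV file name are illustrative assumptions; the directory query assumes the ActiveDirectory module (RSAT) and covers the local domain only, not trusted domains.

```powershell
# Added example. Requires Windows; part 3 requires the ActiveDirectory module (RSAT).
# Get-AuthenticatablePrincipal and the output file name are hypothetical names.

# 1. S-1-5-11 is a well-known SID, so it resolves to a name without any group object.
$auSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$auSid.Translate([System.Security.Principal.NTAccount]).Value

# 2. The SID is present in the token of the current (authenticated) logon session.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    Account               = $token.Name
    IsAnonymous           = $token.IsAnonymous
    HasAuthenticatedUsers = $token.Groups.Contains($auSid)
}

# 3. List every enabled user and computer account in the current domain.
#    These are the principals that receive S-1-5-11 once they authenticate,
#    whatever their primary group is.
Import-Module ActiveDirectory

function Get-AuthenticatablePrincipal {
    $users     = Get-ADUser     -Filter 'Enabled -eq $true' -Properties PrimaryGroupID
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PrimaryGroupID

    foreach ($p in @($users) + @($computers)) {
        [pscustomobject]@{
            SamAccountName  = $p.SamAccountName
            ObjectClass     = $p.ObjectClass
            # 513 = Domain Users, 515 = Domain Computers; other values mean the
            # primary group was changed, which does not affect S-1-5-11.
            PrimaryGroupRid = $p.PrimaryGroupID
            SID             = $p.SID.Value
        }
    }
}

Get-AuthenticatablePrincipal |
    Sort-Object ObjectClass, SamAccountName |
    Export-Csv -Path .\authenticatable-principals.csv -NoTypeInformation
```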
 
LVL 11

Expert Comment

by:g000se
ID: 24365505
And you can use search\filter "domain users" to capture the information since they are part of the authenticated users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365513
Basically, when you grant access to the "authenticated groups", you are granting access to all domain users in your domain. If you have multiple domains in your forest or another forest being trusted (forest trust), granting to "authenticated users" also means granting access to all domain users in all domains and forests.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365546
"Domain Users" includes all users only if each user account has Domain Users set as the primary group, as it is by default. If any user account has another group set as primary and is removed from Domain Users, then Domain Users will not include all users.
0
 

Author Comment

by:teksouth
ID: 24365557
Sorry for the confusion.

So what you're saying is that if they are a domain user then they are also part of Authenticated Users by default? Just trying to get clarification because Americom's comment seems to possibly contradict that.

Thanks for the help, gents.
0
 

Author Comment

by:teksouth
ID: 24365602
So inclusion in the "Authenticated users" group is dependent on if their default group is set to "domain users"; if it is not, then they (going by default) would not be a "member" of the "authenticated users" unless specifically that right... correct?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24365654
Again: *any* account that is *authenticated* (either against the own domain or a trusted domain) is included in the "Authenticated Users" group; unlike "Domain Users" this includes, for example, Domain Computers as well.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 100 total points
ID: 24365661
No, by default when you create a user account, you can leave it as default, which means the user account's default primary group is Domain Users. But if you set it to a different group other than Domain Users and remove the Domain Users group, then the user account would not be a member of the Domain Users group. It has nothing to do with Authenticated Users. Granting access to the Authenticated Users group is granting access to all domain(s) users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365676
So, your best bet to get a list of all user accounts is to run a Saved Query from the Active Directory Users and Computers console, which lists all the user accounts and where you can also export them.
0
 

Author Comment

by:teksouth
ID: 24365679
So by default a user is not granted rights to the "authenticated users" group. Meaning it would have to be specifically added to a user's member list?
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365702
Americom is correct.  So if the user account is removed from the domain users group then at this point, this user account wouldn't have access to any domain resources and can't authenticate to the domain.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365797
No no no, leave the authenticated users group as defined by oBdA and me. Do not mix it with the domain users group.
0
 
LVL 11

Assisted Solution

by:g000se
g000se earned 50 total points
ID: 24365897
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365908
To clarify on the Domain Users group (not Authenticated Users): every account created MUST be a member of a group; by default it is a member of the Domain Users group, which is assigned as the primary group. But you can change it and assign the user account to another security group other than the Domain Users group. This clarification has nothing to do with the Authenticated Users group. Regardless of whether a user account is a member of the Domain Users group or not, it is being affected by whatever rights are granted to the Authenticated Users group.
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365916
"Because Authenticated Users automatically includes all domain user accounts from all current and future trusted domains it is considered the most administrator friendly, allowing a good balance between security and future needs or changes." from the link above.
0
