Solved

Members of Authenticated users

Posted on 2009-05-12
19
2,192 Views
Last Modified: 2013-12-24
Hello all!

Does anyone know how I can obtain a list of users that are a part of the "Authenticated Users" group?

I need to have a complete list of users that are in my domain and a member of this group.  what would be the easiest way to gather this information?
0
Comment
Question by:teksouth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 4
  • +1
19 Comments
 
LVL 11

Expert Comment

by:g000se
ID: 24365211
Hello,

You could use a program called- Somarsoft DumpSec
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365228
Here is the link- http://www.somarsoft.com/
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365242
With in the program click on Reports\Select Computer (DC)\ Dump Users as a table.  Then you can run a filter.  This program is very useful to have.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:teksouth
ID: 24365366
thank you for the reply!

It outputs basically all the users in the domain but I want to know specifically who is in the "group' Authenticated users.  is there a specific way I can sort by that?  maybe I'm just overlooking it.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 100 total points
ID: 24365375
"Authenticated Users" doesn't have a static membership you can query; it's a built-in group you can use to in ACLs which includes any account that has authenticated against the domain:
"Authenticated Users Built-in Group
A new built-in group is created when installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix known as "Authenticated Users." The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. The built-in Security Identifier for Authenticated Users is S-1-5-11. Authenticated network connections from any account in the server's Windows NT domain, or any domain trusted by the server's domain, is identified as an Authenticated User. The Authenticated Users group is available for granting access rights to resources in the security ACL editor. Windows NT 4.0 Service Pack 3 and the Windows NT 3.51 hotfix do not modify any access control lists to change access rights granted to Everyone to use Authenticated Users."
Restricting information available to anonymous logon users
http://support.microsoft.com/kb/143474
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365505
and you can use search\filter "domain users" to capture the information since they are part of the authenticated users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365513
Basically, when you grant access to the "authenticated groups", you are granting access to all domain users in your domain. If you have multiple domains in your forest or other forest being trusted(forest trust), granting to "authenticated users" also means grant access to all domain users in all domains and forest.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365546
"Domain Users" including all users only if user account is by default set domain users as the primary group. If any user account set other group as primary and remove from domain users, then domain users will not including all users.
0
 

Author Comment

by:teksouth
ID: 24365557
sorry for the confusion.

so what you're saying is that if they are a domain users then they are also part of Authenticated users by default?  Just trying to get clarification because Americom's comment seems to possibly contradict that.  

thanks for the help Gents.
0
 

Author Comment

by:teksouth
ID: 24365602
so inclusion in the "Authenticated users" group  is  dependent on if their default group is set to "domain users" if it is not then they (going by default) would not be a "member" of the "authenticated users" unless specifically that right... correct?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 24365654
Again: *any* account that is *authenticated* (either against the own domain or a trusted domain) is included in the "Authenticated Users" group; unlike "Domain Users" this includes, for example, Domain Computers as well.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 100 total points
ID: 24365661
no, by default when you create a user account, you can leave as default which means the user account's default primary group is Domain Users. But if you set it to a diffferent group other than domain users and remove the domain users group then the user account would not be a member of the Domain User groups. It has nothing to do with Authenticated Users. Granting access to authenticated users group is granting access to all domain(s) users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365676
So, your best bet to get a list of all user account is run a Saved Queries frm the Active Directory Users and Computers console which list all the user accounts where you can also export them.
0
 

Author Comment

by:teksouth
ID: 24365679
so by default a user is not granted rights to the "authenticated users" group.  meaning it would have to be specifically added to a users member list?
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365702
Americom is correct.  So if the user account is removed from the domain users group then at this point, this user account wouldn't have access to any domain resources and can't authenticate to the domain.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365797
no no no, leave authenticated users group as defined by oBdA and me. Do not mix it with domain users group.
0
 
LVL 11

Assisted Solution

by:g000se
g000se earned 50 total points
ID: 24365897
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365908
To clarify on the domain users group(not authenticated users), all account created MUST be a member of a group, by default it is a member of the Domain Users group which the this group is assigned as the primary group. But you can change it and assign the user account to another security group other than the Domain Users group. This clarification has nothing to do with the authenticated users group. Regardless if a user account is a member of Domain Users group or not, it is beign affected by whatever rights granted to the authenticated users group.
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365916
"Because Authenticated Users automatically includes all domain user accounts from all current and future trusted domains it is considered the most administrator friendly, allowing a good balance between security and future needs or changes." from the link above.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Access is a place to store data within tables and represent this stored data using multiple database objects such as in form of macros, forms, reports, etc. After a MS Access database is created there is need to improve the performance and…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question