Members of Authenticated users

Hello all!

Does anyone know how I can obtain a list of users that are a part of the "Authenticated Users" group?

I need to have a complete list of users that are in my domain and a member of this group.  what would be the easiest way to gather this information?
teksouthAsked:
Who is Participating?
 
oBdAConnect With a Mentor Commented:
"Authenticated Users" doesn't have a static membership you can query; it's a built-in group you can use to in ACLs which includes any account that has authenticated against the domain:
"Authenticated Users Built-in Group
A new built-in group is created when installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix known as "Authenticated Users." The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. The built-in Security Identifier for Authenticated Users is S-1-5-11. Authenticated network connections from any account in the server's Windows NT domain, or any domain trusted by the server's domain, is identified as an Authenticated User. The Authenticated Users group is available for granting access rights to resources in the security ACL editor. Windows NT 4.0 Service Pack 3 and the Windows NT 3.51 hotfix do not modify any access control lists to change access rights granted to Everyone to use Authenticated Users."
Restricting information available to anonymous logon users
http://support.microsoft.com/kb/143474
0
 
g000seCommented:
Hello,

You could use a program called- Somarsoft DumpSec
0
 
g000seCommented:
Here is the link- http://www.somarsoft.com/
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
g000seCommented:
With in the program click on Reports\Select Computer (DC)\ Dump Users as a table.  Then you can run a filter.  This program is very useful to have.
0
 
teksouthAuthor Commented:
thank you for the reply!

It outputs basically all the users in the domain but I want to know specifically who is in the "group' Authenticated users.  is there a specific way I can sort by that?  maybe I'm just overlooking it.
0
 
g000seCommented:
and you can use search\filter "domain users" to capture the information since they are part of the authenticated users.
0
 
AmericomCommented:
Basically, when you grant access to the "authenticated groups", you are granting access to all domain users in your domain. If you have multiple domains in your forest or other forest being trusted(forest trust), granting to "authenticated users" also means grant access to all domain users in all domains and forest.
0
 
AmericomCommented:
"Domain Users" including all users only if user account is by default set domain users as the primary group. If any user account set other group as primary and remove from domain users, then domain users will not including all users.
0
 
teksouthAuthor Commented:
sorry for the confusion.

so what you're saying is that if they are a domain users then they are also part of Authenticated users by default?  Just trying to get clarification because Americom's comment seems to possibly contradict that.  

thanks for the help Gents.
0
 
teksouthAuthor Commented:
so inclusion in the "Authenticated users" group  is  dependent on if their default group is set to "domain users" if it is not then they (going by default) would not be a "member" of the "authenticated users" unless specifically that right... correct?
0
 
oBdACommented:
Again: *any* account that is *authenticated* (either against the own domain or a trusted domain) is included in the "Authenticated Users" group; unlike "Domain Users" this includes, for example, Domain Computers as well.
0
 
AmericomConnect With a Mentor Commented:
no, by default when you create a user account, you can leave as default which means the user account's default primary group is Domain Users. But if you set it to a diffferent group other than domain users and remove the domain users group then the user account would not be a member of the Domain User groups. It has nothing to do with Authenticated Users. Granting access to authenticated users group is granting access to all domain(s) users.
0
 
AmericomCommented:
So, your best bet to get a list of all user account is run a Saved Queries frm the Active Directory Users and Computers console which list all the user accounts where you can also export them.
0
 
teksouthAuthor Commented:
so by default a user is not granted rights to the "authenticated users" group.  meaning it would have to be specifically added to a users member list?
0
 
g000seCommented:
Americom is correct.  So if the user account is removed from the domain users group then at this point, this user account wouldn't have access to any domain resources and can't authenticate to the domain.
0
 
AmericomCommented:
no no no, leave authenticated users group as defined by oBdA and me. Do not mix it with domain users group.
0
 
AmericomCommented:
To clarify on the domain users group(not authenticated users), all account created MUST be a member of a group, by default it is a member of the Domain Users group which the this group is assigned as the primary group. But you can change it and assign the user account to another security group other than the Domain Users group. This clarification has nothing to do with the authenticated users group. Regardless if a user account is a member of Domain Users group or not, it is beign affected by whatever rights granted to the authenticated users group.
0
 
g000seCommented:
"Because Authenticated Users automatically includes all domain user accounts from all current and future trusted domains it is considered the most administrator friendly, allowing a good balance between security and future needs or changes." from the link above.
0
All Courses

From novice to tech pro — start learning today.