Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Members of Authenticated users

Posted on 2009-05-12
19
Medium Priority
?
2,194 Views
Last Modified: 2013-12-24
Hello all!

Does anyone know how I can obtain a list of users that are a part of the "Authenticated Users" group?

I need to have a complete list of users that are in my domain and a member of this group.  what would be the easiest way to gather this information?
0
Comment
Question by:teksouth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 4
  • +1
19 Comments
 
LVL 11

Expert Comment

by:g000se
ID: 24365211
Hello,

You could use a program called- Somarsoft DumpSec
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365228
Here is the link- http://www.somarsoft.com/
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365242
With in the program click on Reports\Select Computer (DC)\ Dump Users as a table.  Then you can run a filter.  This program is very useful to have.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:teksouth
ID: 24365366
thank you for the reply!

It outputs basically all the users in the domain but I want to know specifically who is in the "group' Authenticated users.  is there a specific way I can sort by that?  maybe I'm just overlooking it.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 400 total points
ID: 24365375
"Authenticated Users" doesn't have a static membership you can query; it's a built-in group you can use to in ACLs which includes any account that has authenticated against the domain:
"Authenticated Users Built-in Group
A new built-in group is created when installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hotfix known as "Authenticated Users." The Authenticated Users group is similar to the "Everyone" group, except for one important difference: anonymous logon users (or NULL session connections) are never members of the Authenticated Users group. The built-in Security Identifier for Authenticated Users is S-1-5-11. Authenticated network connections from any account in the server's Windows NT domain, or any domain trusted by the server's domain, is identified as an Authenticated User. The Authenticated Users group is available for granting access rights to resources in the security ACL editor. Windows NT 4.0 Service Pack 3 and the Windows NT 3.51 hotfix do not modify any access control lists to change access rights granted to Everyone to use Authenticated Users."
Restricting information available to anonymous logon users
http://support.microsoft.com/kb/143474
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365505
and you can use search\filter "domain users" to capture the information since they are part of the authenticated users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365513
Basically, when you grant access to the "authenticated groups", you are granting access to all domain users in your domain. If you have multiple domains in your forest or other forest being trusted(forest trust), granting to "authenticated users" also means grant access to all domain users in all domains and forest.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365546
"Domain Users" including all users only if user account is by default set domain users as the primary group. If any user account set other group as primary and remove from domain users, then domain users will not including all users.
0
 

Author Comment

by:teksouth
ID: 24365557
sorry for the confusion.

so what you're saying is that if they are a domain users then they are also part of Authenticated users by default?  Just trying to get clarification because Americom's comment seems to possibly contradict that.  

thanks for the help Gents.
0
 

Author Comment

by:teksouth
ID: 24365602
so inclusion in the "Authenticated users" group  is  dependent on if their default group is set to "domain users" if it is not then they (going by default) would not be a "member" of the "authenticated users" unless specifically that right... correct?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 24365654
Again: *any* account that is *authenticated* (either against the own domain or a trusted domain) is included in the "Authenticated Users" group; unlike "Domain Users" this includes, for example, Domain Computers as well.
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 400 total points
ID: 24365661
no, by default when you create a user account, you can leave as default which means the user account's default primary group is Domain Users. But if you set it to a diffferent group other than domain users and remove the domain users group then the user account would not be a member of the Domain User groups. It has nothing to do with Authenticated Users. Granting access to authenticated users group is granting access to all domain(s) users.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365676
So, your best bet to get a list of all user account is run a Saved Queries frm the Active Directory Users and Computers console which list all the user accounts where you can also export them.
0
 

Author Comment

by:teksouth
ID: 24365679
so by default a user is not granted rights to the "authenticated users" group.  meaning it would have to be specifically added to a users member list?
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365702
Americom is correct.  So if the user account is removed from the domain users group then at this point, this user account wouldn't have access to any domain resources and can't authenticate to the domain.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365797
no no no, leave authenticated users group as defined by oBdA and me. Do not mix it with domain users group.
0
 
LVL 11

Assisted Solution

by:g000se
g000se earned 200 total points
ID: 24365897
0
 
LVL 18

Expert Comment

by:Americom
ID: 24365908
To clarify on the domain users group(not authenticated users), all account created MUST be a member of a group, by default it is a member of the Domain Users group which the this group is assigned as the primary group. But you can change it and assign the user account to another security group other than the Domain Users group. This clarification has nothing to do with the authenticated users group. Regardless if a user account is a member of Domain Users group or not, it is beign affected by whatever rights granted to the authenticated users group.
0
 
LVL 11

Expert Comment

by:g000se
ID: 24365916
"Because Authenticated Users automatically includes all domain user accounts from all current and future trusted domains it is considered the most administrator friendly, allowing a good balance between security and future needs or changes." from the link above.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes has been used since a very long time as an e-mail client and is very popular because of it's unmatched security. In this article we are going to learn about  RRV Bucket corruption and understand various methods to Fix "RRV Bucket Corrupt…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question