Best practices for Domain Users group membership
Posted on 2013-12-13
We have various resources where we want anyone in our domain to be able to access resources (file shares, etc) and each share has a group in active directory for read access and another for write access.
Some previous admins had added the Domain Users group as a member of the security group for the shares (roughly 200). Thus now through inheritance every user in our AD domain is a member of that security group (though it doesn't show explicitly in their MemberOf field).
We've been told that many users are having authentication issues due to their Kerberos token size being too small. On obvious solution is to increase everyone's in AD via a GPO.
However the question I have is this: what is the best practice for granting domain users access to shares without using the Everyone group. We don't want anonymous access or non-authenticated users. Should we simply use the "Authenticated Users" and make that a member of these shares security groups that control access? Or does that end up with the same effect as using Domain Users group?