How to add back "NT Authority\..." to local Users group in PCs

In an attempt to stop all domain users from login to a few critical financial processing PCs (that handles large payments amounts), I've removed "Domain Users" & the following 2 & it worked:
  1. NT AUTHORITY\Authenticated Users (S-1-5-11)
  2. NT AUTHORITY\INTERACTIVE (S-1-5-4)

How do I add them back?  When I enter the above verbatim, it doesn't list them though
"Domain Users" are listed & I could add it back.  A couple of PCs are non-payment PCs
& I accidentally removed the above 2 & Domain Users   from the local "Users" group
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
Restore from the last full backup made before the change.
0
Peter HutchisonSenior Network Systems SpecialistCommented:
You can use Group Policy and use Restricted Groups feature to update membership of local groups.
http://techgenix.com/Using-Restricted-Groups/
1
sunhuxAuthor Commented:
We don't take  bare metal backups on PCs
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

sunhuxAuthor Commented:
Will try Peter's suggestion / link.

Btw, what are the 2  NT Authority\  groups for or what's their function?
If I don't restore them back, what's the impact / implication
0
BlayneyCommented:
Use system restore?
1
NVITCommented:
To add it on the command line, Run CMD as administrator. Then..

Authenticated Users...
c:\windows\system32\icacls "c:\folder name" /grant *S-1-5-11:(OI)(CI)M

Interactive...
c:\windows\system32\icacls "c:\folder name" /grant *S-1-5-4:(OI)(CI)M

About the SIDs I mentioned, see https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

About ICACLS usage... https://ss64.com/nt/icacls.html

https://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx

I'm on mobile now, so can't confirm the examples I have, but it should get you started. Please try it on a test folder first.

EDIT:
I've confirmed my examples here do work.
1
sunhuxAuthor Commented:
NVIT,  why need to specify folder_name?  When I remove the 2  "NT Authority\..."  from
local Users group, there' s no folder_name associated with them
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Authenticated Users are all users which have a valid account on this machine. Removing the group from Users means that all user accounts need to be added manually.
Interactive Users are users which can log in using the GUI (versus connecting from a different machine). This includes RDP, as it simulates local login, but still requires RDP privileges (e.g. RDP Users membership). Removing this group from users means that users logging in on console (physically) do not have any privileges by default (as Users is usually the least group membership you need to have to get access to many files and folders).

If you have issues with the GUI, you can always fall back to the command line, so in an elevated command prompt, run
net localgroup /add Users "NT AUTHORITY\Authenticated Users"
net localgroup /add Users "NT AUTHORITY\Interactive"

Open in new window

Whatsoever, if I go into: lusrmgr.msc » groups » Users » Add » Advanced » Search, I see those groups. I can also enter "interactive" or "authenticated" in the Add dialogue and get correct suggestions.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.