• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 272
  • Last Modified:

How to add back "NT Authority\..." to local Users group in PCs

In an attempt to stop all domain users from login to a few critical financial processing PCs (that handles large payments amounts), I've removed "Domain Users" & the following 2 & it worked:
  1. NT AUTHORITY\Authenticated Users (S-1-5-11)

How do I add them back?  When I enter the above verbatim, it doesn't list them though
"Domain Users" are listed & I could add it back.  A couple of PCs are non-payment PCs
& I accidentally removed the above 2 & Domain Users   from the local "Users" group
3 Solutions
Dr. KlahnPrincipal Software EngineerCommented:
Restore from the last full backup made before the change.
Peter HutchisonSenior Network Systems SpecialistCommented:
You can use Group Policy and use Restricted Groups feature to update membership of local groups.
sunhuxAuthor Commented:
We don't take  bare metal backups on PCs
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

sunhuxAuthor Commented:
Will try Peter's suggestion / link.

Btw, what are the 2  NT Authority\  groups for or what's their function?
If I don't restore them back, what's the impact / implication
Use system restore?
To add it on the command line, Run CMD as administrator. Then..

Authenticated Users...
c:\windows\system32\icacls "c:\folder name" /grant *S-1-5-11:(OI)(CI)M

c:\windows\system32\icacls "c:\folder name" /grant *S-1-5-4:(OI)(CI)M

About the SIDs I mentioned, see https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

About ICACLS usage... https://ss64.com/nt/icacls.html


I'm on mobile now, so can't confirm the examples I have, but it should get you started. Please try it on a test folder first.

I've confirmed my examples here do work.
sunhuxAuthor Commented:
NVIT,  why need to specify folder_name?  When I remove the 2  "NT Authority\..."  from
local Users group, there' s no folder_name associated with them
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Authenticated Users are all users which have a valid account on this machine. Removing the group from Users means that all user accounts need to be added manually.
Interactive Users are users which can log in using the GUI (versus connecting from a different machine). This includes RDP, as it simulates local login, but still requires RDP privileges (e.g. RDP Users membership). Removing this group from users means that users logging in on console (physically) do not have any privileges by default (as Users is usually the least group membership you need to have to get access to many files and folders).

If you have issues with the GUI, you can always fall back to the command line, so in an elevated command prompt, run
net localgroup /add Users "NT AUTHORITY\Authenticated Users"
net localgroup /add Users "NT AUTHORITY\Interactive"

Open in new window

Whatsoever, if I go into: lusrmgr.msc » groups » Users » Add » Advanced » Search, I see those groups. I can also enter "interactive" or "authenticated" in the Add dialogue and get correct suggestions.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now