jskfan

asked on

Authenticated Users and Domain Users Members


If I understand correctly, if you have one Active Domain, then the Authenticated Users group and the Domain Users group are the same thing.
If you have multiple AD domains, then the Authenticated Users group is forest-wide but the Domain Users group is domain-limited.

In both cases, though, the difference is, if I am not wrong, that the Authenticated Users group can have users and computers as its members, but the Domain Users group can have only users, not computers.


I would like an AD Expert to confirm or correct me if I am wrong.

Thank you
kevinhsieh

Authenticated Users and Domain Users are NOT the same thing.

Authenticated Users include any type of account that authenticated. That includes users, it includes computers, and it includes special accounts that you set up and remove from Domain Users. It is everything but the Guest account.

Domain Users wouldn't have computers in it by default, but you can manually add a computer to Domain Users. You can also remove a computer from Domain Computers, if you put it in another group first. It would still be part of Authenticated Users.
jskfan

ASKER

kevinhsieh 



Authenticated Users: computer + user accounts in the whole forest

Domain Users: user accounts only, in one domain.
If you have one domain, then the users in Domain Users are the same as the users in the Authenticated Users group (any user authenticated to the domain).

If you have more than one domain in a forest, then you will have separate Domain Users groups, but still one Authenticated Users group.




Authenticated Users isn't an Active Directory object or notion. It is machine based. Authenticated Users still exists even for machines not domain joined.
jskfan

ASKER

But we are talking about the Active Directory domain world.
If you have a forest with 2 domains, the default Authenticated Users group will have users from both domains, but the default Domain Users group from domain 1 is different from the default Domain Users group from domain 2.

I do not know how you can distinguish between the Domain Users group from domain 1 and the Domain Users group from domain 2. My lab has only one domain so far.

Hi,

Forget different domains for a moment. I don't have experience with or a need for a multi-domain setup, so I can't comment. However, Authenticated Users and Domain Users are NOT the same thing at all. You are definitely wrong on that. If they were "the same" there would be no point in having both. This is true in a one-domain environment. It is STILL true in multiple domains.

There are 3 groups that are "well known". In MS language they mean common groups that exist in a domain that have a unique security ID (SID). They are:

Everyone
Authenticated users
Domain users

It is a pyramid relationship. As a metaphor think People, men, wizards. All men are people, but not all wizards are men.

i.e. Authenticated users are a parent group almost of "domain users".

All accounts that provide a valid security token in their login credentials and gain login, are "authenticated". This account is controlled by the computer. That's key. You can't change the contents of who is or is not in it. So what? Well, it matters when you design your AD and assign "auth users".

Domain users have authenticated users added by default. It is the group you edit when authenticated users is not enough.

They are very different use cases. Just because they might contain the same user accounts at first does not mean they behave the same.

Short answer:
https://morgantechspace.com/2013/08/authenticated-users-vs-domain-users.html 
Longer
https://www.devadmin.it/2017/01/18/everyone-vs-authenticated-users-vs-domain-users/ 
Use cases
https://serverfault.com/questions/125688/what-is-the-difference-between-the-authenticated-user-and-user-groups-in-win 

If I were you I would concentrate on understanding the core behaviour of these accounts in a single domain, before getting into multi-domain setups. If you don't have a firm grounding on single domain theory, you're going to get in a bigger uglier mess with multi domains.

Domain Users has a unique SID for each and every domain. When assigning permissions, you don't assign "Domain Users", it is "[domain]\Domain Users", so even in the UI you can see where the group comes from, just as you could assign "computer\users", which is a local user group.
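
Added example (not part of any post in this thread): a small Python classifier for the SIDs found in an exported ACL, showing that Authenticated Users is the same fixed SID (S-1-5-11) everywhere while each domain's Domain Users group is that domain's SID plus RID 513. The domain SIDs, the names DOMAINA/DOMAINB and the ACL entries are constructed for illustration.

```python
import re

# Fixed well-known SIDs: identical on every Windows machine and in every domain.
FIXED_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known relative IDs (RIDs) appended to a domain's own SID.
DOMAIN_RIDS = {501: "Guest", 513: "Domain Users",
               514: "Domain Guests", 515: "Domain Computers"}
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def classify_sid(sid, domain_names=None):
    """Return (scope, name): scope is "fixed", "domain" or "unknown".

    domain_names optionally maps a domain SID to a display name.
    """
    sid = sid.strip().upper()
    if sid in FIXED_SIDS:
        return ("fixed", FIXED_SIDS[sid])
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return ("unknown", sid)
    domain_sid, rid = m.group(1), int(m.group(2))
    domain = (domain_names or {}).get(domain_sid, domain_sid)
    return ("domain", f"{domain}\\{DOMAIN_RIDS.get(rid, f'RID {rid}')}")


def resolve_acl(acl, domain_names=None):
    """Resolve each (sid, right) entry to (scope, trustee, right)."""
    return [classify_sid(sid, domain_names) + (right,) for sid, right in acl]


# Constructed sample data: two made-up domain SIDs in one forest.
DOMAINS = {
    "S-1-5-21-1000000001-2000000002-3000000003": "DOMAINA",
    "S-1-5-21-1000000004-2000000005-3000000006": "DOMAINB",
}
SAMPLE_ACL = [
    ("S-1-5-11", "Read"),                                          # same SID in any domain
    ("S-1-5-21-1000000001-2000000002-3000000003-513", "Modify"),   # DOMAINA\Domain Users
    ("S-1-5-21-1000000004-2000000005-3000000006-513", "Read"),     # DOMAINB\Domain Users
    ("S-1-5-21-1000000001-2000000002-3000000003-515", "Read"),     # DOMAINA\Domain Computers
]

if __name__ == "__main__":
    for scope, trustee, right in resolve_acl(SAMPLE_ACL, DOMAINS):
        print(f"{scope:7} {trustee:28} {right}")
```
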
jskfan

ASKER

kevinhsieh 
Thanks for [domain]\Domain Users.

I do not have a lab setup for multiple domains.

What I was trying to confirm is that in:
One AD domain:
Authenticated Users: means all users and computers in the domain
Domain Users: all users in the domain

Multiple domains under one forest:
Authenticated Users: all users and computers in the forest
Domain Users: all users in a specific domain. For instance, you can have DomainA\Domain Users, DomainB\Domain Users

** So the Authenticated Users scope is forest-wide (either one domain or multiple domains)
ASKER CERTIFIED SOLUTION
kevinhsieh
jskfan

ASKER

<<Note that Domain Users can contain members from other domains.  >>

Not by default, but you can manually add users from other domains