<div>
Authenticated Users and Domain Users are NOT the same thing.<br />
<br />
Authenticated Users include any type of account that authenticated. That includes users, it includes computers, and it includes special accounts that you setup and remove from domain users. It is everything but the Guest account.<br />
<br />
Domain Users wouldn't have computers in it by default, but you can manually add a computer to Domain Users. You can also remove a computer from Domain Computers, if you put it in another group first. It would still be part of Authenticated Users.
</div>


COG Lead Engineer

Shaun Vermaak

<div>
<a href="https://www.experts-exchange.com/members/kevinhsieh.html" rel="ugc">kevinhsieh</a>&nbsp;<br><br><br><br>Authenticated Users : computers+Users Accounts in whole forest<br><br>Domain Users: User accounts only in one Domain. <br>if you have one Domain, &nbsp;then Users in Domain users are the same as users in authenticated users group (Any user authenticated to the Domain)<br><br>if you have more than one Domain in a forest, then you will have separate Domain Users Groups, but still one Authenticated Users grop<br><br><br><br><br>
</div>


<div>
Authenticated Users isn't an Active Directory object or notion. It is machine based. Authenticated Users still exists even for machines not domain joined.
</div>


<div>
But we are talking in Active Directory Domain world.<br>if you have a forest with 2 domains , default Authenticated Users group will have users from both domains, but default domain users group from domain 1 is different from default domain users from domain 2 .<br><br>I do not know how you can distinguish between domain users group from domain 1 and domain users from domain 2 . &nbsp;My LAB has one domain only so far.<br><br>
</div>


<div>
Hi,<br><br>Forget different domains for a moment. I don't have experience/need for multi domain setup so can't comment. However, Authenticated Users ad domain users are NOT the same thing at all. You are definitely wrong on that. If they were "the same" there's no point in having both. This is true in a one domain environment. It is STILL true in multiple domains.<br><br>There are 3 groups that are "well known". In MS language they mean common groups that exist in a domain that have a unique security ID (SID). They are:<br><br>Everyone<br>Authenticated users<br>Domain users<br><br>It is a pyramid relationship. As a metaphor think People, men, wizards. All men are people, but not all wizards are men.<br><br>i.e. Authenticated users are a parent group almost of "domain users".<br><br>All accounts that provide a valid security token in their login credentials and gain login, are "authenticated". This account is controlled by the computer. That's key. You can't change the contents of who is or is not in it. So what? Well, it matters when you design your AD and assign "auth users".<br><br>Domain users have authenticated users added by default. It is the group you edit when authenticated users is not enough.<br><br>They are very different use cases. Just because they might contain the same user accounts at first does not mean they behave the same.<br><br>Short answer:<br><a href="https://morgantechspace.com/2013/08/authenticated-users-vs-domain-users.html" rel="ugc">https://morgantechspace.com/2013/08/authenticated-users-vs-domain-users.html</a>&nbsp;<br>Longer<br><a href="https://www.devadmin.it/2017/01/18/everyone-vs-authenticated-users-vs-domain-users/" rel="ugc">https://www.devadmin.it/2017/01/18/everyone-vs-authenticated-users-vs-domain-users/</a>&nbsp;<br>Use cases<br><a href="https://serverfault.com/questions/125688/what-is-the-difference-between-the-authenticated-user-and-user-groups-in-win" rel="ugc">https://serverfault.com/questions/125688/what-is-the-difference-between-the-authenticated-user-and-user-groups-in-win</a>&nbsp;<br><br>If I were you I would concentrate on understanding the core behaviour of these accounts in a single domain, before getting into multi-domain setups. If you don't have a firm grounding on single domain theory, you're going to get in a bigger uglier mess with multi domains.<br><br>
</div>


<div>
Domain Users has a unique SID for each and every domain. When assigning permissions, you don't assign "Domain Users", it is "[domain]\Domain Users", so even in the UI you can see where the group comes from, just as you could assign "computer\users", which is a local user group.
</div>


<div>
<a href="https://www.experts-exchange.com/members/kevinhsieh.html" rel="ugc">kevinhsieh</a>&nbsp;<br>thanks fo [domain]\Domain Users <br><br>I do not have a lab setup for multiple domains.<br><br>What I was trying to confirm, is that in:<br><strong>One AD Domain:</strong><br>Authenticated Users : means All users and computers in the domain<br>Domain Users : All users in the Domain<br><br><strong>Multiple Domain under one Forest:</strong><br>Authenticated Users : All users and Computers in the Forest <br>Domain Users : all users in a specific domain. for instance you can have DomainA\Domain Users, DomainB\Domain Users<br><br>** So Authenticated Users scope is Forest Wide( either one domain or multiple domain)
</div>


jskfan

<div>
&lt;&lt;Note that Domain Users can contain members from other domains. &nbsp;&gt;&gt;<br><br>Not by default, but you can manually add users from other domains
</div>


<div>
<div class="content wysiwyg-content">
Authenticated Users and Domain Users Members<br />
<br />
If I understand if you have one Active Domain then Authenticated Users group and Domain Users group is the same thing. <br />
If You have Multiple AD Domain, then Authenticated Users group is forest wide but Domain Users group is domain limited.<br />
<br />
in both case though the difference is If I am not wrong the authenticated Users group can have Users and Computers as its members but Domain Users Group can have only Users but not computers<br />
<br />
<br />
I would like an AD Expert to confirm or correct me if I am wrong.<br />
<br />
Thank you
</div>
</div>


Authenticated Users and Domain Users Members

If I understand if you have one Active Domain then Authenticated Users group and Domain Users group is the same thing. 
If You have Multiple AD Domain, then Authenticated Users group is forest wide but Domain Users group is domain limited.

in both case though the difference is If I am not wrong the authenticated Users group can have Users and Computers as its members but Domain Users Group can have only Users but not computers


I would like an AD Expert to confirm or correct me if I am wrong.

Thank you

Authenticated Users and Domain Users Members

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.