Difference between a USER and an AUTHENTICATED USER

  • Thread starter Thread starter Bill Tkach
  • Start date Start date
B

Bill Tkach

I assume that if you are a USER, are you not already an AUTHENTICATED USER?

Can someone tell me the difference between these two groups? Why I would
use one over the other?
Thanks!
 
Any user that authenticates to your computer becomes a member of the special
group authenticated users which is also a member of the users group. You can
use whoami or gpresult to see all the groups that a logged on users is a
member of. You can not control membership of the authenticated users group
while you can control membership to the users group. In general I would
leave membership of the users group alone at default levels and instead
create new groups if you want to restrict access to resources. I don't see
an advantage of using one over the other when you want to grant
permissions/privileges to a broad group if the user group membership is not
messed with. However for instance it is possible to add guest account to the
users group [don't ask me why anyone would want to do such!]. Because of
that many security guides recommend giving permissions to authenticated
users instead of users.

The main thing to consider is to avoid giving permissions to "everyone" .
Everyone includes well everyone including guest account, and anonymous
logon. If you use authenticated users you will be sure to not allow access
to guest account or anonymous logon access. If the guest account becomes
enabled on a computer then any network user can access shares that include
permissions for the everyone group for both the share and ntfs. --- Steve

http://www.microsoft.com/technet/security/default.mspx --- TechNet
Security link.
 
I'll take a crack at the critical difference, briefly.

A "user" is a member of the Users group, which you control and
is exactly what you see when you look at the groups membership.

An "authenticated user" is any account that has been authenticated
(i.e. logged in with credentials) anywhere in the forest.
 
That makes it clearer.
So, if someone logs on to the domain, they are automatically assigned to the
Authenticated Users group.
This might not be so for the user group, since the people in this group are
assigned by the administrator.

That helps a lot.
thank you.
 
Bill Tkach said:
That makes it clearer.
So, if someone logs on to the domain, they are automatically assigned to the
Authenticated Users group.
yes

This might not be so for the user group, since the people in this group are
assigned by the administrator.
Click to expand...

yes - and similarly for Domain Users

but - they do not have to log into the domain to be an
Authenticated Users "member" - they only need to log
into some domain of the forest.
 
Back
Top