What is the meaning of the "Authenticated Users" group in Windows?

628    Asked by BellaBlake in Cyber Security , Asked on Sep 23, 2022

What is the purpose of the "Authenticated Users" group in Windows? Under Linux it doesn't exist and I'm starting to think this is another idiosyncrasy or over-engineering of the Windows operating system.

Here is why:

Assume I want to know what rights has the user Mike on disk C:, I will type:

net user mike

and will be returned:


User name                    mike

Full Name                    

Comment                      

User's comment               

Country code                 000 (System Default)

Account active               Yes

Account expires              Never


Password last set            7/13/2013 7:55:45 AM

Password expires             Never

Password changeable          7/13/2013 7:55:45 AM

Password required            Yes

User may change password     Yes


Workstations allowed         All

Logon script                 

User profile                 

Home directory               

Last logon                   7/13/2013 7:53:58 AM


Logon hours allowed          All


Local Group Memberships      *Users            

Global Group memberships     *None

I therefore assume the user mike belongs to group Users only, so I will check the security tab with a right click on the disk C and will see that users belonging to the "Users" group cannot modify the disk c but only read it.

Surprise surprise however, user mike will be able to write to C: !!! Why? because the command net cannot know it but mike also belongs to the Authenticated Users group which has the right to write on C:!!

Can someone confirm the above story, comment whether it makes any sense or as I doubt it is a case of over-engineering and elaborate on the reasons behind this?

There are a number of special groups in Windows. Included among these are Authenticated Users, Interactive Users, Everyone, etc. These days, Everyone and Authenticated Users are effectively equivalent for most purposes, but if you had a pre-2003 domain level domain that would not be true.


In any event, there is no way to observe the membership of these groups. In a sense the membership is calculated when a SACL or DACL is processed.

That said, it seems strange to me that you would be assigning permissions in the file system to authenticated users, especially C:. A more appropriate setting would be Interactive Users or, if you're locking down workstations, read only.

The technical definitions of these two, according to Microsoft, are:

Authenticated Users:

Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organisation.

Everyone:

All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to a system resource.

You can find these for yourself, along with all others, here: http://technet.microsoft.com/en-us/magazine/dd637754.aspx



Your Answer

Interviews

Parent Categories