Access Denied: Limiting Access to Users at the Forest and Domain Levels

Get answers to your security-related Win2K questions

[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]

When I grant access to Authenticated Users, to whom am I actually giving access? How can I limit access to all users at the forest and domain levels?

Imagine that you're adjusting the ACL of a folder on a member server in an Active Directory (AD) domain called is part of a Windows 2000 forest that includes two other domains. In addition, trusts a Windows NT domain called OLDNT and a Kerberos realm called KERB1. In this case, Authenticated Users includes all local users in the member server's local SAM, all users in the domain, and all users in all other domains that are in the same forest as Authenticated Users also includes global users in the OLDNT domain and principals from the KERB1 realm. Because AD trust relationships with domains and realms outside the AD forest are intransitive, Authenticated Users doesn't include users from other domains or realms that OLDNT or KERB1 trust.

To limit access to the domain users of a given domain, allow access to only that domain's Domain Users group. Win2K automatically adds every new AD user account to the Domain Users group. Because Domain Users is a global group, it will never include machine local users in a member server's or workstation's SAM or users from any other domain. To grant access to all domain users in the forest while excluding local SAM users and users in legacy NT domains or Kerberos realms, create a universal group called Forest Users. For each domain in the forest, add the Domain Users group as a member of Forest Users.
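As an added example (not part of the original column), the following PowerShell builds the Forest Users universal group described above, adds each forest domain's Domain Users group to it, and then grants that group access to a folder in place of Authenticated Users. It assumes the ActiveDirectory PowerShell module (RSAT) from later Windows versions, which did not exist on Windows 2000, and uses placeholder values for the OU and folder paths.

```powershell
# Added example; not the column's own code. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to create groups in the forest root domain.
Import-Module ActiveDirectory

$GroupName = 'Forest Users'
$TargetOU  = 'OU=Groups,DC=example,DC=com'   # placeholder: OU in the forest root domain
$Folder    = 'D:\Shares\Projects'            # placeholder: folder whose ACL is being adjusted

$forest = Get-ADForest

# Create the universal security group once, in the forest root domain (idempotent).
$forestUsers = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $forest.RootDomain
if (-not $forestUsers) {
    $forestUsers = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
        -Path $TargetOU -Server $forest.RootDomain -PassThru
}

# For every domain in the forest, add that domain's Domain Users group as a member.
# Domain Users always has RID 513, so resolve it by SID instead of its (localizable) name.
# Only forest domains are enumerated here, so external NT domains and Kerberos realms
# trusted by individual domains are never included.
foreach ($domainName in $forest.Domains) {
    $domain      = Get-ADDomain -Identity $domainName
    $domainUsers = Get-ADGroup -Identity "$($domain.DomainSID)-513" -Server $domainName
    # Set-ADGroup -Add with the member DN works reliably for cross-domain members.
    Set-ADGroup -Identity $forestUsers -Server $forest.RootDomain `
        -Add @{ member = $domainUsers.DistinguishedName }
    Write-Output "Added $($domain.DNSRoot)\Domain Users to $GroupName"
}

# Verify membership: expect exactly one Domain Users entry per forest domain.
Get-ADGroupMember -Identity $forestUsers -Server $forest.RootDomain |
    Select-Object Name, objectClass, distinguishedName

# Grant the new group (by SID, so no NetBIOS name lookup is needed) read access to the
# folder; this replaces the broader Authenticated Users ACE discussed above.
$acl  = Get-Acl -Path $Folder
$sid  = New-Object System.Security.Principal.SecurityIdentifier($forestUsers.SID.Value)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl
```

Universal security groups are only available once the domain is running in Windows 2000 native mode (or a later domain functional level), so confirm that before creating Forest Users.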
