Learning about Well-Known Security Principals

Q: What is the exact difference between the Active Directory (AD) Authenticated Users and Everyone well-known security principals that come predefined on each AD installation? Are there any differences in these groups’ default memberships?

A: The Authenticated Users well-known security principal (SID S-1-5-11) covers every security principal that has authenticated to Windows with a valid set of credentials. It is not a group with a stored member list; the SID is added to the access token at logon. This not only includes all users with valid credentials in the forest and its domains (and the computer accounts that authenticate alongside them), but also users from other forests who access resources in the local forest with valid credentials over a forest trust or an external trust relationship.

The Everyone well-known security principal (SID S-1-1-0) is a superset of Authenticated Users: it includes the Authenticated Users well-known security principal plus the Guest account and, depending on the Windows version and configuration described below, the Anonymous account.

The important practical difference between the Everyone and Authenticated Users well-known security principals therefore lies in whether the Guest and Anonymous accounts are members. This difference is summarized in Table 1 and described in more detail below.

In a Windows 2000 AD and on Windows XP, the Guest account is automatically a member of both the Everyone and Authenticated Users well-known security principals. In a Windows Server 2003 AD and on Windows XP Service Pack 2 (SP2), this is true only for the Everyone well-known security principal.

In a Win2K AD and on XP, the Anonymous account (ANONYMOUS LOGON, SID S-1-5-7) is automatically a member of the Everyone well-known security principal, but not of the Authenticated Users well-known security principal. In a Windows Server 2003 AD and on XP SP2, the Anonymous account is neither a member of Authenticated Users nor, by default, a member of Everyone. It becomes a member of Everyone only when the following security policy setting is enabled: “Network access: Let Everyone permissions apply to anonymous users”. The setting is stored in the registry as the REG_DWORD value EveryoneIncludesAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. When this value is set to 1, the Anonymous account is a member of Everyone, which restores the Windows 2000 behavior; the secure default is 0. On a system where it is 1, every ACL entry granted to Everyone also applies to unauthenticated (null-session) callers, which is the main reason to grant to Authenticated Users rather than Everyone.

Table 1: Default Memberships of Everyone and Authenticated Users Well-known Security Principals

Member                                    Everyone                 Authenticated Users
All users in the domain                   Yes                      Yes
All users in the forest                   Yes                      Yes
All users in trusted domains and forests  Yes                      Yes
Guest                                     Yes                      Win2K AD / XP only (a)
Anonymous                                 Win2K AD / XP only (b)   No

(a) Not a member in a Windows Server 2003 AD or on Windows XP SP2.
(b) Not a member in a Windows Server 2003 AD or on Windows XP SP2 unless “Network access: Let Everyone permissions apply to anonymous users” is enabled (EveryoneIncludesAnonymous = 1).
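The following PowerShell script is an added example and is not part of the original article. It shows how to verify the memberships discussed above on a live system: it reports which of the three well-known SIDs are present in the current logon token, reads the EveryoneIncludesAnonymous value described above, and lists ACL entries on a path that are granted to Everyone rather than Authenticated Users. The function names and the path C:\Shares\Public are assumptions chosen for illustration.

```powershell
# Added example (not from the original article). Windows PowerShell 5.1 or
# PowerShell 7 on Windows; run as the account whose token you want to inspect.

# Fixed well-known SIDs for the principals discussed in the article.
$WellKnownSids = [ordered]@{
    'Everyone'            = 'S-1-1-0'
    'Authenticated Users' = 'S-1-5-11'
    'ANONYMOUS LOGON'     = 'S-1-5-7'
}

function Get-TokenWellKnownMembership {
    # Reports which well-known principals the current logon token carries.
    # These SIDs are added to the token at logon rather than stored as group
    # memberships, so a live token is the only reliable place to see them.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($name in $WellKnownSids.Keys) {
        [pscustomobject]@{
            Principal = $name
            Sid       = $WellKnownSids[$name]
            InToken   = ($tokenSids -contains $WellKnownSids[$name])
        }
    }
}

function Get-EveryoneIncludesAnonymous {
    # Reads the LSA value behind the policy "Network access: Let Everyone
    # permissions apply to anonymous users". An absent value means the
    # default, which is 0 (disabled) on Windows Server 2003 / XP SP2 and later.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props = Get-ItemProperty -Path $key -Name 'EveryoneIncludesAnonymous' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.EveryoneIncludesAnonymous
}

function Find-EveryoneAce {
    # Lists access rules on $Path granted to Everyone (S-1-1-0). With
    # EveryoneIncludesAnonymous = 1, or on Windows 2000, each of these rules
    # also applies to unauthenticated callers; Authenticated Users is usually
    # the grantee the administrator actually meant.
    param([Parameter(Mandatory)][string]$Path)

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $acl = Get-Acl -Path $Path
    # Request the rules keyed by SID so the comparison does not depend on the
    # localized display name of Everyone.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone } |
        Select-Object @{ Name = 'Path'; Expression = { $Path } },
                      FileSystemRights, AccessControlType, IsInherited
}

# Usage
Get-TokenWellKnownMembership | Format-Table -AutoSize

$flag = Get-EveryoneIncludesAnonymous
if ($flag -eq 1) { "EveryoneIncludesAnonymous = 1 (Anonymous is a member of Everyone)" }
else             { "EveryoneIncludesAnonymous = $flag (Anonymous is not a member of Everyone)" }

# Assumed example path; substitute a folder or share you administer.
Find-EveryoneAce -Path 'C:\Shares\Public' | Format-Table -AutoSize

# Hardening: return the value to its secure default of 0. Requires elevation,
# and a Group Policy setting for the same option will overwrite it on refresh.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'EveryoneIncludesAnonymous' -Value 0 -Type DWord
```

Run the script once as an ordinary domain user and once as Guest (where that account is enabled) to see the difference the article describes: the ordinary user's token carries both S-1-1-0 and S-1-5-11, while on Windows Server 2003 / XP SP2 and later a Guest logon carries S-1-1-0 only. The ACE scan is the follow-up check: any grant to Everyone it lists is a candidate to be re-granted to Authenticated Users.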
