Skip navigation
Understanding the Authenticated Users Group

Understanding the Authenticated Users Group

Are accounts such as ASPNET, IWAM_machine_name, and IUSR_machine_name members of the Authenticated Users group?

Authenticated Users isn't a true group—it's a special security principal that specifies any session that's been authenticated using some account, such as a local SAM account, domain account, or account from any trusted domain. So Authenticated Users does include the accounts you mention.

Microsoft created the Authenticated Users group in response to fears that Anonymous logons could gain access to objects for which Everyone (another special security principal) has access. I don't recommend using the Authenticated Users group for controlling permissions because it includes local accounts, which are a bad practice to use because you can't centrally manage them at the domain level, and they use NT LAN Manager (NTLM) authentication rather than the stronger Kerberos. Also, the membership of Authenticated Users changes dynamically when you create a trust to another domain. When you want to give all users in a domain access to a resource, I recommend that you use the Domain Users group, which limits membership to the domain. If you need to give all users in a forest access to a resource, create a universal scope group called Forest Users and add each domain's Domain Users group as a member.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.