JSI Tip 7872. The Everyone group does NOT include the Anonymous Security Identifier in Windows XP and Windows Server 2003?

In Windows XP and Windows Server 2003, Anonymous users are granted access to an object only if the object's Access Control List (ACL) explicitly contains the Anonymous SID.
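To see which objects would be affected by this rule, the following added PowerShell example (not part of the original tip) walks a folder's ACL and reports whether each object carries an explicit Allow entry for ANONYMOUS LOGON (well-known SID S-1-5-7), or only an entry for Everyone (S-1-1-0). Objects in the second group are the ones Anonymous users lose on XP and Server 2003 unless the Anonymous SID is added. It assumes PowerShell 3.0 or later and NTFS file or directory paths; the share path C:\Shares\Public is an assumed example.

```powershell
# Added example (not from the original tip): report which ACEs on a file or folder
# would grant access to Anonymous users, given that XP/2003 honour only an explicit
# ANONYMOUS LOGON entry by default. Assumes PowerShell 3.0+ and NTFS paths.
$AnonymousSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'  # ANONYMOUS LOGON
$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # Everyone

function Get-AnonymousAccessReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $everyoneRights  = @()
    $anonymousRights = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only Allow entries grant anything
        # Compare by SID so the check does not depend on the localized account name
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $EveryoneSid)      { $everyoneRights  += $ace.FileSystemRights.ToString() }
        elseif ($sid -eq $AnonymousSid) { $anonymousRights += $ace.FileSystemRights.ToString() }
    }
    [pscustomobject]@{
        Path              = $Path
        # What XP/2003 require by default for Anonymous access
        ExplicitAnonymous = ($anonymousRights.Count -gt 0)
        # Access that Anonymous users had via Everyone on earlier versions and no longer have
        EveryoneOnly      = ($everyoneRights.Count -gt 0 -and $anonymousRights.Count -eq 0)
        AnonymousRights   = ($anonymousRights -join '; ')
        EveryoneRights    = ($everyoneRights -join '; ')
    }
}

# Usage: scan an assumed share root and list the objects that rely on Everyone alone
Get-ChildItem -Path 'C:\Shares\Public' -Recurse |
    ForEach-Object { Get-AnonymousAccessReport -Path $_.FullName } |
    Where-Object { $_.EveryoneOnly } |
    Format-Table Path, EveryoneRights -AutoSize
```

The report lists inherited and explicit ACEs alike, since both count toward what the object actually grants; Deny entries are skipped because they never widen access.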

NOTE: In previous versions of Windows NT, the access token for Anonymous users contained SIDs for:

The Everyone group.
The Anonymous Logon group.
The logon type group (usually Network).

NOTE: Windows 2000 implemented the Pre-Windows 2000 Compatible Access security group.

On Windows Server 2003 domain controllers, to grant Anonymous access, you must include the Everyone and Anonymous groups in the Pre-Windows 2000 Compatible Access group.

NOTE: If you upgrade a Windows 2000 domain controller to Windows Server 2003 and you had already added the Everyone group to the Pre-Windows 2000 Compatible Access group, the Anonymous group is automatically added during the upgrade.

NOTE: If you promote a Windows Server 2003 computer to a domain controller using DCPROMO, check Permissions compatible with pre-Windows 2000 servers to add both the Everyone and Anonymous groups to the Pre-Windows 2000 Compatible Access group.

If you upgrade Windows 2000 to Windows XP, the resources granted to the Everyone group are no longer available to Anonymous users.

If you need Anonymous access in Windows XP, explicitly add the Anonymous group to the ACL of the objects that require it. If you have difficulty determining which objects require Anonymous access, you can instead include the Anonymous group in the Everyone group. This is controlled by the everyoneincludesanonymous Value Name, a REG_DWORD data type, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. When the access token for an Anonymous user is created and the data value of the everyoneincludesanonymous Value Name is 0, the default, the Local Security Authority (LSA) of Windows XP does NOT include the SID of the Everyone group in the Anonymous user's access token. If the everyoneincludesanonymous data value is 1 when the access token for an Anonymous user is created, the LSA includes the SID of the Everyone group.

You can also use Group Policy to set the everyoneincludesanonymous Value Name:

1. Open the Local Security Policy from Administrative Tools, or on a domain controller, the Domain Security Policy.

2. Expand Security Settings / Local Policies / Security Options.

3. Double-click Network access: Let Everyone permissions apply to anonymous users.

4. Select Enabled to allow Anonymous users to be members of the Everyone group, which sets everyoneincludesanonymous to 1. Select Disabled to revert to the default Windows XP behavior, setting everyoneincludesanonymous to 0.
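The policy steps above write the same LSA value the tip describes. The following added PowerShell example (not part of the original tip) reads that value and reports the equivalent policy state, and can set it on a machine that is not under a conflicting policy. It assumes PowerShell 3.0 or later and an elevated session for the Set function; the key path and value name are the ones named in the tip.

```powershell
# Added example (not from the original tip): audit or set the LSA value behind
# "Network access: Let Everyone permissions apply to anonymous users".
# Assumes PowerShell 3.0+ and administrative rights for Set-EveryoneIncludesAnonymous.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'EveryoneIncludesAnonymous'   # REG_DWORD; absent or 0 = default, 1 = Everyone SID added

function Get-EveryoneIncludesAnonymous {
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $present = $false      # value missing: LSA uses the default of 0
        $value   = 0
    } else {
        $present = $true
        $value   = [int]$item.$ValueName
    }
    if ($value -eq 1) { $policyState = 'Enabled' } else { $policyState = 'Disabled' }
    [pscustomobject]@{
        ValuePresent              = $present
        Value                     = $value
        PolicyState               = $policyState
        AnonymousTokenHasEveryone = ($value -eq 1)   # what the LSA will put in new Anonymous tokens
    }
}

function Set-EveryoneIncludesAnonymous {
    param([Parameter(Mandatory)][ValidateSet('Enabled','Disabled')][string]$State)
    if ($State -eq 'Enabled') { $data = 1 } else { $data = 0 }
    # A Local or Domain Security Policy that defines this setting reapplies its own
    # value at the next policy refresh, so prefer the policy editor on managed hosts.
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $data -Type DWord
    Get-EveryoneIncludesAnonymous
}

# Usage: show the current state; uncomment the second line to revert to the XP default
Get-EveryoneIncludesAnonymous | Format-List
# Set-EveryoneIncludesAnonymous -State Disabled
```

The value only affects access tokens created after the change, so existing Anonymous sessions keep the SIDs they were issued with until they reconnect.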
