
What is the purpose of the "Authenticated Users" group in Windows? Under Linux it doesn't exist and I'm starting to think this is another idiosyncrasy or over-engineering of the Windows operating system.

Here is why:

Assume I want to know what rights the user Mike has on disk C:\; I will type:

net user mike

and will be returned:

User name                    mike
Full Name                    
Comment                      
User's comment               
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/13/2013 7:55:45 AM
Password expires             Never
Password changeable          7/13/2013 7:55:45 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   7/13/2013 7:53:58 AM

Logon hours allowed          All

Local Group Memberships      *Users            
Global Group memberships     *None

I therefore assume the user mike belongs to the group Users only, so I will check the security tab with a right click on the disk C: and will see that users belonging to the "Users" group cannot modify the disk C: but only read it.

Surprise surprise, however: user mike will be able to write to C:\ !!! Why? Because the command net cannot know it, but mike also belongs to the Authenticated Users group, which has the right to write on C:!!

Can someone confirm the above story, comment on whether it makes any sense or, as I suspect, is a case of over-engineering, and elaborate on the reasons behind this?

EDIT:

Notice that the net command correctly shows groups if I create a new group and add user mike to it.

 net localgroup testgroup /add
 net localgroup testgroup mike 
 net user mike

returns

[*]
Local Group Memberships      *Users     *testgroup       
Global Group memberships     *None
dendini
  • Excuse my ignorance, but why can't the command net know that mike also belongs to another group? The plural in "Local Group Memberships" makes me think it should be able to see all groups to which mike belongs. – Lex Jul 12 '13 at 12:16
  • That's exactly my point: it should list all groups but it doesn't! My "the command net cannot know it but mike also belongs to the Authenticated Users group" is a statement of the facts under Windows 7. – dendini Jul 12 '13 at 12:28
  • What if you create a new group, such as caesar for instance, and add mike to that group? Would it show in the output of the net command then? – Lex Jul 12 '13 at 12:35
  • See my edit; anyway, it correctly shows the group caesar under mike's groups. – dendini Jul 12 '13 at 13:09
  • So you have a very good question here. Definitely a +1. – Lex Jul 12 '13 at 13:23
  • Upvoted. I just ran into this totally non-obvious & potentially dangerous Microsoftism. Now I have to work out whether I'm best to remove Auth Users from Users & potentially break something, or add a specific Deny rule to the other group/s. If this system just worked as any average user would intuit out-of-the-box, I wouldn't have to make this weird decision! – underscore_d Oct 12 '15 at 09:45
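One way to see the principals that "net user" never lists is to read them from the logon token itself and then match them against the DACL of C:\. This is an added example, not code from the question or any answer; it assumes it is run in a PowerShell session logged on as the user under investigation (mike in the question) and that C:\ is the drive whose permissions are being checked.

```powershell
# Added example: enumerate every group in the current logon token, including the
# implicit principals ("Authenticated Users", "INTERACTIVE", "Everyone") that
# "net user" does not report, then keep only the ACEs on C:\ that apply to them.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Translate each group SID to a name. Logon-session SIDs have no name and are
# skipped by the catch block.
$tokenGroups = foreach ($g in $id.Groups) {
    try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
"Token groups for $($id.Name):"
$tokenGroups | Sort-Object -Unique

# These are the memberships computed per session rather than stored on the
# account, which is why "net user" cannot show them.
"Implicit principals (not shown by 'net user'):"
$tokenGroups | Where-Object { $_ -like 'NT AUTHORITY\*' -or $_ -eq 'Everyone' }

# Walk the DACL of C:\ and keep the ACEs whose trustee is this user or any group
# in the token. A Deny ACE here wins over an Allow for the same right.
$acl = Get-Acl -Path 'C:\'
$principals = @($id.Name) + $tokenGroups
$acl.Access |
    Where-Object { $principals -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Running this as a member of Users only will still list "NT AUTHORITY\Authenticated Users" in the token, and any Allow ACE granted to that principal on C:\ explains the write access the question describes.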

3 Answers


There are a number of special groups in Windows. Included among these are Authenticated Users, Interactive Users, Everyone, etc. These days, Everyone and Authenticated Users are effectively equivalent for most purposes, but if you had a pre-2003 domain level domain that would not be true.

In any event, there is no way to observe the membership of these groups. In a sense the membership is calculated when a SACL or DACL is processed.

That said, it seems strange to me that you would be assigning permissions in the file system to authenticated users, especially C:\. A more appropriate setting would be Interactive Users or, if you're locking down workstations, read only.

The technical definitions of these two, according to Microsoft, are:

Authenticated Users:

Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.

Everyone:

All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to a system resource.

You can find these for yourself, along with all others, here: http://technet.microsoft.com/en-us/magazine/dd637754.aspx

David Hoelzer
  • _"Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests."_ [SOURCE](http://security.stackexchange.com/editing-help#comment-formatting) – Pressacco Jan 19 '15 at 02:49
  • The craziest thing happens when you realise Allow Local Logon by default contains _Users_, which itself contains _Authenticated Users_ & _Interactive_. Let's break this down, shall we? -/- A hypothetical user is not a member of _Users_. Thus, they're not allowed to log in. Yet, by trying to log in & achieving the feat of remembering their password, they get added to a hidden group. Which **is** part of Users & hence _is_ allowed to log in. -/- So, you're not allowed to log in. Unless you manage to log in, in which case you're allowed to log in. So, you can't log in--unless you can. _Microsoft_ – underscore_d Oct 12 '15 at 10:50
  • underscore_d, these integrated groups/principals are not assigned to users, but to individual sessions. So even if somebody logged on, his "other" not logged on session would not get this. Or another more realistic example: if I'm logged on interactively and at the same time access a shared folder from another machine, my interactive session will have the INTERACTIVE principal but my remote one will not, although both are logged on with the same user. – mihi Jan 24 '16 at 12:53
  • And you can use `whoami /ALL` to see all your principals for the current session, including the integrated ones. – mihi Jan 24 '16 at 12:55

Authenticated users means exactly that: any and all users who have authenticated to the system. That would be any user that is a member of any group on your local system.

Since Mike is a member of users he is inherently an authenticated user.

In a domain environment this would be any user that is a member of any group on the domain.

Tim Brigham
  • Why then doesn't the net command show "Authenticated Users" among mike's groups? What is Authenticated Users? A group or something else? I get your point, but your answer makes the whole thing look even more arcane. – dendini Jul 12 '13 at 14:27
  • For the reason stated in the accepted answer. :) – David Hoelzer Feb 06 '14 at 01:11

So if the file system is NTFS and Mike is denied write privileges in one group, then he should be denied write privileges in all groups, because a deny overrides an allow. So it won't matter what access Mike is given from the pseudo group Authenticated Users if the Deny box is checked in the Users group for write or whatever else. I get your point of why doesn't it show all groups and can't answer that better than others have, but at least you know someone won't have a certain permission by using deny.

Ronnie