6

This is a generalization of a question I initially had asked about computer accounts. I asked:

When one sets Windows permissions for "Everyone", do these permissions apply to computer accounts (aka machine accounts) like MYDOMAIN\MYMACHINE$? Or do they, say, only apply to normal users/groups?

But the question of what Everyone means really deserves a full, general answer -- and ideally one that makes sense to someone who isn't an in-depth expert on Windows permissions. (As of today I've found it hard to get a good sense of Everyone by going through the first few pages of Google results.)

It seems there's at least some subtlety -- eg by default, "anonymous" network connections are not included in Everyone.

Chris
  • 1,063
  • 4
  • 12
  • 18

1 Answers1

3

Regarding computer accounts:

I've had trouble finding any clear documentation about this, so I'll have to answer from my experience. And in my experience, yes, Everyone permissions do apply to computer accounts. (For example, if you grant write access on a share to Everyone, then machine account MYDOMAIN\MYMACHINE$ will thereby get write access to that share.)

Many will find this obvious, but to be explicit about a couple of cases of accessing network resources: Some of the most well-known built-in identities -- e.g. NETWORK SERVICE -- identify as the computer account (eg DOMAIN\MACHINE$) when they access network resources (e.g. network shares). Because computer accounts are in Everyone, we therefore know that processes running under, say, NETWORK SERVICE, are also thus considered as in Everyone for the purpose of accessing network resources. (Theoretically IIS app pool identities should also identity to remote machines as the local computer account, but apparently people are having trouble with this. In contrast, the Local Service account definitely won't count as in Everyone if it accesses resources -- because Local Service identifies to remote servers anonymously, rather than as the machine account.)

(Most of my experimentation involved having Windows Storage Server 2008 as a file server, and trying to access that from Windows Server 2008 (Standard) or Windows 7 Pro. Access from the client machines was made by a process running under NETWORK SERVICE, which authenticates remotely as the client machine's machine account.)

Community
  • 1
Chris
  • 1,063
  • 4
  • 12
  • 18
  • 1
    Why would you think that anyone was not part of everyone? – Ryan Ries Jan 23 '14 at 03:23
  • 4
    I don't mean to sound condescending, by the way. I understand that it can seem counter-intuitive at first, but to Active Directory, computers and users are equal. They're both security principals with account names, passwords, and security groups that log in and have group memberships, etc. Computers and Users both derive from the same schema class, which is, confusingly enough... called User. – Ryan Ries Jan 23 '14 at 03:39
  • 1
    @RyanRies It might be that the ordinary English word "everyone" only applies to people, leaving me without an intuition as to how the particularly "computer-ish" concept of machine accounts would be handled. In addition I found it counter-intuitive that the anonymous identifier was not part of "everyone" -- so I became curious about other potential subtleties. – Chris Jan 24 '14 at 03:56
  • @RyanRies I've generalized my question, because I saw I didn't really understand Everyone as a whole either. If you want to post an official "answer" that shares your helpful insights, feel free! – Chris Jan 24 '14 at 04:37