What is the meaning of the "Authenticated Users" group in Windows?

352    Asked by BellaBlake in Cyber Security, asked on Sep 23, 2022

What is the purpose of the "Authenticated Users" group in Windows? Under Linux it doesn't exist and I'm starting to think this is another idiosyncrasy or over-engineering of the Windows operating system.

Here is why:

Assume I want to know what rights the user Mike has on disk C:. I will type:

net user mike

and will be returned:

User name                    mike
Full Name                    
Comment                      
User's comment               
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/13/2013 7:55:45 AM
Password expires             Never
Password changeable          7/13/2013 7:55:45 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   7/13/2013 7:53:58 AM

Logon hours allowed          All

Local Group Memberships      *Users            
Global Group memberships     *None

I therefore assume the user mike belongs to the group Users only, so I check the Security tab (right-click on disk C) and see that users belonging to the "Users" group cannot modify disk C, but only read it.

Surprise, surprise: user mike will nonetheless be able to write to C:!!! Why? Because the net command cannot know it, but mike also belongs to the Authenticated Users group, which has the right to write to C:!!

Can someone confirm the above story, comment on whether it makes any sense or, as I doubt, is a case of over-engineering, and elaborate on the reasons behind this?

There are a number of special groups in Windows. Included among these are Authenticated Users, Interactive Users, Everyone, etc. These days, Everyone and Authenticated Users are effectively equivalent for most purposes, but if you had a pre-2003 domain level domain that would not be true.

In any event, there is no way to observe the membership of these groups. In a sense, the membership is calculated when a SACL or DACL is processed.

That said, it seems strange to me that you would be assigning permissions in the file system to authenticated users, especially C:. A more appropriate setting would be Interactive Users or, if you're locking down workstations, read only.

The technical definitions of these two, according to Microsoft, are:

Authenticated Users:

Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organisation.

Everyone:

All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to a system resource.

You can find these for yourself, along with all others, here: http://technet.microsoft.com/en-us/magazine/dd637754.aspx
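The question's "net user shows only Users, yet mike can write to C:" puzzle and the answer's point that Authenticated Users membership is computed at logon rather than stored can both be made visible from a PowerShell prompt. The following is an added example, not code from the original question or answer: it dumps the group SIDs in the current logon token (where the well-known SIDs S-1-5-11 Authenticated Users and S-1-1-0 Everyone show up even though `net user` never lists them), and then reads the DACL on C:\ and flags any ACE that grants write-class rights to one of those implicit identities. The `$wellKnown` table and the `Test-ImplicitWriteAccess` function name are this example's own choices; the SID values are the documented Windows well-known SIDs.

```powershell
# Added example: show why a user's effective rights on C:\ exceed what 'net user' suggests.
# Well-known SIDs that are injected into a token at logon and never appear as stored
# group membership (values are the standard Windows well-known SIDs).
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-2'  = 'NETWORK'
}

# 1. Enumerate the current process token. Stored groups (e.g. BUILTIN\Users) and
#    logon-computed identities (Authenticated Users, Everyone, INTERACTIVE) are
#    listed side by side; the Implicit column marks the ones 'net user' cannot show.
function Get-TokenGroupReport {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $sidValue = $sid.Value
        if ($wellKnown.ContainsKey($sidValue)) {
            $name = $wellKnown[$sidValue]
        } else {
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolvable)' }
        }
        [pscustomobject]@{
            Sid      = $sidValue
            Name     = $name
            Implicit = $wellKnown.ContainsKey($sidValue)
        }
    }
}

# 2. Read the DACL of a path and report every ACE that grants write-class rights
#    (any bit of FileSystemRights.Write, which includes AppendData, i.e.
#    "Create folders / append data") to Authenticated Users or Everyone.
#    This is the check an administrator would run when auditing a volume root.
function Test-ImplicitWriteAccess {
    param([string]$Path = 'C:\')
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Compare by SID so the check does not depend on the display language.
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($aceSid -notin @('S-1-5-11', 'S-1-1-0')) { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $wellKnown[$aceSid]
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            AppliesTo   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            GrantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                          (([int]$ace.FileSystemRights -band $writeMask) -ne 0)
        }
    }
}

Get-TokenGroupReport      | Format-Table -AutoSize
Test-ImplicitWriteAccess  | Format-Table -AutoSize
```

Run it as the user in question (no elevation is needed to read a token or a DACL). The first table shows S-1-5-11 sitting in the token next to BUILTIN\Users, which is the membership the question's `net user` output omits; the second shows whether the volume root carries an Allow ACE for that SID with any write bit set, which is the concrete reason the Security tab's "Users" entry alone does not predict what mike can do. Any row with GrantsWrite set to True on a path you intended to be read-only for ordinary accounts is the ACE to remove or scope down, as the answer recommends.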
