"Everyone" group vs "Users" group
Markie
Member Posts: 54 ■■□□□□□□□□
Hi all, I have been getting quite confused in my readings as to what users are included (by default) in the built-in local group of "Users" and the built-in system group of "Everyone".
Now, correct me if I'm wrong but based on my readings, I thought that the Users group comprises only of users who were created on the local system (excluding the default Guest and Administrator accounts) but not those users who connect to the local computer over the network.
I suppose I have always seen the "Users" group of being related to only the local system (i.e. interactive users).
In some practice exam questions I have done, the "Users" group has been assigned "shared permissions" on folders which doesn't make a whole lot of sense if the group does not include network-based users.
It is however my understanding that the Everyone group does as the name suggests comprise of everyone, including network-based users.
Could somebody please explain to me the exact composition of both the Users group and the Everyone group and therefore their differences. It's just that there isn't much documentation about these built-in groups (and the info I have found is quite ambiguous to say the least).
In addition, maybe someone could explain how the groups' composition changes depending on whether we are talking about just 1 local computer, a workgroup or a domain environment.
For example, from my readings, it seems that in a domain environment, the "domain users" group is added to the "local users" group, thus allowing domain users to connect to the system over the network.
Also, in addition, in a 1 computer environment, it seems that the "Users" group and the "Everyone" group would pretty much have the same composition (in terms of members).
My thanks in advance.
Mark
The oxen is slow but the earth is patient!!!!
Comments
-
Mishra Member Posts: 2,468 ■■■■□□□□□□
While reviewing the NTFS permissions on my server, I found that the Everyone group has Read and Execute permissions on many files and folders. To tighten security, some publications suggest using the Authenticated Users group instead of the Everyone group. However, I'm not sure how the Authenticated Users group is more secure. What's the difference between the Everyone group and the Authenticated Users group?
The differences between the Everyone, Users, and Authenticated Users groups aren't apparent from the group names. In a nutshell, the Everyone group is the least secure of these groups because it does indeed include everyone. The Everyone group often contains the same set of users as the Users and Authenticated Users groups. However, if you've enabled the Guest account, you'll find that users who have logged on as Guest are members of Everyone but not members of Users or Authenticated Users.
The difference between the Users and Authenticated Users groups is a bit more esoteric. After all, if all users must authenticate, aren't all users authenticated users? If they are, why do you need a different group called Authenticated Users? The answer is that not all members of the Users group are authenticated. Windows networks include the ability to have computer-to-computer connections that involve null sessions. Computers use these sessions to exchange lists of shared folders, printers, and other network resources; workstations use null sessions to connect to domain controllers (DCs) before users authenticate to the domain. (For more information about null sessions, see the Microsoft articles "Local System Account and Null Sessions in Windows NT" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q132679 and "Restricting Information Available to Anonymous Logon Users" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q143474.)
Don't confuse null sessions, which are sometimes called anonymous sessions or anonymous connections, with Anonymous authentication in IIS. These concepts are completely different. Users who use Anonymous authentication to access IIS use the built-in IUSR_computername account and are members of the Everyone, Users, and Authenticated Users groups.
The inclusion of null connections in User group membership represents a security problem. Consequently, Microsoft introduced the Authenticated Users group around the time of Windows NT 4.0 Service Pack 3 (SP3) to include users who have authenticated but exclude null sessions. So, to answer your question, yes—for NTFS permissions, you should use Authenticated Users instead of Everyone.
http://www.windowsitpro.com/Article/ArticleID/23581/23581.html
Second question,
Yes, users are allowed to connect to any Microsoft workstation OS (not server) as basic users.
The everyone group contains guests and the Users group is still a controlled group so they would contain different members. -
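The quoted article's advice to prefer Authenticated Users over Everyone on NTFS permissions can be checked with an audit like the following. This is an added PowerShell example, not part of any post in the thread; the root path `C:\Shares` and the function name `Get-EveryoneAce` are placeholders chosen for illustration.

```powershell
# Added example: list NTFS "Allow" entries granted to Everyone under a folder tree.
# 'C:\Shares' is a placeholder root, not a path taken from the thread.
param([string]$Root = 'C:\Shares')

$EveryoneSid = 'S-1-1-0'   # well-known SID for the Everyone group

function Get-EveryoneAce {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on ${Path}: $($_.Exception.Message)"
        return
    }
    # Request rules keyed by SID so the match does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $EveryoneSid -and
            $rule.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the root itself, then every file and folder below it.
$children = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }
$targets = @($Root) + @($children)

$findings = $targets | ForEach-Object { Get-EveryoneAce -Path $_ }

# Explicit (non-inherited) entries sort first: those are the ACLs that would
# actually be edited, for example by granting the same rights to
# Authenticated Users (S-1-5-11) instead.
$findings | Sort-Object Inherited, Path | Format-Table -AutoSize -Wrap
```

The script only reports; it changes no permissions.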
Magnum2544 Member Posts: 103
Put it this way...
The "Everyone" group is everyone in the human race.
The "Users" group is populated by your control. -
Markie Member Posts: 54 ■■□□□□□□□□
Hi Magnum.
Thanks for your input.
I wish I could say it's as simple as you put it, but I really don't think it is.
This is especially with regards to your statement about the "Users" group.
You see, when you go into computer management (at least on my machine), you'll see that by default, both the "authenticated users" and "interactive" built-in system groups are also included. Thus, it seems the system automatically adds these built-in system groups to the user accounts that may have been created by an administrator (meaning we don't actually have control of the full composition of the group but rather only control of who may be added to the group). It's this distinction that I think makes this group (and its composition) a little confusing.
And thanks to Mishra's post, I suppose we have to throw the "authenticated users" group into the mix as well.
I've got some extra points to make, but as I'm pretty tired, I will leave it until tomorrow.
In the meantime, if anyone else responds to this post, can we please try and focus on the composition (i.e. members) of these groups, rather than the groups' rights.
My thanks again to both you and Mishra.
Mark
The oxen is slow but the earth is patient!!!! -
Mishra Member Posts: 2,468 ■■■■□□□□□□
Markie wrote:
Hi Magnum.
Thanks for your input.
I wish I could say it's as simple as you put it, but I really don't think it is.
This is especially with regards to your statement about the "Users" group.
You see, when you go into computer management (at least on my machine), you'll see that by default, both the "authenticated users" and "interactive" built-in system groups are also included. Thus, it seems the system automatically adds these built-in system groups to the user accounts that may have been created by an administrator (meaning we don't actually have control of the full composition of the group but rather only control of who may be added to the group). It's this distinction that I think makes this group (and its composition) a little confusing.
And thanks to Mishra's post, I suppose we have to throw the "authenticated users" group into the mix as well.
I've got some extra points to make, but as I'm pretty tired, I will leave it until tomorrow.
In the meantime, if anyone else responds to this post, can we please try and focus on the composition (i.e. members) of these groups, rather than the groups' rights.
My thanks again to both you and Mishra.
Mark
"The Everyone group often contains the same set of users as the Users and Authenticated Users groups. However, if you've enabled the Guest account, you'll find that users who have logged on as Guest are members of Everyone but not members of Users or Authenticated Users."
Everyone group contains users/ authenticated users/ and guests. You cannot control who is in this group.
Authenticated Users is everyone who can successfully authenticate against the workgroup or domain except for guests. That means every user you have configured in your domain or workgroup is an authenticated user.
Users defined is anyone who is in the domain user and local users groups.
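The composition question raised in this thread can be checked on a given machine rather than argued from documentation. The following is an added PowerShell example, not part of any post: it lists the members configured on the local Users group and then reports which of the groups discussed here appear in the current logon token. The function name `Get-TokenGroupReport` is hypothetical; the SIDs are the standard well-known values.

```powershell
# Added example: compare configured membership of the local Users group with
# the groups that Windows actually placed in the current logon token.

# Well-known SIDs for the groups discussed in the thread.
$WellKnown = [ordered]@{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-2'      = 'NETWORK'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-TokenGroupReport {
    # Group SIDs carried by the token of the account running this script.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })
    foreach ($sid in $WellKnown.Keys) {
        [pscustomobject]@{
            Group   = $WellKnown[$sid]
            Sid     = $sid
            InToken = $tokenSids -contains $sid
        }
    }
}

# 1. What is configured on the local Users group. Addressing it by SID avoids
#    relying on the localized group name. Entries such as Authenticated Users
#    or INTERACTIVE show up here as members alongside named accounts.
Get-LocalGroupMember -SID 'S-1-5-32-545' |
    Select-Object Name, SID, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. What the current session was actually granted at logon.
Get-TokenGroupReport | Format-Table -AutoSize
```

Running it once from an interactive logon and once under an account that connects over the network (for example through a remote session) shows how the token contents differ by logon type on that system.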