Categories: Windows Server

SOLVED: Can't Find AUTHENTICATED USERS in Active Directory & Can't Add It To Security Groups

“Authenticated Users” is a special built-in group in Active Directory. It does not exist as a typical group with one of the scopes shown in the Group Scope table below. This group includes all users who have a password in the Active Directory domain or in a trusted domain.

To be clear, Authenticated Users contains all manually created user accounts in all trusted domains, regardless of whether they are a member of the Domain Users group or not. Authenticated Users specifically does not contain the built-in Guest account, but it will contain other users that were created and added to Domain Guests.

By design, “Authenticated Users” cannot be added to user-created groups. It can only be added to built-in groups. Instead, you assign “Authenticated Users” permissions directly to each resource (a file share, an NTFS folder, a printer, and so on). This works because any account with a password is part of “Authenticated Users”, so the identity is available when applying permissions directly to an object, and it can also be placed in local computer groups.


Group Scope table (Scope, Possible members, Scope conversion, Can grant permissions, Possible member of):

Universal
  Possible members: accounts from any domain in the same forest; Global groups from any domain in the same forest; other Universal groups from any domain in the same forest
  Scope conversion: can be converted to Domain Local scope if the group isn't a member of any other Universal group; can be converted to Global scope if the group doesn't contain any other Universal group
  Can grant permissions: on any domain in the same forest or trusting forests
  Possible member of: other Universal groups in the same forest; Domain Local groups in the same forest or trusting forests; local groups on computers in the same forest or trusting forests

Global
  Possible members: accounts from the same domain; other Global groups from the same domain
  Scope conversion: can be converted to Universal scope if the group isn't a member of any other Global group
  Can grant permissions: on any domain in the same forest, or trusting domains or forests
  Possible member of: Universal groups from any domain in the same forest; other Global groups from the same domain; Domain Local groups from any domain in the same forest, or from any trusting domain

Domain Local
  Possible members: accounts from any domain or any trusted domain; Global groups from any domain or any trusted domain; Universal groups from any domain in the same forest; other Domain Local groups from the same domain; accounts, Global groups, and Universal groups from other forests and from external domains
  Scope conversion: can be converted to Universal scope if the group doesn't contain any other Domain Local group
  Can grant permissions: within the same domain
  Possible member of: other Domain Local groups from the same domain; local groups on computers in the same domain, excluding built-in groups that have well-known security identifiers (SIDs)

Source: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups


What is a Special Identity Group?

Officially, Microsoft calls the built-in groups that you can't edit “Special Identity Groups”, and here is a complete list of them:

What's The Difference Between Everyone & Authenticated Users?

Put simply, Everyone excludes no one, including users that do not have an Active Directory account.

For instance, imagine an FTP site set up in IIS that is restricted to AUTHENTICATED USERS; it would not allow anonymous access. Another scenario we have run into several times is having Linux machines contact Windows shares. If the share is set to allow Everyone to connect, Linux will not have problems, but if it is set to Authenticated Users, those connecting from Linux will need to use Windows credentials.
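The direct-permission approach from the earlier section and the Everyone versus Authenticated Users distinction, as an added PowerShell example that is not part of the original post: it grants Authenticated Users read access straight on a folder's NTFS ACL, then audits the ACL and flags any entry granted to Everyone (which also covers anonymous callers). The folder path is a constructed placeholder, and both identities are resolved by well-known SID so the script does not depend on the display-language names.

```powershell
# Added example, not from the original post. Folder path is a placeholder.
$FolderPath = 'C:\Shares\Projects'

# Resolve the special identities by well-known SID (S-1-5-11 and S-1-1-0)
# rather than by localized display name.
$AuthUsers = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$Everyone  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

if (-not (Test-Path -LiteralPath $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}

# ACE: Authenticated Users get Read & Execute on the folder, its subfolders
# and its files. This is the "assign it directly to the resource" pattern.
$Ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $AuthUsers,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$Acl = Get-Acl -LiteralPath $FolderPath
$Acl.AddAccessRule($Ace)
Set-Acl -LiteralPath $FolderPath -AclObject $Acl

# Audit: re-read the ACL and report entries for the two special identities.
# Get-Acl returns each IdentityReference as an NTAccount, so translate it to
# a SID before comparing; a match on Everyone is the one to look at, because
# that entry also applies to callers who never authenticated.
$Acl = Get-Acl -LiteralPath $FolderPath
foreach ($Rule in $Acl.Access) {
    $Sid = $Rule.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier])
    if ($Sid.Value -eq $Everyone.Value) {
        Write-Warning ("Everyone {0}: {1} (includes anonymous access)" -f
            $Rule.AccessControlType, $Rule.FileSystemRights)
    }
    elseif ($Sid.Value -eq $AuthUsers.Value) {
        Write-Output ("Authenticated Users {0}: {1}" -f
            $Rule.AccessControlType, $Rule.FileSystemRights)
    }
}
```

Run it in an elevated PowerShell session on the file server; the same audit loop can be pointed at any existing share folder to find Everyone entries that should be Authenticated Users.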


Published by
Ian Matthews
