Q: What are the differences between the Authenticated Users group and the Everyone group? Does it matter which one I choose when setting permissions on my Windows resources? Are there any changes regarding these groups’ memberships in Windows XP SP2 and Windows Server 2003?

A: Both the Authenticated Users and Everyone groups are built-in (predefined) Windows groups whose membership the Windows OS controls automatically. The Authenticated Users group covers all users who have authenticated to the Windows OS with a valid set of user credentials. In a multiforest Active Directory (AD) environment, Authenticated Users includes not only all users with valid credentials in the local forest and its domains, but also users from other forests who access resources in the local forest with valid credentials through a forest trust or an external (inter-forest) trust relationship.

The Everyone group is a superset of the Authenticated Users group. It includes the Authenticated Users group and the Guest account. An important difference between the Everyone and Authenticated Users groups lies in their Guest and Anonymous accounts’ membership (this is summarized in Table 1, below).

In a Windows 2000 AD and on XP, the Guest account is automatically a member of both Everyone and Authenticated Users. In Windows 2003 AD and on XP SP2 this is true only for the Everyone group.

In a Win2K AD and on XP, the Anonymous account is automatically a member of the Everyone group, but not Authenticated Users. In a Windows 2003 AD and on XP SP2, the Anonymous account is neither a member of Authenticated Users, nor by default a member of Everyone. It is only a member if the following security policy setting is enabled: “Network Access: Let Everyone permissions apply to anonymous users.” This setting can also be controlled using the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous (REG_DWORD). If this key is set to 1, the Anonymous account will be a member of the Everyone group.

In summary, on XP SP2 and Server 2003 the Everyone and Authenticated Users groups no longer differ in their Anonymous membership: neither includes the Anonymous account (unless you enable the policy or registry setting above). They still differ in their Guest membership: Guest is a member of the Everyone group but not of the Authenticated Users group.
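The following PowerShell script is an added example, not code from the original article. It audits the behaviour described above on the local machine: it reads the EveryoneIncludesAnonymous value under the registry key named in the answer, confirms the well-known SIDs behind Everyone, Authenticated Users and ANONYMOUS LOGON, and lists which of those groups the current logon token actually carries. It assumes Windows PowerShell on a host where the registry path from the article exists and the caller can read HKLM; the SID values are Microsoft's documented well-known SIDs, not machine-specific data.

```powershell
# Added example (not from the original article): report whether the Anonymous
# logon is being folded into the Everyone group on this machine, and show the
# well-known SIDs behind the groups the article discusses.
# Assumes Windows PowerShell with read access to HKLM. The registry path is the
# one named in the article; the SIDs are Microsoft's documented well-known SIDs.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Well-known SIDs (documented by Microsoft, identical on every Windows host)
$wellKnown = @{
    'Everyone'                         = 'S-1-1-0'
    'NT AUTHORITY\Authenticated Users' = 'S-1-5-11'
    'NT AUTHORITY\ANONYMOUS LOGON'     = 'S-1-5-7'
}

function Get-EveryoneIncludesAnonymous {
    # Returns $true when "Network access: Let Everyone permissions apply to
    # anonymous users" is enabled (EveryoneIncludesAnonymous REG_DWORD = 1).
    # A missing value is treated as 0 (disabled), the XP SP2 / Server 2003 default.
    $item = Get-ItemProperty -Path $lsaKey -Name 'EveryoneIncludesAnonymous' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.EveryoneIncludesAnonymous -eq 1)
}

function Test-WellKnownSid {
    # Confirms that a friendly account name resolves to the expected well-known SID
    param([string]$Name, [string]$ExpectedSid)
    $account = New-Object System.Security.Principal.NTAccount($Name)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($sid -eq $ExpectedSid)
}

if (Get-EveryoneIncludesAnonymous) {
    Write-Output 'EveryoneIncludesAnonymous = 1: ANONYMOUS LOGON is a member of Everyone on this host (review this setting).'
} else {
    Write-Output 'EveryoneIncludesAnonymous is 0 or absent: ANONYMOUS LOGON is not a member of Everyone on this host.'
}

foreach ($entry in $wellKnown.GetEnumerator()) {
    $ok = Test-WellKnownSid -Name $entry.Key -ExpectedSid $entry.Value
    Write-Output ('{0,-36} {1,-10} resolves as expected: {2}' -f $entry.Key, $entry.Value, $ok)
}

# Groups carried by the current logon token. For any interactive, authenticated
# logon both S-1-1-0 (Everyone) and S-1-5-11 (Authenticated Users) appear here;
# S-1-5-7 (ANONYMOUS LOGON) should not.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
foreach ($groupSid in $token.Groups) {
    if ($wellKnown.ContainsValue($groupSid.Value)) {
        Write-Output ('Current token carries {0}' -f $groupSid.Value)
    }
}
```

Matching by SID rather than by display name is deliberate: the localized names of these groups differ between language versions of Windows, while the well-known SIDs do not.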

The Everyone group is useful for applying permissions and controlling access to resources that should be accessible by anyone. The Everyone group has one important drawback: it includes the Guest account (on all Windows versions) and, on versions before XP SP2 and Windows 2003, the Anonymous account as well.

In circumstances in which you want to grant permissions to everyone except the Guest and Anonymous users, you must use the Authenticated Users group. Microsoft introduced the Authenticated Users group in Win2K. As explained above, Authenticated Users is similar to Everyone except that it excludes the Guest account (on all versions except Win2K and XP, where Guest is also a member of Authenticated Users) and the Anonymous account (on all Windows versions). Authenticated Users includes all users whose credentials have been validated by the Windows OS security mechanisms. That's why, if you want to restrict access to a resource to only those users who have valid, non-Guest and non-Anonymous accounts, you must use Authenticated Users instead of Everyone.
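The following PowerShell script is an added example, not code from the original article. It applies the advice above to NTFS permissions: it walks a folder tree, reports every explicit ACE that grants access to Everyone, and, when run with -Remediate, rewrites each Allow ACE so that the same rights go to Authenticated Users instead, so Guest and Anonymous no longer obtain access through Everyone. Deny ACEs for Everyone are reported but left alone, because narrowing a Deny entry would loosen, not tighten, the resource's protection. It assumes PowerShell 3.0 or later and NTFS paths; C:\Shares\Reports is a placeholder root, not a path from the article.

```powershell
# Added example (not from the original article): audit a folder tree for ACEs
# granted to Everyone and optionally move those grants to Authenticated Users.
# Assumes PowerShell 3.0+ (Get-ChildItem -Directory) and NTFS volumes.
param(
    [string]$Root = 'C:\Shares\Reports',   # hypothetical placeholder path
    [switch]$Remediate                     # without this switch the script only reports
)

# Identify the groups by well-known SID, not by (localizable) display name
$everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$authUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

function Get-EveryoneAces {
    # Returns the explicit (non-inherited) ACEs on $Path whose trustee is Everyone
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone }
}

function Convert-EveryoneToAuthenticatedUsers {
    # Replaces each explicit Allow ACE for Everyone with an identical ACE for
    # Authenticated Users (same rights, inheritance and propagation flags).
    # Deny ACEs are intentionally untouched. Returns the number of ACEs replaced.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $rules = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone -and
                       $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow })
    foreach ($rule in $rules) {
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $authUsers, $rule.FileSystemRights, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)
        [void]$acl.RemoveAccessRule($rule)
        $acl.AddAccessRule($replacement)
    }
    if ($rules.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $rules.Count
}

$targets = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Directory)
foreach ($dir in $targets) {
    $aces = @(Get-EveryoneAces -Path $dir.FullName)
    if ($aces.Count -eq 0) { continue }
    foreach ($ace in $aces) {
        Write-Output ('{0}: Everyone {1} {2}' -f $dir.FullName, $ace.AccessControlType, $ace.FileSystemRights)
    }
    if ($Remediate) {
        $n = Convert-EveryoneToAuthenticatedUsers -Path $dir.FullName
        Write-Output ('  replaced {0} Allow ACE(s) with Authenticated Users' -f $n)
    }
}
```

Run it once without -Remediate to review the report, then again with -Remediate once you are satisfied that no resource in the tree is meant to be reachable by Guest or Anonymous callers. Only explicit ACEs are examined; inherited entries are fixed by running the script against the folder where they originate.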

Table 1: Default Memberships of Everyone and Authenticated Users Groups

| | Everyone | Authenticated Users |
|---|---|---|
| All users in domain | Yes | Yes |
| All users in forest | Yes | Yes |
| All users in trusted domains and forests | Yes | Yes |
| Guest | Yes | Only in a Windows 2000 AD and on Windows XP; not in a Windows Server 2003 AD and on Windows XP SP2 |
| Anonymous | Only in a Windows 2000 AD and on Windows XP; not in a Windows Server 2003 AD and on Windows XP SP2 | No |

Learn more from "Q: What's the scope of the built-in Authenticated Users group in a multi-forest Active Directory (AD) environment?" November 2009.