Q: What's the scope of the built-in Authenticated Users group in a multi-forest Active Directory (AD) environment? When I reference the Authenticated Users in the permissions of an object, will these permissions also automatically apply to the Authenticated Users groups of the other forests that are linked to the forest that's hosting the object?

A: When setting up a trust between two forests, the reach of the Authenticated Users group is instantly expanded to include the trusting domains. This means that, by default, users from the trusted domains have access to any servers and data in the trusting domain that are authorized for authenticated users. This includes read access to most objects in the foreign AD.

Authenticated Users can be viewed as a dynamic group that users are added to after they've successfully authenticated themselves to their home domain. After a successful logon, Windows automatically adds the Authenticated Users SID to a user's access token. This SID is also honored in any trusting domain when a foreign user crosses a trust, which explains the expansion of the Authenticated Users' scope.

The type of trust also influences this scope, as illustrated in the three examples shown here. In examples 1 and 2, an external trust has been configured between the root domains of forests A and B. Because there are no other trusts to domains in Forest B, the scope of Authenticated Users is only extended for Domain 1 in Forest A to include users from the root domain of Forest B.

Click to expand.

Due to the transitive nature of a Windows Server 2003 forest trust (as used in example 3), the Authenticated Users scope is extended for any domain in Forest A to include users from any domain in Forest B. Microsoft introduced forest trust is in Windows Server 2003. See this Microsoft site for more on forest trusts.

Related Reading: