Q

NT "Everyone" group and user group configuration for Win2k

Windows NT defined a special group called the "Everyone" group. This proved to be a big security risk, since everyone was a member of this group, even non-authenticated members of the domain, therefore allowing anyone and everyone access. Does Windows 2000 have the same problem? What is the user group configuration in Windows 2000?

As you stated, in Windows NT there was a special group called the "Everyone" group. This group was essentially comprised of everyone logged on over the network and everyone logged on interactively. In reality, the Everyone group ended up being a big security hole, since in Windows NT, Everyone meant really EVERYONE, including users not authenticated by the domain. Also, administrators could not assign anyone to be a member of the Everyone group. Membership was assigned implicitly (in other words, you do not have control over the membership). In order to protect a specific resource (file, folder, printer), the administrator had to remove the Everyone group from the ACL (Access Control List) for that particular object and give the appropriate user or group specific access.

In the Windows 2000 operating system, groups such as Everyone and Authenticated Users, whose membership is automatically configured by the operating system, are not used to assign permissions. Instead, only those groups whose membership can be controlled by an administrator are used. This does not imply that the Everyone group is no longer a part of Windows 2000, only that you can't assign a user to be a member of the Everyone group.

This table describes which users constitute the default membership in these groups.

| Local Group | Members on Clean-Installed Workstation | Members on Upgraded Workstation | Members on Clean-Installed & Upgraded Server |
|---|---|---|---|
| Administrators | Administrator | Administrator | Administrator |
| Power Users | | Authenticated Users, Interactive Users | |
| Users | Authenticated Users, Interactive Users | Authenticated Users, Interactive Users | Authenticated Users, Interactive Users |

The OS handles this issue differently for the different "flavors" of Win2k. On Win2k Professional and Win2k server-based computers, the Authenticated Users group and the Interactive group are added to the Users group. Membership in the Authenticated Users and Interactive groups is automatically controlled by the OS. Unlike NT, Authenticated Users is the same as the Everyone group except it does not contain anonymous users. Interactive includes anyone who is locally logged on to the system rather than connected over the network.

There is also a difference between a new install of Windows 2000 and an NT upgrade. When an NT computer is upgraded to Win2k Professional, Authenticated Users and Interactive are added to the Power Users group. For clean-installed workstations and servers, as well as upgraded servers, there are no members of the Power Users group by default. This means that any non-administrative users that log on to a Win2k-based server, or a clean-installed Win2k-based workstation will automatically be subject to the secure access control policy granted to Users.

This was first published in January 2001
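An added example, not part of the original answer: a Python sketch that scans SDDL security-descriptor strings for allow ACEs granted to Everyone (SDDL alias `WD`) or Anonymous Logon (`AN`), the kind of ACL entry the answer says an administrator had to remove. The paths and SDDL strings are constructed samples, and the function names are hypothetical.

```python
import re

# SDDL aliases for the implicit (OS-controlled) groups discussed above.
IMPLICIT = {"WD": "Everyone", "AN": "Anonymous Logon",
            "AU": "Authenticated Users", "IU": "Interactive"}
# Groups that, per the answer, can include users not authenticated by the domain.
UNAUTHENTICATED = {"WD", "AN"}

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) tuples from the D: (DACL) section only."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []  # no DACL section, or a DACL with no ACEs
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) >= 6:  # type;flags;rights;object;inherit_object;trustee
            aces.append((f[0], f[2], f[5]))
    return aces

def audit(name, sddl):
    """List allow ACEs whose trustee may include unauthenticated users."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        # Deny ("D") ACEs for these groups restrict access, so only allow ("A") is flagged.
        if ace_type == "A" and trustee in UNAUTHENTICATED:
            findings.append(f"{name}: allow {rights} to {IMPLICIT[trustee]}")
    return findings

# Constructed sample descriptors (not taken from any real system).
SAMPLES = {
    r"C:\Payroll": "O:BAG:SYD:(A;;FA;;;BA)(A;OICI;FA;;;WD)",
    r"C:\Shared": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)",
    # Deny for Anonymous plus an audit ACE for Everyone in the SACL: neither grants access.
    r"C:\Locked": "O:BAG:SYD:(D;;FA;;;AN)(A;;FR;;;BU)S:(AU;FA;FA;;;WD)",
}

def audit_all(samples=SAMPLES):
    """Run the audit over every sample and return all findings in order."""
    return [line for name, sddl in samples.items() for line in audit(name, sddl)]

if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Only the DACL is inspected, so the audit ACE for Everyone in the third sample's SACL is ignored.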
