Ask the Expert

NT "Everyone" group and user group configuration for Win2k

Windows NT defined a special group called the "Everyone" group. This proved to be a big security risk, since everyone was a member of this group, even non-authenticated members of the domain, therefore allowing anyone and everyone access. Does Windows 2000 have the same problem? What is the user group configuration in Windows 2000?

As you stated, in Windows NT there was a special group called the "Everyone" group. This group was essentially comprised of everyone logged on over the network and everyone logged on interactively. In reality, the Everyone group ended up being a big security hole, since in Windows NT, Everyone meant really EVERYONE, including users not authenticated by the domain. Also, administrators could not assign anyone to be a member of the Everyone group. Membership was assigned implicitly (in other words, you do not have control over the membership). In order to protect a specific resource (file, folder, printer), the administrator had to remove the Everyone group from the ACL (Access Control List) for that particular object and give the appropriate user or group specific access.

In the Windows 2000 operating system, groups such as Everyone and Authenticated Users, whose membership is automatically configured by the operating system, are not used to assign permissions. Instead, only those groups whose membership can be controlled by an administrator are used. This does not imply that the Everyone group is no longer a part of Windows 2000, only that you can't assign a user to be a member of the Everyone group.

This table describes which users constitute the default membership in these groups.

| Local Group | Members on Clean-Installed Workstation | Members on Upgraded Workstation | Members on Clean-Installed & Upgraded Server |
| --- | --- | --- | --- |
| Administrators | Administrator | Administrator | Administrator |
| Power Users | (none) | Authenticated Users, Interactive Users | (none) |
| Users | Authenticated Users, Interactive Users | Authenticated Users, Interactive Users | Authenticated Users, Interactive Users |

The OS handles this issue differently for the different "flavors" of Win2k. On Win2k Professional and Win2k Server-based computers, the Authenticated Users group and the Interactive group are added to the Users group. Membership in the Authenticated Users and Interactive groups is automatically controlled by the OS. Unlike NT, Authenticated Users is the same as the Everyone group except that it does not contain anonymous users. Interactive includes anyone who is locally logged on to the system rather than connected over the network.

There is also a difference between a new install of Windows 2000 and an NT upgrade. When an NT computer is upgraded to Win2k Professional, Authenticated Users and Interactive are added to the Power Users group. For clean-installed workstations and servers, as well as upgraded servers, there are no members of the Power Users group by default. This means that any non-administrative users who log on to a Win2k-based server or a clean-installed Win2k-based workstation will automatically be subject to the secure access control policy granted to Users.

This was first published in January 2001
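
One way to check a workstation for the upgrade case described above, as an added example that is not part of the original answer: the Python below parses the text printed by `net localgroup "Power Users"` and reports any OS-controlled groups among the members. It assumes English-language command output; the two sample outputs and the function names are constructed for illustration.

```python
import re

# Groups whose membership the OS assigns implicitly (the ones named on this page).
IMPLICIT = {"everyone", "authenticated users", "interactive"}

def parse_members(net_output):
    """Return the member names listed in `net localgroup <group>` text output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):   # the dashed rule precedes the member list
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break                          # trailer line ends the list
        members.append(line)
    return members

def implicit_members(net_output):
    """Members that are OS-controlled groups rather than admin-managed accounts."""
    flagged = []
    for member in parse_members(net_output):
        name = member.split("\\")[-1].strip().lower()  # drop an authority prefix
        if name in IMPLICIT:
            flagged.append(member)
    return flagged

# Constructed sample: workstation upgraded from NT (Power Users is populated).
UPGRADED = r"""Alias name     Power Users
Comment        Constructed sample output

Members

-------------------------------------------------------------------------------
alice
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.
"""

# Constructed sample: clean install (Power Users has no members).
CLEAN = r"""Alias name     Power Users
Comment        Constructed sample output

Members

-------------------------------------------------------------------------------
The command completed successfully.
"""

if __name__ == "__main__":
    for label, text in (("upgraded", UPGRADED), ("clean", CLEAN)):
        print(label, "->", implicit_members(text) or "no implicit groups")
```

A non-empty result for Power Users means ordinary logged-on users hold Power Users rights on that machine instead of the more restrictive Users policy.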
