As you stated, in Windows NT there was a special group called the "Everyone" group. This group was essentially comprised of everyone logged on over the network and everyone logged on interactively. In reality, the Everyone group ended up being a big security hole, since in Windows NT, Everyone meant really EVERYONE, including users not authenticated by the domain. Also, administrators could not assign anyone to be a member of the Everyone group. Membership was assigned implicitly (in other words, you do not have control over the membership). In order to protect a specific resource (file, folder, printer), the administrator had to remove the Everyone group from the ACL (Access Control List) for that particular object and give the appropriate user or group specific access.
In the Windows 2000 operating system, groups such as Everyone and Authenticated Users, whose membership is automatically configured by the operating system, are not used to assign permissions. Instead, only those groups whose membership can be controlled by an administrator are used. This does not imply that the Everyone group is no longer a part of Windows 2000, only that you can't assign a user to be a member of the Everyone group.
This table describes which users constitute the default membership in these groups.
| Local Group | Members on Clean-Installed Workstation | Members on Upgraded Workstation | Members on Clean-Installed & Upgraded Server |
|---|---|---|---|
| Power Users | | Authenticated Users, Interactive Users | |
| Users | Authenticated Users, Interactive Users | Authenticated Users, Interactive Users | Authenticated Users, Interactive Users |
The OS handles this issue differently for the different "flavors" of Win2k. On Win2k Professional and Win2k server-based computers, the Authenticated Users group and the Interactive group are added to the Users group. Membership in the Authenticated Users and Interactive groups is automatically controlled by the OS. Unlike in NT, Authenticated Users is the same as the Everyone group except that it does not contain anonymous users. Interactive includes anyone who is logged on to the system locally rather than connected over the network.
There is also a difference between a new install of Windows 2000 and an NT upgrade. When an NT computer is upgraded to Win2k Professional, Authenticated Users and Interactive are added to the Power Users group. For clean-installed workstations and servers, as well as upgraded servers, there are no members of the Power Users group by default. This means that any non-administrative users who log on to a Win2k-based server or a clean-installed Win2k-based workstation will automatically be subject to the secure access control policy granted to Users.
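One way to check for the situation described above, where a resource's ACL grants access directly to a group whose membership the OS assigns implicitly, is to scan the DACL for those trustees. The following is an added example, not part of the original answer; it assumes the security descriptor is available as an SDDL string, and the function name `audit_dacl` and the sample descriptors are constructed for illustration.

```python
import re

# Trustees whose membership Windows assigns implicitly, keyed by SDDL alias and SID.
IMPLICIT = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
}
ACE_RE = re.compile(r"\(([^()]*)\)")


def audit_dacl(sddl):
    """Return allow-ACEs in the DACL that name an implicitly populated group."""
    _, _, dacl = sddl.partition("D:")   # skip the owner and primary group
    dacl = dacl.split("S:", 1)[0]       # drop the SACL (audit ACEs)
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue                    # malformed ACE, ignore
        ace_type, flags, rights, trustee = fields[0], fields[1], fields[2], fields[5]
        if ace_type != "A" or trustee not in IMPLICIT:
            continue                    # only access-allowed ACEs are reported
        flag_codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        findings.append({
            "group": IMPLICIT[trustee],
            "rights": rights,
            "inherited": "ID" in flag_codes,  # inherited: fix at the parent
        })
    return findings


# Constructed sample descriptors (not taken from a real system).
SAMPLES = {
    "nt_style_share": "O:BAG:SYD:(A;OICI;FA;;;WD)",
    "locked_down": "O:BAG:SYD:AI(A;OICI;FA;;;BA)(A;OICIID;0x1200a9;;;BU)",
    "mixed": "D:(A;ID;FR;;;S-1-5-11)(D;;FA;;;AN)S:(AU;FA;FA;;;WD)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        for f in audit_dacl(sddl):
            print(f"{name}: {f['group']} allowed {f['rights']} "
                  f"(inherited={f['inherited']})")
```

Deny ACEs and SACL audit entries that name these groups are intentionally not reported, since they do not grant access.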
This was first published in January 2001