Computer Accounts in the Authenticated Users Group

Q: Does the Authenticated Users group include the computer accounts in a domain? Is that how Group Policy Objects (GPOs) with default security filtering are able to be applied to only organizational units (OU) containing computer accounts?  

A: The Authenticated Users group does include computer accounts, but isn’t a group per se. The Authenticated Users group is one of several security principals in Windows that correspond with certain roles, types of logon sessions, and so on. (For a list of all security principals, see the Microsoft article "Well-known security identifiers in Windows operating systems" at http://support.microsoft.com/kb/243330.) Each security principal has a corresponding SID. Whenever a user or computer account logs on, Windows determines all of the security principals that apply to that logon session and adds the security principals' corresponding SIDs (as well as the SID of the account itself and of actual groups of which the account is a member) to the logon session’s access token. For more information about security principals, see the Windows IT Security article, "Understanding Well-Known Security Principals, Part 1," November 2006, InstantDoc ID 47857.

At any rate, you are correct. When you create a new GPO, its default security permissions grant the Authenticated Users group Read and Apply Group Policy access. That’s why a GPO linked to an OU automatically applies to all user and computer accounts in that OU unless you change the permissions on the GPO and restrict either Read or Apply Group Policy to only certain accounts.