Understanding the Authenticated Users Group
Learn which accounts belong to Authenticated Users and discover alternative methods for granting access to resources.
October 24, 2005
Are accounts such as ASPNET, IWAM_machine_name, and IUSR_machine_name members of the Authenticated Users group?
Authenticated Users isn't a true group—it's a special security principal that specifies any session that's been authenticated using some account, such as a local SAM account, domain account, or account from any trusted domain. So Authenticated Users does include the accounts you mention.
Microsoft created the Authenticated Users group in response to fears that Anonymous logons could gain access to objects for which Everyone (another special security principal) has access. I don't recommend using the Authenticated Users group for controlling permissions because it includes local accounts, which are a bad practice to use because you can't centrally manage them at the domain level, and they use NT LAN Manager (NTLM) authentication rather than the stronger Kerberos. Also, the membership of Authenticated Users changes dynamically when you create a trust to another domain. When you want to give all users in a domain access to a resource, I recommend that you use the Domain Users group, which limits membership to the domain. If you need to give all users in a forest access to a resource, create a universal scope group called Forest Users and add each domain's Domain Users group as a member.
—Randy Franklin Smith
About the Author
You May Also Like