"authenticated users" vs "specific user" question

Discussion:

(too old to reply)

2017-05-19 22:13:21 UTC

Hi All,

W7 pro sp1 x64

I thought understood this, but ...

Okay, I have a series of subdirectories, the root of
which is shared. I only want specific users to be able
to access their named subdirectory.

In the security tab, I have:

authenticated users
specific user name

If I set authenticated to denied and the specific user to
allow all, no one can get into the directory including
Administrator. Can't delete it either (Linux Live can though)

What exactly is an "authenticated user"? And does that
include any users logged in using a shared drive?

My fear is that by allowing Authenticated Users, I
will let all network loggers into the subdirectory.

And, what is the best way to do what I want?

Many thanks,
-T

2017-05-20 00:10:03 UTC

Permalink

Post by T
Hi All,
W7 pro sp1 x64
I thought understood this, but ...
Okay, I have a series of subdirectories, the root of
which is shared. I only want specific users to be able
to access their named subdirectory.
authenticated users
specific user name
If I set authenticated to denied and the specific user to
allow all, no one can get into the directory including
Administrator. Can't delete it either (Linux Live can though)
What exactly is an "authenticated user"? And does that
include any users logged in using a shared drive?
My fear is that by allowing Authenticated Users, I
will let all network loggers into the subdirectory.
And, what is the best way to do what I want?
Many thanks,
-T

The best I have found mirrors what I though it was but
does not explain why the folder is unreadable afterward

http://www.tomshardware.com/forum/225342-46-difference-user-authenticated-user

Any user that authenticates to your computer becomes
a member of the special group authenticated users which
is also a member of the users group. You can use whoami
or gpresult to see all the groups that a logged on users
is a member of. You can not control membership of the
authenticated users group while you can control membership
to the users group. In general I would leave membership
of the users group alone at default levels and instead
create new groups if you want to restrict access to
resources. I don't see an advantage of using one over
the other when you want to grant permissions/privileges
to a broad group if the user group membership is not
messed with. However for instance it is possible to add
guest account to the users group [don't ask me why anyone
would want to do such!]. Because of that many security
guides recommend giving permissions to authenticated
users instead of users.

Paul

2017-05-20 01:16:41 UTC

Permalink

Post by T

The best I have found mirrors what I though it was but
does not explain why the folder is unreadable afterward
http://www.tomshardware.com/forum/225342-46-difference-user-authenticated-user
Any user that authenticates to your computer becomes
a member of the special group authenticated users which
is also a member of the users group. You can use whoami
or gpresult to see all the groups that a logged on users
is a member of. You can not control membership of the
authenticated users group while you can control membership
to the users group. In general I would leave membership
of the users group alone at default levels and instead
create new groups if you want to restrict access to
resources. I don't see an advantage of using one over
the other when you want to grant permissions/privileges
to a broad group if the user group membership is not
messed with. However for instance it is possible to add
guest account to the users group [don't ask me why anyone
would want to do such!]. Because of that many security
guides recommend giving permissions to authenticated
users instead of users.

I'm always on the lookout for utilities that will "explain"
permissions.

I haven't tested this, so you can test it for me, on
your "tough case" :-) There is a free version and a paid
version. The free version may give HTML-style output while
the paid has some sort of CSV option too.

http://cjwdev.co.uk/Software/NtfsReports/Info.html

Sysinternals has "AccessChk", but that will only give you
a headache. That's the kind of utility I normally find
in searches.

Authenticated users might be "Everyone minus Guest". Article here.

http://windowsitpro.com/systems-management/should-you-use-authenticated-users-group

Using "Deny" on file systems, isn't considered (by some)
to be a best practice. Due to the difficulty that
can result from combinations of "Deny plus Inheritance".
The fun begins, when you come back in two years time,
and cannot remember what booby traps you set for yourself.

Paul

2017-05-20 01:32:40 UTC

Permalink

Post by Paul

Post by T

The best I have found mirrors what I though it was but
does not explain why the folder is unreadable afterward
http://www.tomshardware.com/forum/225342-46-difference-user-authenticated-user
Any user that authenticates to your computer becomes
a member of the special group authenticated users which
is also a member of the users group. You can use whoami
or gpresult to see all the groups that a logged on users
is a member of. You can not control membership of the
authenticated users group while you can control membership
to the users group. In general I would leave membership
of the users group alone at default levels and instead
create new groups if you want to restrict access to
resources. I don't see an advantage of using one over
the other when you want to grant permissions/privileges
to a broad group if the user group membership is not
messed with. However for instance it is possible to add
guest account to the users group [don't ask me why anyone
would want to do such!]. Because of that many security
guides recommend giving permissions to authenticated
users instead of users.

I'm always on the lookout for utilities that will "explain"
permissions.
I haven't tested this, so you can test it for me, on
your "tough case" :-) There is a free version and a paid
version. The free version may give HTML-style output while
the paid has some sort of CSV option too.
http://cjwdev.co.uk/Software/NtfsReports/Info.html
Sysinternals has "AccessChk", but that will only give you
a headache. That's the kind of utility I normally find
in searches.
Authenticated users might be "Everyone minus Guest". Article here.
http://windowsitpro.com/systems-management/should-you-use-authenticated-users-group
Using "Deny" on file systems, isn't considered (by some)
to be a best practice. Due to the difficulty that
can result from combinations of "Deny plus Inheritance".
The fun begins, when you come back in two years time,
and cannot remember what booby traps you set for yourself.
Paul

I am going to try just disabling the allows on the folder,
instead of using deny.

B00ze

2017-05-20 04:09:17 UTC

Permalink

Post by T

Post by Paul

Post by T

The best I have found mirrors what I though it was but
does not explain why the folder is unreadable afterward
http://www.tomshardware.com/forum/225342-46-difference-user-authenticated-user
Any user that authenticates to your computer becomes
a member of the special group authenticated users which
is also a member of the users group. You can use whoami
or gpresult to see all the groups that a logged on users
is a member of. You can not control membership of the
authenticated users group while you can control membership
to the users group. In general I would leave membership
of the users group alone at default levels and instead
create new groups if you want to restrict access to
resources. I don't see an advantage of using one over
the other when you want to grant permissions/privileges
to a broad group if the user group membership is not
messed with. However for instance it is possible to add
guest account to the users group [don't ask me why anyone
would want to do such!]. Because of that many security
guides recommend giving permissions to authenticated
users instead of users.

I'm always on the lookout for utilities that will "explain"
permissions.
I haven't tested this, so you can test it for me, on
your "tough case" :-) There is a free version and a paid
version. The free version may give HTML-style output while
the paid has some sort of CSV option too.
http://cjwdev.co.uk/Software/NtfsReports/Info.html
Sysinternals has "AccessChk", but that will only give you
a headache. That's the kind of utility I normally find
in searches.
Authenticated users might be "Everyone minus Guest". Article here.
http://windowsitpro.com/systems-management/should-you-use-authenticated-users-group
Using "Deny" on file systems, isn't considered (by some)
to be a best practice. Due to the difficulty that
can result from combinations of "Deny plus Inheritance".
The fun begins, when you come back in two years time,
and cannot remember what booby traps you set for yourself.
Paul

I am going to try just disabling the allows on the folder,
instead of using deny.

Paul's right, Deny is really powerful but it gets complicated fast.
Authenticated Users is anyone your computer knows (and if it is part of
a domain then everyone in the domain) except guests. Since Deny trumps
Allow, denying Authenticated Users means you allow guests but no one
else. You don't have to Deny btw; if this is a private folder for 1
person, just remove all inherited permissions and give Full or Modify to
the one user - no one else will be able to read it.

Best Regards,

--
! _\|/_ Sylvain / ***@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Beauty is in the eye of the beer holder.

VanguardLH

2017-05-20 03:06:51 UTC

Permalink

Post by T
W7 pro sp1 x64
I thought understood this, but ...
Okay, I have a series of subdirectories, the root of
which is shared. I only want specific users to be able
to access their named subdirectory.
authenticated users
specific user name
If I set authenticated to denied and the specific user to
allow all, no one can get into the directory including
Administrator. Can't delete it either (Linux Live can though)
What exactly is an "authenticated user"? And does that
include any users logged in using a shared drive?
My fear is that by allowing Authenticated Users, I
will let all network loggers into the subdirectory.
And, what is the best way to do what I want?
Many thanks,
-T

Security *groups* can overlap on their permissions while some have a
subset of permissions from another. Your specific user (Windows
account) has to be assigned to a security group. Run:

control.exe userpasswords2

Alas, I'm on a Home Premium edition of Windows 7 and that kills off much
of the other security admin functions. When I try to get to some
security apps, I'm greeted a some message telling me it is not
available. As a consequence, I cannot see the overlap in permissions
between the different security groups.

My guess is your specific user (Windows account) is in a security group
which is a subset (child) of the Authenticated Users security group. A
Windows account can be assigned to multiple security groups. Security
groups can be a subset of another.

There are only 2 real hives in the registry. The others that you are
are pseudo-hives: they are a compilation of settings from the 2 real
hives. Similarly, Authenticated Users is not a true security group.

http://windowsitpro.com/systems-management/understanding-authenticated-users-group
https://blog.varonis.com/the-difference-between-everyone-and-authenticated-users/

Saying that you added a Windows account to have permissions on a folder
doesn't say what permissions that account was given on that object nor
does it say you recursed those permissions to its child objects (files
and subfolders).

Also, for each "named subdirectory", did you assign that folder as being
owned by the associated Windows account for that user? And recurse that
permissions into its children?

For the parent (root) folder, did you add the Everyone pseudo security
group so all those visitors can then navigate to a child folder (by the
name of that visitor)? For the subfolders (by the name of the visitor),
how are you going to add their Windows account to have all permissions
if that Windows account is not defined on the host doing the sharing?
Or, when you add "specific user", are you specifying their hostname when
you add that account from the other host? On the host where you are
changing permissions for a subfolder under your root folder, are you
adding "theirComputerName_sharingFrom\theirAccountName_sharingFrom" to
grant their access here from their host? Or did you create an account
on your root folder host for each of those visitors with the same
Windows account name and permissions as for the Windows account under
which they log onto their host (so you could then just use the local
Windows account to allow their remote connect)?

Deny permissions are not the exact converse of Allow permissions. Also,
depending on how to added permissions to the subfolders, they may be
authenticated users but you chose to deny their access. You overrode
the specific user by denying them since they are also an authenticated
user.

http://www.ntfs.com/ntfs-permissions-allow.htm

2017-05-27 21:15:17 UTC

Permalink

Follow up:

I was at the customer's site yesterday and fussed with
this. I had to leave Authenticated uses on or
the folder was locked out. And leaving it on, every
authenticated user could see the folder. So poop!

Then it occurred to me, I clicked on Authenticated User
and pressed "remove". Then I set only the user and
Administrator to have access. Worked like a charm.

Thank you all for the tips and suggestions!

-T