Everyone group: Who belongs?

[Irongeek]

Ok, I’ve Googled for, but I’m not getting what I’m looking for. It seems, as I remember from playing with it, that if you grant the Everyone group access to a share on a box that’s part of a domain the only folks that can access it are those that are authenticated to the box’s domain (or a trusted domain). If the box is not a part of a domain, anyone can access it if you give rights to the Everyone group.

Is this standard? Or is my environment non-standard and this is being set by a GPO or something (Maybe by setting the reg key EveryoneIncludesAnonymous).


The gist is this, I’m confused about who belongs to the Everyone group in different cases. Care to enlighten me?

[Egaladeist]

Hi Irongeek,

Change Everyone Group to Authenticated Users

Security in Microsoft Windows is assigned to users based on a group that a user belongs to. By default Microsoft Windows has a group called everyone. The "everyone" group refers to all users of the computer.
Our Recommendation:

The "everyone" user group should be disabled to prevent system resources being accessed by all users. The Computer Security Tool will remove the everyone group and ensure that only people with a valid username and password are allowed to authenticate to the computer. This means that in order for a person to access this computer they will need a username and password. This can be done in from the control panel Users icon.
Benefit When Secure:

Removing the "everyone" reduces the risk of unauthorized access to computer resources.

Important:

This task is for ADVANCED users only who are aware of the implications of removing the “everyone” group. This task will take approximately 1 hour to complete.

If resources on this computer are shared with non authenticated users, removing the “everyone group” may block this access.

http://www.computersecuritytool.com/...one_group.html
Computer security, Disable the Everyone Group

Hope this helps!

Eg

[Egaladeist]

Hi Irongeek,

This might help you too...

http://search.microsoft.com/search/r...Everyone+Group
Search Results

Eg

[Irongeek]

Thanks for trying, but not quite the explanation I'm looking for. It may just come down to me doing some testing.

[HTRegz]

Hey Hey,

I think that the MS Search link that Eg posted (second link on the search page) may be of some assistance to you, along with this article.

http://www.microsoft.com/technet/pro...6f8e548d5.mspx

A Change was made between Server 2000 and Server 2003. With a domain running server 2000 the Everyone Group means that even Anonymous Users have access. With Server 2003 this is changed and the Everyone Group no longer allows anonymous access

Anyone who accesses a computer and its resources through the network without an account name, password, or domain is a member of the Anonymous Logon built-in security group. In previous versions of Windows, members of the Anonymous Logon security group had access to many resources, due to membership of the Everyone group. Because Administrators did not realize that anonymous users were members of the Everyone group they might have inadvertently granted them access to resources only intended for authenticated users.

Depending on the OS you're dealing with, I've got a Server 2000 Bible laying around, I can dust it off if you want a more detailed description of how it works with server 2000.

Peace,
HT

[nihil]

HTRegz is absolutely spot on with Windows 2000 Pro/Server (I have both). By default, everyone is literally that: "every tom, dick and harry"................even Saddam

I am afraid that I don't know 2003Server.

[Irongeek]

Ok, I’ve did some playing with it and I still don’t have quite the info I’m looking for. I have two computers, lets call them:

Dwork = Domainworkstation
Swork = Stand alone workstation (not a part of any domain)

I set up a share on both and gave the every one group full rights on both the share and file system levels. If I try to access \\Dwork\test from Swork I get prompted for a password (even if I just try for \\Dwork it still asks for a password). If I try to access \\Swork\test from Dwork it opens up no problem and I can make changes to the file system.

The EveryoneIncludesAnonymous setting is the same on both boxes so I still don’t really have what I’m looking for. Just want to know under different circumstances who belongs to Everyone.

[Negative]

If I'm correct, accounts that currently belong to the domain get assigned automatically to the Everyone group. In Win2k, this group will automatically have Full Control (in 2003, it's only Read). I would think that if you're setting rights for Everyone on Swork, you're not doing anything (since it's not part of a domain, accounts logging on to Swork won't belong to Everyone)? This would explain why, if you try accessing Dwork from Swork, you're prompted for a password (you're not part of Everyone); the other way around, you won't...

[cacosapo]

Originally posted here by Negative
If I'm correct, accounts that currently belong to the domain get assigned automatically to the Everyone group.

AFAIK, the group that all domains accounts get is "Domain Users".
Everyone is a group that means "all accounts, including those not authenticated by domain".
HT already mencioned the difererences between W2K and W2K3 about "anonymous" behavior.

Irongeek: please check when you are joining a station to a domain, the "allow anonymous connections' may be being changed, like anonymous account may be being disabled. So that is the diference (perhaps).

[Irongeek]

Originally posted here by cacosapo
AFAIK, the group that all domains accounts get is "Domain Users".
Everyone is a group that means "all accounts, including those not authenticated by domain".
HT already mencioned the difererences between W2K and W2K3 about "anonymous" behavior.

Irongeek: please check when you are joining a station to a domain, the "allow anonymous connections' may be being changed, like anonymous account may be being disabled. So that is the diference (perhaps).

I checked, "Network access: Let Everyone permissions apply to anonymous users" is set to disabled on both.