Authenticated Users vs Domain Users!

I need some idea on this. I'm going throw my Local Security Setting on some my server when I noticed that the setting were not the same. In the Policy "Access this computer form the network" and some NTFS permission, some servers restrict the access to Authenticated Users build-in group and some restrict it using Domain Users build-in group! Witch one is the best?

I'm thinking Authenticated Users might be better since it a group that include all my 3 domains users instead of adding each domain to the security policy but I would like to get feedback from AO community.

Thank.

Authenticated users should basically replace anywhere where you used to have "everyone"...
Authenticated users includes any account that has authenticated, including computer accounts (which are often overlooked) for example...


Ammo

Yeah, Domain Users covers USERS of that Domain. I can almost gurantee the Administrator account isnt in the Domain Users group, its in the Domain Admins group...

Whereas, Authenticated Users (definietly replace all occurances of Everyone) covers every user aslong as they have been Authenticated....

Quote:

---

Originally posted here by Double//Cut
Yeah, Domain Users covers USERS of that Domain. I can almost gurantee the Administrator account isnt in the Domain Users group, its in the Domain Admins group...

Whereas, Authenticated Users (definietly replace all occurances of Everyone) covers every user aslong as they have been Authenticated....

---

Domain Users include ALL account from the domaine including all Admin Account.

Quote:

---

Originally posted here by SDK
Domain Users include ALL account from the domaine including all Admin Account.

---

Actually, not necessarily. By default all users are set to 'Primary Group: Domain Users', but if you change a users Primary Group to something else, you can remove the user from 'Domain Users'... not really sure why you would wanna do that though.. but you could.. heh.. !
So I guess 'Authenticated Users' is a safer bet.

A Domain administrator is not an Administrator. The Domain Admin has local Admin privileges on all machines in the domain as well as access to join new machines to the domain and create new accounts in the domain, etc. You can still have regular admin accounts which do not have these 'Domain' rights. The authenticated users will include, as stated machines, as well as local and domain accounts. Domain users are for users who have authed against the/a DC. So generally a network resource that was restricted to users whose machines were joined to the Domain (therefore affected by domain Group Policy), might use Domain Users, but you might use Authenticated users for just a public share on the local machine that didnt neccesarily require the accessing machine to be in the domain, but you just didnt want to use the Everyone access.

-Maestr0

Also, if you want to grant access to all domain workstations to a share (you may need this when using a process running as SYSTEM) there is also a Domain Computers group that can be used for this purpose.