Special OS, AD Accounts and SQL Server



Windows has a few special built-in accounts and groups, and so does Active Directory.

Unfortunately, how to reference those accounts within SQL Server is not always easy to find.


Account & Group Names

SAM Account

The SAM Database is the database that houses the local computer’s users and groups.


| Account | What does it mean? | Account Name in SQL Server | Create Login |
| --- | --- | --- | --- |
| Everyone | All interactive, network, dial-up, and authenticated users are members of the Everyone group. | `\EVERYONE` | `CREATE LOGIN [\Everyone] FROM WINDOWS` |
| Authenticated Users | Any user accessing the system through a logon process has the Authenticated Users identity. | `NT AUTHORITY\Authenticated Users` | `CREATE LOGIN [NT AUTHORITY\Authenticated Users] FROM WINDOWS` |




Active Directory Domain

| Account | What does it mean? | Account Name in SQL Server | Create Login |
| --- | --- | --- | --- |
| Domain Users | | `<domain-name>\Domain Users` | `CREATE LOGIN [<domain-name>\Domain Users] FROM WINDOWS` |





Authenticated Users

Randy Franklin Smith

  1. Understanding the Authenticated Users Group

    Microsoft created the Authenticated Users group in response to fears that Anonymous logons could gain access to objects for which Everyone (another special security principal) has access. I don’t recommend using the Authenticated Users group for controlling permissions because it includes local accounts, which are a bad practice to use because you can’t centrally manage them at the domain level, and they use NT LAN Manager (NTLM) authentication rather than the stronger Kerberos. Also, the membership of Authenticated Users changes dynamically when you create a trust to another domain. When you want to give all users in a domain access to a resource, I recommend that you use the Domain Users group, which limits membership to the domain. If you need to give all users in a forest access to a resource, create a universal scope group called Forest Users and add each domain’s Domain Users group as a member.




  1. Windows Built-in Users and Default Groups

    A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.
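
To check which of the identities discussed above already have a login on an instance, the following T-SQL lists each login for Everyone, Authenticated Users or a Domain Users group together with its server-level permissions and role memberships. It is an added example, not code from the original post or the quoted articles. It matches on SID rather than name, and the SIDs S-1-1-0, S-1-5-11 and the RID 513 are the standard Windows values, not taken from the page.

```sql
-- Added example: audit server logins that map to broad Windows identities.
-- Covers server-level grants only; database users are not inspected.
WITH broad AS (
    SELECT sp.principal_id,
           sp.name,
           sp.is_disabled,
           CASE
               WHEN sp.sid = 0x010100000000000100000000 THEN 'Everyone (S-1-1-0)'
               WHEN sp.sid = 0x01010000000000050B000000 THEN 'Authenticated Users (S-1-5-11)'
               ELSE 'Domain Users (RID 513)'
           END AS identity_kind
    FROM sys.server_principals AS sp
    WHERE sp.type IN ('G', 'U')                      -- Windows group / Windows login
      AND (   sp.sid = 0x010100000000000100000000    -- Everyone
           OR sp.sid = 0x01010000000000050B000000    -- Authenticated Users
           OR (    DATALENGTH(sp.sid) = 28           -- S-1-5-21-<a>-<b>-<c>-<rid>
               AND SUBSTRING(sp.sid, 1, 12) = 0x010500000000000515000000
               -- RID 513 in little-endian; a machine's local RID 513 group also matches
               AND SUBSTRING(sp.sid, 25, 4) = 0x01020000))
)
SELECT b.name,
       b.identity_kind,
       b.is_disabled,
       'permission' AS grant_type,
       (p.state_desc + ' ' + p.permission_name) COLLATE DATABASE_DEFAULT AS detail
FROM broad AS b
JOIN sys.server_permissions AS p
  ON p.grantee_principal_id = b.principal_id
UNION ALL
SELECT b.name,
       b.identity_kind,
       b.is_disabled,
       'server role',
       r.name COLLATE DATABASE_DEFAULT
FROM broad AS b
JOIN sys.server_role_members AS m
  ON m.member_principal_id = b.principal_id
JOIN sys.server_principals AS r
  ON r.principal_id = m.role_principal_id
ORDER BY name, grant_type;
```

Every login holds at least `GRANT CONNECT SQL`, so any row returned means that identity can connect to the instance; rows beyond that show what else it has been given.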




  1. Microsoft – TechNet Magazine
    • TechNet Magazine > Tips > Windows Server 2008
    • Windows Server 2008 > Understand Implicit Groups and Identities
  2. WeaselFire Ramblings
    • Everyone isn’t everyone
  3. Exploit Database
    • Ubisoft Uplay 4.6 – Insecure File Permissions Privilege Escalation
  4. Varonis.com
    • Rob Sobers
      • The Difference Between Everyone and Authenticated Users
  5. Windows IT Pro
    • Jan De Clercq
      • What’s the scope of the built-in Authenticated Users group in a multi-forest Active Directory (AD) environment?
    • Randy Franklin Smith
      • Understanding the Authenticated Users Group
  6. Stack Overflow
    • StackExchange.com
      • Windows groups and permissions: Authenticated Users group meaning
  7. ss64.com
    • Windows Built-in Users and Default Groups
