Special OS, AD Accounts and SQL Server

 

Background

Windows has a few special built-in accounts and groups, and so does Active Directory.

Unfortunately, the exact name to use when referencing those accounts within SQL Server is not always easy to find.

 

Account & Group Names

SAM Account

The Security Account Manager (SAM) database houses the local computer’s users and groups.

 

| Account Name | What does it mean? | Qualified Name | Create Login |
|---|---|---|---|
| Users | | BUILTIN\Users | CREATE LOGIN [BUILTIN\Users] FROM WINDOWS; |
| Everyone | All interactive, network, dial-up, and authenticated users are members of the Everyone group | \EVERYONE | CREATE LOGIN [\Everyone] FROM WINDOWS |
| Authenticated Users | Any user accessing the system through a logon process has the Authenticated Users identity. | NT AUTHORITY\Authenticated Users | CREATE LOGIN [NT AUTHORITY\Authenticated Users] FROM WINDOWS |

Active Directory Domain

| Account Name | What does it mean? | Qualified Name | Create Login |
|---|---|---|---|
| Domain Users | | <domain-name>\Domain Users | CREATE LOGIN [<domain-name>\Domain Users] FROM WINDOWS; |
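
Because each of the logins above admits a very large population, it is worth checking which of them already exist on an instance and what they have been granted. The T-SQL below is an added example, not part of the original post: it finds Windows group logins by well-known SID rather than by name, so localized group names still match, and lists their server roles and server-level permissions. It assumes it is run by a login that can see all server principals (for example a sysadmin); the CTE name and column aliases are illustrative.

```sql
-- Added example: audit logins that map to broad built-in Windows/AD groups.
-- SIDs are the binary form of the well-known SIDs named in the comments.
WITH broad_groups AS (
    SELECT sp.principal_id,
           sp.name,
           sp.is_disabled,
           CASE
               WHEN sp.sid = 0x010100000000000100000000
                   THEN 'Everyone (S-1-1-0)'
               WHEN sp.sid = 0x01010000000000050B000000
                   THEN 'Authenticated Users (S-1-5-11)'
               WHEN sp.sid = 0x01020000000000052000000021020000
                   THEN 'BUILTIN\Users (S-1-5-32-545)'
               -- Domain SID (S-1-5-21-x-y-z) followed by RID 513
               WHEN DATALENGTH(sp.sid) = 28
                    AND SUBSTRING(sp.sid, 1, 12) = 0x010500000000000515000000
                    AND SUBSTRING(sp.sid, 25, 4) = 0x01020000
                   THEN 'Domain Users (RID 513)'
           END AS well_known_group
    FROM sys.server_principals AS sp
    WHERE sp.type = 'G'              -- Windows groups only
)
-- Fixed server role memberships held by those groups
SELECT bg.name,
       bg.well_known_group,
       bg.is_disabled,
       'server role' AS grant_kind,
       r.name COLLATE DATABASE_DEFAULT AS granted
FROM broad_groups AS bg
JOIN sys.server_role_members AS rm ON rm.member_principal_id = bg.principal_id
JOIN sys.server_principals  AS r  ON r.principal_id = rm.role_principal_id
WHERE bg.well_known_group IS NOT NULL
UNION ALL
-- Explicit server-level permissions (a new login shows GRANT CONNECT SQL)
SELECT bg.name,
       bg.well_known_group,
       bg.is_disabled,
       'server permission',
       (p.state_desc + ' ' + p.permission_name) COLLATE DATABASE_DEFAULT
FROM broad_groups AS bg
JOIN sys.server_permissions AS p ON p.grantee_principal_id = bg.principal_id
WHERE bg.well_known_group IS NOT NULL
ORDER BY name, grant_kind, granted;
```

An empty result means none of these groups has a login on the instance; database-level user mappings are not covered by this query and need a per-database check.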

 

 

 

Anecdotes

Authenticated Users

Randy Franklin Smith

  1. Understanding the Authenticated Users Group

    Microsoft created the Authenticated Users group in response to fears that Anonymous logons could gain access to objects for which Everyone (another special security principal) has access. I don’t recommend using the Authenticated Users group for controlling permissions because it includes local accounts, which are a bad practice to use because you can’t centrally manage them at the domain level, and they use NT LAN Manager (NTLM) authentication rather than the stronger Kerberos. Also, the membership of Authenticated Users changes dynamically when you create a trust to another domain. When you want to give all users in a domain access to a resource, I recommend that you use the Domain Users group, which limits membership to the domain. If you need to give all users in a forest access to a resource, create a universal scope group called Forest Users and add each domain’s Domain Users group as a member.

 

Users

SS64.com

  1. Windows Built-in Users and Default Groups

    A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

 

 

Reference

  1. Microsoft – TechNet Magazine
    • TechNet Magazine > Tips > Windows Server 2008
    • Windows Server 2008 > Understand Implicit Groups and Identities
  2. WeaselFire Ramblings
    • Everyone isn’t everyone
  3. Exploit Database
    • Ubisoft Uplay 4.6 – Insecure File Permissions Privilege Escalation
  4. Varonis.com
    • Rob Sobers
      • The Difference Between Everyone and Authenticated Users
  5. Windows IT Pro
    • Jan De Clercq
      • What’s the scope of the built-in Authenticated Users group in a multi-forest Active Directory (AD) environment?
    • Randy Franklin Smith
      • Understanding the Authenticated Users Group
  6. Stack Overflow
    • StackExchange.com
      • Windows groups and permissions: Authenticated Users group meaning
  7. ss64.com
    • Windows Built-in Users and Default Groups
