We have a lot of people in our company: employees, contractors, people in joint ventures, etc. So, we want to control access to our intranet. To do that, we need to be able to prevent people in SharePoint from granting access to "Authenticated Users." Is there a way to do this?
One way it seems feasible to do this is to deny access to Authenticated Users in web application policy, but that seems like it would override everything else, basically preventing anyone from accessing SharePoint. I may be wrong.
This is more a "through obscurity" technique - but you can remove the "Add all authenticated users" link from the permissions page. More savvy users will still be able to type in nt authority\all authenticated users - but it keeps the average Joe from easily adding the group.
The only way to do this properly is through the web.config. We can deny authenticated users, but allow a specific group to access SharePoint. The built-in SharePoint web application security won't do it, because denying Authenticated Users shuts everyone out. You have to use the regular ASP.NET conventions in the web.config to restrict access.
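The web.config restriction this answer describes could look like the following. This is an added example, not the poster's own configuration; it assumes Windows authentication, and the group name CONTOSO\SP-Intranet-Users is a hypothetical placeholder.

```xml
<!-- Added example. CONTOSO\SP-Intranet-Users is a hypothetical AD group. -->
<configuration>
  <system.web>
    <!-- Before: any account that authenticates passes URL authorization.
    <authorization>
      <allow users="*" />
    </authorization>
    -->

    <!-- After: rules are evaluated top-down and the first match wins,
         so the allow rule must come before the catch-all deny. -->
    <authorization>
      <!-- Under Windows authentication, roles map to Windows/AD groups. -->
      <allow roles="CONTOSO\SP-Intranet-Users" />
      <!-- Everyone not matched above is refused, including accounts that
           a site owner added through "Authenticated Users". -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Accounts that reach the site over HTTP, such as the search crawl account, also have to be members of the allowed group. The change must be made in the web.config of the web application on every web front end.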
(If I understand well) Delete "Authenticated Users" from your website, disable access to security info for the users, and manage it yourself.
You can also modify the permission that you are granting end users. Frequently admins will grant "full control" to site owners - without really taking a look at what permissions you are really granting.
In addition to giving users the ability to grant access to other users, you also grant them the ability to create sub-sites and other little tricks that make DR more difficult than it needs to be.
For me - once I add my users to the owners group - I then modify group settings, and change the permission level of owners from Full Control to Design. That's all most users want anyway: to be able to contribute - or have some design input on their collaboration site (i.e., add a web part, create a list, etc.).
When they ask to add another site below the first, I create a page for them - and show them how that accomplishes the same thing.
We manage user access via AD groups - so adding users to a site is really more about having a network admin add a user to the AD group. Seems to work for us.