I am working with an application that allows security to a hierarchy of folders to be set through Active Directory. I have run into an issue with the application where it seems that the default security mode for all users is full access, and only those users that are deliberately excluded will not be able to receive access. So I would thus like to set the permissions so that all users/groups in a domain are excluded, and then explicitly include the groups and users that should have access.
So my question: is there a way that I can refer to all groups and/or users within Active Directory? For domain ABC, and user XYZ, I would input ABC\XYZ. Same for a group. Is there a syntax like ABC\* that would be a blanket reference to all users and groups for the domain? Or would I have to go in and exclude them all explicitly?
"Authenticated Users" includes all domain users; I'm not sure if this would be available within your application, but it works for group policies.
"Everyone", "Domain Users" or "Domain Admins" etc. are other ways to reference your users.
See this article with more info (I think it is still valid today)
Important text:
Perhaps you can use the "Authenticated Users" system group? If I remember correctly, Active Directory uses a "deny by default" rule where it will only allow access to those specifically granted access in the ACL for an object. If you only want to allow certain users or groups, clear the list and add only those that you want to have access with the permissions desired. If there is a specific user that you do not want to have access who is part of a group that otherwise would have access, add them to the list with a specific "deny all" rule, which will override the group setting for that user.
If you are dealing with NTFS permissions, your model will not work. If you deny everyone access, then allow certain users, the deny will take precedence.
You need to remove the default access, and then allow certain users. Windows NTFS will only allow access if someone has been explicitly granted the rights - you don't need to explicitly deny them if you don't want.
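The allow-only model described in this answer (strip the default access, then grant only the intended groups, with no Deny entries) can be scripted against an NTFS folder. The following is an added PowerShell example and is not code from any of the posters; the folder path `D:\Shares\Projects` and the groups `ABC\Project-Readers` and `ABC\Project-Editors` are assumed placeholders, and the final check flags the situation the answer warns about, a Deny ACE on a broad principal that would override every Allow.

```powershell
# Added example, not from the answers above: build an allow-only NTFS ACL.
# Assumed placeholders: the folder path and the domain group names.
$Folder   = 'D:\Shares\Projects'           # assumed path
$AllowMap = @{                              # assumed domain groups -> rights
    'ABC\Project-Readers' = 'ReadAndExecute'
    'ABC\Project-Editors' = 'Modify'
}

$acl = Get-Acl -Path $Folder

# 1. Stop inheriting the parent's ACEs (where the default "Everyone"/"Users"
#    allows usually come from) and discard them rather than converting them
#    into explicit entries.
$acl.SetAccessRuleProtection($true, $false)

# 2. Remove every explicit Allow/Deny ACE still present on the folder.
foreach ($ace in @($acl.Access)) {
    $null = $acl.RemoveAccessRule($ace)
}

# 3. Keep administrative access so the folder remains manageable.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $admin, $full, $inherit, $propag, $allow))
}

# 4. Grant only the groups that should have access. No Deny ACEs are added:
#    a principal matched by no Allow ACE is simply refused.
foreach ($entry in $AllowMap.GetEnumerator()) {
    $rights = [System.Security.AccessControl.FileSystemRights]$entry.Value
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $entry.Key, $rights, $inherit, $propag, $allow))
}

Set-Acl -Path $Folder -AclObject $acl

# 5. Verify the result and flag any Deny on a broad principal, which would
#    take precedence over the Allow entries granted above.
$result = Get-Acl -Path $Folder
$result.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'ABC\Domain Users'
$broadDeny = $result.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -in $broadPrincipals
}
if ($broadDeny) {
    Write-Warning 'A Deny ACE on a broad group overrides the Allow entries; remove it.'
}
```

Run it from an elevated session that holds the right to change the folder's permissions; because step 1 breaks inheritance, re-run `Get-Acl` on a child afterwards to confirm the new entries propagated as intended.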