What is the best method to remove the Authenticated Users group from all Windows 7 workstations?
Hello, I am a System Admin and have been tasked to look into removing the "Authenticated Users" from all Desktops and Laptops in the environment. I have looked through numerous posts and forums trying to find the best method to do this, but have come up empty so far. The thought is that removing the "AU" group and having other AD groups (which are already in place) control access to logons, etc. would be the best course of action. I am not sure if somehow scripting this and deploying through a login script would be best or maybe setting something up through Group Policy may work best. I am really looking for any and all info that you may have to assist with this. Please let me know if you need more detail or have any thoughts. Thanks
April 25th, 2012 11:21am

Are you talking about folder permissions or membership of this group? That's not a real group. Systems and Users become members of that group as they get authenticated.
http://www.windowsitpro.com/article/user-management-and-profiles/understanding-the-authenticated-users-group
http://networkadminkb.com/KB/a41/differences-between-authenticated-users-domain-users.aspx
April 25th, 2012 11:39am

Thank you for the fast reply. That first link is one that I initially stumbled on, and noticed that the poster also recommended removing Authenticated Users and going with the AD Security Groups. I do realize it is not a group and I am referring more to folder permissions/Login access. In essence what I am after is a way to remove the Authenticated Users from all workstations and then go back in and enforce other AD groups to control permissions for allowing users to login, modify files/folders etc. So if I have a user called USERa, and they are a part of an AD Security group called G_ITusers (or something), then only USERa or someone else in the G_ITusers group could log into workstation_xyz. But USERb who is a part of a different AD group could not login to that same workstation. If Authenticated Users is present USERa or USERb could login to each other's computers, etc., which is why I am wanting to remove the Authenticated Users. I was thinking of somehow using Group Policy to say that for any user trying to login to a workstation that is in group G_ITUsers that user would need to have the same group G_ITUsers as part of their groups. I hope this makes sense, again, please let me know if you have additional thoughts or need clarification.
April 25th, 2012 12:28pm

So if I have a user called USERa, and they are a part of an AD Security group called G_ITusers (or something), then only USERa or someone else in the G_ITusers group could log into workstation_xyz. But USERb who is a part of a different AD group could not login to that same workstation.
* I think this would be controlled via a different group, "Domain Users". You would need to remove "Domain Users" via GPO restricted groups or some other method and then add your group "G_ITusers" to your local "Users" group.
If Authenticated Users is present USERa or USERb could login to each other's computers, etc., which is why I am wanting to remove the Authenticated Users.
* If you follow the first step above they can login only if they have a local account.
I was thinking of somehow using Group Policy to say that for any user trying to login to a workstation that is in group G_ITUsers that user would need to have the same group G_ITUsers as part of their groups.
* You can use a logon script that would display a message to the user that if you are not a member of "G_ITUsers" then you are not allowed to log on, and then log them off.
April 25th, 2012 12:49pm

Would something like this work?
icacls C:\ /remove:g *S-1-5-11
I had seen this on another post and thought it may be something to try. Upon further review, I need to both have "Authenticated Users" removed from the ACLs as well as from the Local Users and Groups/Users section on the workstations. Any additional thoughts? Thanks
April 26th, 2012 10:26am

That might work. http://ss64.com/nt/icacls.html However, that group is a default system group and removing that group might break some applications and prevent them from running properly. I can understand removing the group from the ACL, but I would probably say don't remove it from Local Users and Groups, but it is up to you. If you decide to go that route, go very very very slow with implementation as something probably will stop working and you will need to have a plan "B".
April 26th, 2012 10:45am
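
An added example, not posted by anyone in this thread: a read-only PowerShell audit that shows where Authenticated Users (S-1-5-11) currently appears in folder ACLs and in local groups, so the impact of the removal discussed above can be reviewed on a test workstation first. The function names and the sample paths are assumptions made for illustration.

```powershell
# Added example: read-only audit, changes nothing. Avoids cmdlets newer than PowerShell 2.0.
$AuthUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

# List every ACE on $Path that is granted to or denied from Authenticated Users.
function Get-AuthUsersAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Request rules keyed by SID so matching does not depend on the localized group name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $AuthUsers.Value) {
            New-Object PSObject -Property @{
                Path = $Path; Rights = $rule.FileSystemRights
                Type = $rule.AccessControlType; Inherited = $rule.IsInherited
            }
        }
    }
}

# Name each local group that has S-1-5-11 as a direct member.
function Get-AuthUsersLocalGroup {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $groups = $computer.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'group' }
    foreach ($group in $groups) {
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            # WinNT member objects are COM objects; read the raw SID bytes by reflection.
            $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $memberSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
            if ($memberSid.Value -eq $AuthUsers.Value) { "$($group.psbase.Name)" }
        }
    }
}

# Assumed sample paths; replace with the folders that are in scope.
$paths = @("$env:SystemDrive\", "$env:SystemDrive\Users", $env:ProgramData)
$paths | ForEach-Object { Get-AuthUsersAce -Path $_ } |
    Format-Table Path, Rights, Type, Inherited -AutoSize
Get-AuthUsersLocalGroup
```

For the plan "B" mentioned above, `icacls <folder> /save <file> /T` records the current ACLs before any change and `icacls <parent folder> /restore <file>` puts them back.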


This topic is archived. No further replies will be accepted.
