Questions on Authenticated Users and Access This Computer From Network User Right

Microsoft KB 823659 implies that Authenticated Users is equivalent to Users,
Computers, and Service accounts. I have two questions on this:

1) If I want to remove Authenticated Users from the User right "Access this
computer from network" then what are the entities that should be used
instead of Authenticated Users? I am guessing at minimum I need these:

Domain Users
Domain Computers
Network Service

Let's assume for now that I only want users in a single domain to have
access to the shares.

Does Authenticated Users cover other cases (yes, I do realize it covers
users in other domains of the same forest)?

2) Microsoft KB 823659 implies without saying it clearly that *member
servers* need to have the Authenticated Users" added to the "Access this
computer from network". The sentence that throws me off is the very first
sentence of 823659 under the "Access this computer from network" section
heading:

"The ability to interact with remote Windows computers requires the Access
this computer from network user right."

This sentence seems to be written from the perspective of the client
computer, not the server. Does the client computer on a network that
needs to access a share on a file server need to include all of the same
elements in "Access this computer from network" that the file server does?
If the answer is no, Microsoft really needs to rewrite this entire document
and supply a different list of recommended entries based on the role of the
computer on the network.

--
Will

"Will" <(E-Mail Removed)> wrote in message
news:CIKdnVveCsHG-(E-Mail Removed)...
> Microsoft KB 823659 implies that Authenticated Users is equivalent to
> Users,
> Computers, and Service accounts. I have two questions on this:
>
> 1) If I want to remove Authenticated Users from the User right "Access
> this
> computer from network" then what are the entities that should be used
> instead of Authenticated Users?

Access this computer from network:
This user right can be void. There is no need to grant access to any
account.
You determine who/what you want to allow.

> I am guessing at minimum I need these:
>
> Domain Users
> Domain Computers
> Network Service
>
> Let's assume for now that I only want users in a single domain to have
> access to the shares.
>

If you want only the users from domain X to have access then
the user right would be granted to X\Domain Users only.
Network Service would not be used unless you wanted the machine
itself to access its own shares via a network connection.
Domain Computers would only be used if you wanted to allow
processes running as Local System or Network Service on any
machine in the domain whose Domain Computers group is use.
Use of a grant of this right to Domain Computers is highly unusual,
but is used for such as access to startup scripts or to where info
is written during startup.

> Does Authenticated Users cover other cases (yes, I do realize it covers
> users in other domains of the same forest)?
>

Authenticated Users represents any account in the forest except Guest
accounts (and Anonymous which is not authenticated)

> 2) Microsoft KB 823659 implies without saying it clearly that *member
> servers* need to have the Authenticated Users" added to the "Access this
> computer from network".

I do not see such implication.
As said before, the right only needs to be granted to what you want
to have network access (to shares/printer), and Authenticated Users
is almost every forest account. So, if you wanted all except Guest
accounts in the forest, except Anonymous, to have access then one
would use such a grant.
This is contrary to normal use guided by the principal of least privilege.
Grant the right to what is entitled, what has a valid, defined need for
the access.

> The sentence that throws me off is the very first
> sentence of 823659 under the "Access this computer from network" section
> heading:
>
> "The ability to interact with remote Windows computers requires the Access
> this computer from network user right."
>

.. . . as validated, i.e. authorized at the machine where the user
right is to be used . . .
Authoriztion to access is checked at the point of access, so the right needs
to be in the user token on that machine, meaning the right needs to be
granted
on that machine - not the accessed from machine where the same account
has a token used for authorization checks on that access-from machine.

> This sentence seems to be written from the perspective of the client
> computer, not the server.

I guess that view is relative to reader supplied context.

> Does the client computer on a network that
> needs to access a share on a file server need to include all of the same
> elements in "Access this computer from network" that the file server does?

I believe the answer should be clear by now. No.

> If the answer is no, Microsoft really needs to rewrite this entire
> document
> and supply a different list of recommended entries based on the role of
> the
> computer on the network.
>

Try rereading with the above added clarifications, keeping in mind that
when a account is authorized at each different machine by establishing
a connection the basic user token is adjusted to represent authorization
on that specific machine.

"Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> If you want only the users from domain X to have access then
> the user right would be granted to X\Domain Users only.
> Network Service would not be used unless you wanted the machine
> itself to access its own shares via a network connection.
> Domain Computers would only be used if you wanted to allow
> processes running as Local System or Network Service on any
> machine in the domain whose Domain Computers group is use.
> Use of a grant of this right to Domain Computers is highly unusual,
> but is used for such as access to startup scripts or to where info
> is written during startup.

What about for replicating machine group policy from the domain controller
to the member server? Isn't that replication being done by some service
that runs as Local System or Network Service


> > Does the client computer on a network that
> > needs to access a share on a file server need to include all of the same
> > elements in "Access this computer from network" that the file server
does?
>
> I believe the answer should be clear by now. No.

So on the typical member server, what should be in the list of users in the
"Access this computer from the network" user right? It should be empty?


> > If the answer is no, Microsoft really needs to rewrite this entire
> > document
> > and supply a different list of recommended entries based on the role of
> > the
> > computer on the network.
>
> Try rereading with the above added clarifications, keeping in mind that
> when a account is authorized at each different machine by establishing
> a connection the basic user token is adjusted to represent authorization
> on that specific machine.

I still think the Microsoft KB article, as written, does a poor job of
explaining that the client side settings will different from the server
side, and it should be written to supply an explicit recommendation about
what users or groups to add to this privilege on client computers.

--
Will

"Will" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
>
> "Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> If you want only the users from domain X to have access then
>> the user right would be granted to X\Domain Users only.
>> Network Service would not be used unless you wanted the machine
>> itself to access its own shares via a network connection.
>> Domain Computers would only be used if you wanted to allow
>> processes running as Local System or Network Service on any
>> machine in the domain whose Domain Computers group is use.
>> Use of a grant of this right to Domain Computers is highly unusual,
>> but is used for such as access to startup scripts or to where info
>> is written during startup.
>
> What about for replicating machine group policy from the domain controller
> to the member server? Isn't that replication being done by some service
> that runs as Local System or Network Service
>

Will, that is the grants on the DC that are involved, and in general,
unless you know pretty well the architecture of AD you would be
well off not fooling with the settings on a DC.

>
>> > Does the client computer on a network that
>> > needs to access a share on a file server need to include all of the
>> > same
>> > elements in "Access this computer from network" that the file server
> does?
>>
>> I believe the answer should be clear by now. No.
>
> So on the typical member server, what should be in the list of users in
> the
> "Access this computer from the network" user right? It should be empty?
>

It all depends on what roles are filled by the member.
For example, an SQL server might have need for no grants of this,
whereas an organizations' fileservers or printservers certainly would.

>
>> > If the answer is no, Microsoft really needs to rewrite this entire
>> > document
>> > and supply a different list of recommended entries based on the role of
>> > the
>> > computer on the network.
>>
>> Try rereading with the above added clarifications, keeping in mind that
>> when a account is authorized at each different machine by establishing
>> a connection the basic user token is adjusted to represent authorization
>> on that specific machine.
>
> I still think the Microsoft KB article, as written, does a poor job of
> explaining that the client side settings will different from the server
> side, and it should be written to supply an explicit recommendation about
> what users or groups to add to this privilege on client computers.
>

Perhaps, but generally, in an enterprise, clients do not share and so
have no need for any account to be granted this right, given that there
is distinct preference for server-based storage and print queueing.