Certification Success – Implicit Groups

On the road to acquiring an MCSA or MCSE, you will undoubtedly come across an exam question that refers to implicit groups. So let’s try and make some sense out of this concept.

Implicit groups are transient in nature. By this, I mean that group membership is controlled by the system and based upon who is currently logged in, and how they are getting to the system. Membership changes automatically and is real-time. Looking at implicit group memberships will tell you a lot about what’s going on with your system.

Keep in mind that many automated system functions perform their various tasks under the guise of a hidden user account. A good example of this would be the Enterprise Domain Controllers group, which will consist of domain controller computer accounts in the entire enterprise. Trust and replication tasks are performed by these accounts.

Outside of the curiosity factor associated with implicit groups, a good rule of thumb is to take advantage of these implicit groups when granting access to data and resources as much as possible. The reasoning, again, comes down to security.

All user accounts are members of the EVERYONE user group, and that includes the Guest account. If the Guest account is enabled, an anonymous user with a completely unknown username and password can gain access to the system by way of the Guest account, as long as it has no assigned password. The result is that this user shows up as an Anonymous user when you monitor logins and share access. Even though the anonymous user is ‘piggybacking’ off of the Guest account, he is still a member of the EVERYONE group by definition, and this can become a problem because default share permissions are always set to allow Full Control for members of that group. Of course, you can disable the Guest account, but the situation often arises where legitimate anonymous access is necessary. In order to resolve this particular conundrum, you can use the implicit group Authenticated Users to assign the permissions to resources that you would normally assign to the EVERYONE group. In turn, you can then assign more stringent, anonymous-specific permissions to the Guest account specifically, or to the EVERYONE group. Standard user accounts automatically become members of the Authenticated Users group, while the masked-guest account does not.
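As an added example (not code from the original article), the PowerShell function below finds explicit Allow entries for Everyone on a shared folder’s NTFS ACL and re-grants the same rights to Authenticated Users instead, so an Anonymous logon (a member of Everyone but not of Authenticated Users) no longer gets the access. It assumes a folder at C:\Shares\Public and matches the well-known SIDs S-1-1-0 (Everyone) and S-1-5-11 (Authenticated Users) rather than display names, so it works on a non-English system as well.

```powershell
# Added example: swap explicit Allow ACEs for Everyone (S-1-1-0) on a folder
# for identical ACEs granted to Authenticated Users (S-1-5-11).
# Inherited entries are left alone; fix those at the parent they come from.
function Repair-EveryoneAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path)

    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

    $acl = Get-Acl -Path $Path
    # Ask for rules keyed by SID (explicit only, no inherited) so the match
    # does not depend on the localized name "Everyone"
    $everyoneAces = $acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and
                       $_.AccessControlType -eq 'Allow' }

    if (-not $everyoneAces) {
        Write-Verbose "No explicit Allow ACE for Everyone on $Path"
        return
    }

    foreach ($ace in $everyoneAces) {
        Write-Host ("Everyone currently has {0} on {1}" -f $ace.FileSystemRights, $Path)
        # Same rights and inheritance flags, different (authenticated-only) principal
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $authUsers, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($replacement)
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace Everyone ACEs with Authenticated Users')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Dry run first (-WhatIf prints what would change), then apply for real
Repair-EveryoneAce -Path 'C:\Shares\Public' -WhatIf
# Repair-EveryoneAce -Path 'C:\Shares\Public'
```

Share-level permissions on the share itself are separate from the NTFS ACL this touches, so apply the same Everyone-to-Authenticated Users change there too.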

Here is a key to give you some ideas about how implicit and standard groups work.

Locally Logged on Users are members of

  • Authenticated Users
  • Everyone
  • Interactive

Networked Users are members of

  • Authenticated Users
  • Everyone
  • Network

Terminal Server Clients are members of

  • Authenticated Users
  • Everyone
  • Terminal Server User

Anonymous Users are members of

  • Anonymous logon
  • Everyone

As you look at these lists, you might better be able to understand how implicit groups can save you some time and organizational headaches. Let’s take Terminal Server as an example. Once a user account is enabled as a Terminal Server Client, the only remaining thing that needs to be done is to install the Terminal Services Client on the user’s computer. Now, let’s say that by your definition, all Terminal Server users are remote users as well. Instead of creating an extra Terminal Server or remote user group, you can simply assign any unique permissions specific to those accounts to the Terminal Server User group.
