none
Difference between Domain\Domain Users and Everyone Group in SharePoint RRS feed

  • Question

  • Hi,

    In SharePoint 2013, is Everyone Group an AD group ? Please help with details.

    Thanks


    srabon

    Thursday, April 17, 2014 5:12 AM

Answers

  • Hi All,

    Domain Users, Authenticated Users, or Everyone

    Domain Users
    The Domain Users is the only real group of the 3 listed above.  By that I mean you can add and remove members from this group.  Domain Users is a Global Group in the domain, and it can only contain users that are members of same domain the Domain Users group resides in.  By default all users created in the domain are automatically members of this group.  However, the  default Guest account in the domain is NOT a member of Domain Users, instead it is placed in the Domain Guest group. Because Domain Users is generally considered the most secure group of the three listed above.

    Authenticated Users
    Authenticated Users was first introduced in Windows NT 4.0 SP3.  This is a built-in group and cannot be modified.  The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain.  Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not.  Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests.The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account. 

    Everyone group
    The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.  NULL session connections (aka anonymous logon) used to be included in this group but were removed in Windows 2003.  This is a built-in group that cannot be modified.Because the Everyone group contains the Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. is generally considered the least secure of the three groups.


    Short Answer is there isn't much to worry about unless folks are logging I with a guest account or you have removed a bunch of folks from the domain users group

    clip_image001 clip_image002 clip_image003 clip_image004 clip_image006 clip_image008


    -Ivan



    • Edited by Ivan Sanders Friday, April 18, 2014 12:35 AM
    • Marked as answer by JasonGuo Monday, April 28, 2014 1:39 AM
    Friday, April 18, 2014 12:28 AM
  • You would still be able to 'see' "Everyone", regardless if it was in the Site Collection or not (unless you specified onlysearchwithinsitecollection on the People Picker properties).

    Trevor Seward

    Follow or contact me at...
      

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by JasonGuo Monday, April 28, 2014 1:39 AM
    Thursday, April 17, 2014 6:15 AM
    Moderator

All replies

  • Everyone encompasses all authenticated users (which could be from other domains trusted by the domain SharePoint resides in) where as Domain Users refers to users of just that particular domain.

    Trevor Seward

    Follow or contact me at...
      

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, April 17, 2014 5:17 AM
    Moderator
  • Let's say we have X\Domain Users, Y\Domain Users and Z\Domain Users and if we add these 3 domains in sharpoint then we are fine in terms of SharePoint Users in SharePoint. But in the meantime few site admins added EVERYONE group in few sites. 

    Now the question is, if we hide the EVERYONE group from SharePoint then what would be the impact? I meant who would not be able to access sharepoint site?

    So this group is also AD group correct?

    Thanks


    srabon


    Thursday, April 17, 2014 5:22 AM
  • Everyone is a "Well-known SID", that is, it is consistent in all Active Directory environments. Yes, it should cover all of those Domain Users group given the trusts are correct.

    Trevor Seward

    Follow or contact me at...
      

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, April 17, 2014 5:32 AM
    Moderator
  • Basically I would like to know,

    As we already add all domains \ domain users and also everyone group has been added in the same site. My question was if we hide everyone group which will not show in the pepole picker of SharePoint anymore then what would be the impact?

    Thanks


    srabon


    Thursday, April 17, 2014 5:44 AM
  • You would still be able to 'see' "Everyone", regardless if it was in the Site Collection or not (unless you specified onlysearchwithinsitecollection on the People Picker properties).

    Trevor Seward

    Follow or contact me at...
      

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by JasonGuo Monday, April 28, 2014 1:39 AM
    Thursday, April 17, 2014 6:15 AM
    Moderator
  • Hi All,

    Domain Users, Authenticated Users, or Everyone

    Domain Users
    The Domain Users is the only real group of the 3 listed above.  By that I mean you can add and remove members from this group.  Domain Users is a Global Group in the domain, and it can only contain users that are members of same domain the Domain Users group resides in.  By default all users created in the domain are automatically members of this group.  However, the  default Guest account in the domain is NOT a member of Domain Users, instead it is placed in the Domain Guest group. Because Domain Users is generally considered the most secure group of the three listed above.

    Authenticated Users
    Authenticated Users was first introduced in Windows NT 4.0 SP3.  This is a built-in group and cannot be modified.  The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain.  Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not.  Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests.The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account. 

    Everyone group
    The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.  NULL session connections (aka anonymous logon) used to be included in this group but were removed in Windows 2003.  This is a built-in group that cannot be modified.Because the Everyone group contains the Guest account, and several other Built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. is generally considered the least secure of the three groups.


    Short Answer is there isn't much to worry about unless folks are logging I with a guest account or you have removed a bunch of folks from the domain users group

    clip_image001 clip_image002 clip_image003 clip_image004 clip_image006 clip_image008


    -Ivan



    • Edited by Ivan Sanders Friday, April 18, 2014 12:35 AM
    • Marked as answer by JasonGuo Monday, April 28, 2014 1:39 AM
    Friday, April 18, 2014 12:28 AM