Tip: Understand Implicit Groups and Identities in Windows Server 2008

Windows Server 2008 defines a set of special identities that you can use to assign permissions in certain situations. You usually assign permissions implicitly to special identities. However, you can assign permissions to special identities when you modify Active Directory objects. The special identities include the following:

The Anonymous Logon identity: Any user accessing the system through anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a Web page published on the corporate presence servers.

The Authenticated Users identity: Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.

The Batch identity: Any user or process accessing the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.

The Creator Group identity: Windows Server 2008 uses this special identity group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.

The Creator Owner identity: The person who created the file or the directory is a member of this special identity group. Windows Server 2008 uses this identity to automatically grant access permissions to the creator of a file or directory.

The Dial-Up identity: Any user accessing the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.

The Enterprise Domain Controllers identity: Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise using transitive trusts.

The Everyone identity: All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to a system resource.

The Interactive identity: Any user logged on to the local system has the Interactive identity. This identity allows only local users to access a resource.

The Network identity: Any user accessing the system through a network has the Network identity. This identity allows only remote users to access a resource.

The Proxy identity: Users and computers accessing resources through a proxy have the Proxy identity. This identity is used when proxies are implemented on the network.

The Restricted identity: Users and computers with restricted capabilities have the Restricted identity.

The Self identity: The Self identity refers to the object itself and allows the object to modify itself.

The Service identity: Any service accessing the system has the Service identity. This identity grants access to processes being run by Windows Server 2008 services.

The System identity: The Windows Server 2008 operating system itself has the System identity. This identity is used when the operating system needs to perform a system-level function.

The Terminal Server User identity: Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows terminal server users to access terminal server applications and to perform other necessary tasks with Terminal Services.

From the Microsoft Press book Microsoft Windows Server 2008 Administrator’s Pocket Consultant by William R. Stanek.
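
Because membership in these identities is implicit, a permission granted to Everyone, Anonymous Logon or Authenticated Users reaches far more accounts than a normal group grant. The following is an added example, not taken from the book or from TechNet: a PowerShell function that lists file-system ACEs granted to those three identities. The function name, the choice of identities and the path in the usage comment are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example: report Allow ACEs granted to broad special identities.
function Find-BroadIdentityAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Resolve by well-known SID so matching does not depend on localized names.
    $wk = [System.Security.Principal.WellKnownSidType]
    $broad = @{
        'Everyone'            = $wk::WorldSid
        'Anonymous Logon'     = $wk::AnonymousSid
        'Authenticated Users' = $wk::AuthenticatedUserSid
    }
    $sidToName = @{}
    foreach ($name in $broad.Keys) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($broad[$name], $null)
        $sidToName[$sid.Value] = $name
    }

    # Check the root folder itself plus everything beneath it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Request trustees as SIDs rather than translated account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sidValue = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $sidToName.ContainsKey($sidValue)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $sidToName[$sidValue]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Usage (constructed path): show only explicit grants, since inherited ACEs repeat the parent's.
# Find-BroadIdentityAce -Path 'D:\Shares\Public' | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```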