What exactly is included in the Windows "Everyone" security identifier (e.g. does it include computer accounts like DOMAIN\MACHINE$)?

This is a generalization of a question I initially had asked about computer accounts. I asked:

When one sets Windows permissions for "Everyone", do these permissions apply to computer accounts (aka machine accounts) like MYDOMAIN\MYMACHINE$? Or do they, say, only apply to normal users/groups?

But the question of what Everyone means really deserves a full, general answer -- and ideally one that makes sense to someone who isn't an in-depth expert on Windows permissions. (As of today I've found it hard to get a good sense of Everyone by going through the first few pages of Google results.)

It seems there's at least some subtlety -- e.g. by default, "anonymous" network connections are not included in Everyone.


Regarding computer accounts:

I've had trouble finding any clear documentation about this, so I'll have to answer from my experience. And in my experience, yes, Everyone permissions do apply to computer accounts. (For example, if you grant write access on a share to Everyone, then machine account MYDOMAIN\MYMACHINE$ will thereby get write access to that share.)

Many will find this obvious, but to be explicit about a couple of cases of accessing network resources: Some of the most well-known built-in identities -- e.g. NETWORK SERVICE -- identify as the computer account (e.g. DOMAIN\MACHINE$) when they access network resources (e.g. network shares). Because computer accounts are in Everyone, we therefore know that processes running under, say, NETWORK SERVICE, are thus also considered to be in Everyone for the purpose of accessing network resources. (Theoretically IIS app pool identities should also identify to remote machines as the local computer account, but apparently people are having trouble with this. In contrast, the Local Service account definitely won't count as in Everyone if it accesses resources -- because Local Service identifies to remote servers anonymously, rather than as the machine account.)

(Most of my experimentation involved having Windows Storage Server 2008 as a file server, and trying to access that from Windows Server 2008 (Standard) or Windows 7 Pro. Access from the client machines was made by a process running under NETWORK SERVICE, which authenticates remotely as the client machine's machine account.)
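A practical follow-up to the answer above, as an added example that is not part of the original post: since any client process that authenticates as DOMAIN\MACHINE$ (e.g. one running as NETWORK SERVICE) matches an "Everyone" ACE, this script lists the shares on a file server where Everyone (well-known SID S-1-1-0) has been granted write-class rights at the share or NTFS level, and reports the LSA EveryoneIncludesAnonymous setting that controls whether anonymous connections are treated as Everyone (it defaults to 0, matching the default mentioned in the question). It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later) and an elevated session on the file server.

```powershell
# Added example, not code from the original post. Run elevated on the file server.
# Resolve "Everyone" by SID so the check also works on non-English installations.
$everyone     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyoneName = $everyone.Translate([System.Security.Principal.NTAccount]).Value

# Write-class NTFS rights: anything that lets a caller add or change data.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path })) {

    # 1. Share-level permissions: Everyone allowed Change or Full.
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyoneName -and
                       $_.AccessControlType -eq 'Allow' -and
                       ('Change','Full') -contains "$($_.AccessRight)" } |
        ForEach-Object {
            [pscustomobject]@{ Scope = 'Share'; Share = $share.Name; Path = $share.Path; Right = "$($_.AccessRight)" }
        }

    # 2. NTFS permissions on the share root: Everyone ACEs carrying write/modify/full bits.
    #    GetAccessRules(..., SecurityIdentifier) returns identities as SIDs, so compare to S-1-1-0 directly.
    $acl = Get-Acl -Path $share.Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone -and
                       $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $writeMask) -ne 0) } |
        ForEach-Object {
            [pscustomobject]@{ Scope = 'NTFS'; Share = $share.Name; Path = $share.Path; Right = "$($_.FileSystemRights)" }
        }
}

$findings | Format-Table -AutoSize

# 3. Are anonymous (null-session) connections also treated as Everyone?
#    0 (default) = no; 1 = yes ("Network access: Let Everyone permissions apply to anonymous users").
$lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue
$flag = if ($lsa) { [int]$lsa.EveryoneIncludesAnonymous } else { 0 }
"EveryoneIncludesAnonymous = $flag (0: anonymous excluded from Everyone, 1: included)"
```

Every share listed is one where a remote computer account, and therefore a client process running as NETWORK SERVICE, can write; Local Service clients only gain the same access if the final line reports 1.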