Windows

I would think that with strickly domain user accounts for domain users, they would be denied installation of anything that you do not want them to have.

The Authenticated Users group on client computers allows users to log on to trusted domains. Since the sysvol and netlogon folder is a required share, and if you have other domains that users are in that need to log on to your netowrk I would think the deny read only access would prohibit them log on rights . Never tried this so I don't know.

Users need read access to Active Directory, "authenticated users" includes all users in your domain. With deny taking precedence over any other permissions you set, I would think you basicly disallow total access to authentication.

I agree with the other two posters. Denying Read access to the Authenticated Users group would give you a ton of headaches.

Instead, why not create a policy that denies the installation of the tools, place the Authenticated Users in it, then deny that policy for the users (e.g. domain admins) that need the toolkit installed? That will give you more flexibility without having to modify the basic security model for AD.

Good luck!

I'd like to do something like the original post. How about just remove "READ" permission from "authenticated users"? This will not have any override issue the other pointed out.

-Yuemo