Want to modify sysvol and netlogon share permissions RRS feed

  • Question

  • HI all,


    As per security concern we need to remove the everyone from share permission on SYSVOL and NETLOGON share.......can anyone provide me the suggesstion for the same...or any documented article which says that how to do it or what precaution showld we take....

    Or if the permission is by design has any document or Kb article which says the permission should not be changed.

    Appreciate any help.



    Ahmed Gaziyani Enterprise Admin.
    Monday, December 5, 2011 5:11 PM


All replies

  • Hello,

    If you remove such permission then you will have issues in appliance of group policies and netlogon scripts on your users. Users should have at least read permission on the SYSVOL folder so that group policies and netlogon scripts will be applied.

    More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, December 5, 2011 6:31 PM
  • MR x,

    can you provide me the article which shows that modifying the Netlogon & Sysvol share permission can create issues. 


    Ahmed Gaziyani Enterprise Admin.
    Tuesday, December 6, 2011 2:35 PM
  • By default the SYSVOL share,allows read-only access to the Everyone user context. However, the NTFS
    permissions for the SYSVOL folder (C:\Windows\SYSVOL be default) restrict read-only access to the Authenticated Users context.
      So by default, only domain authenticated users will be granted readprivileges to the SYSVOL share.

    I would suggest leaving it with everyone and authenticated users for read
    permissions to the shares as recommended. Computer accounts are also in the
    everyone and authenticated users groups. You might be able to remove
    everyone, but I would suggest leaving it as it is..

    Tuesday, December 6, 2011 3:50 PM
  • Hi,

    Although GPOs can be linked to sites, domains, and OUs, they are stored only in the domain. As explained earlier, a GPO is a virtual object that stores its data in two locations: a Group Policy container and a Group Policy template.

    All Group Policy templates in a domain are stored in the \\domain_name\Sysvol\domain_name\Policies folder, where domain_name is the FQDN of the domain. The Group Policy template for the most part stores the actual data for the policy extensions, for example Security Settings inf file, Administrative Template-based policy settings .adm and .pol files, applications available for the Group Policy Software installation extension, and potentially scripts.

    For those Group Policy extensions that store data in only one data store (either Active Directory or Sysvol), this is not an issue, and Group Policy is applied as it can be read. Such extensions include Administrative Templates, Scripts, Folder Redirection, and most of the Security Settings.

    For details:

    How Core Group Policy Works

    In addition, I will share some Microsoft articles for you, maybe you will like it:

    Troubleshooting missing SYSVOL and NETLOGON shares on Windows domain controllers

    Check the Status of the SYSVOL and Netlogon Shares

    Hope this helps!

    Best Regards
    Elytis Cheng

    Please remember to click “Mark as Answer” on the post that

    Elytis Cheng

    TechNet Community Support

    • Marked as answer by Elytis Cheng Monday, December 12, 2011 7:46 AM
    • Unmarked as answer by Mahdi Tehrani Sunday, February 5, 2017 3:59 AM
    Wednesday, December 7, 2011 5:48 AM
  • The  following are the minimum permision required for sysvol.

    Folder permissions:
    System -> Full Control
    Authenticated users -> Read
    Administrators -> Full control

    Share permissions:
    Authenticated Users -> Full Control
    Administrators -> Full Control
    Everyone -> Read

    There is nothing wrong with using the "everyone" permission on the share, as long as you use something like authenticated users, or groups or users you specify on the NTFS rights. It's also recommended by M$, between NTFS and Share Permissions, the effective permissions are whichever is most restrictive. If the NTFS permission is Read and the Share Permission is Full Control, the effective permission is Read because it is the most restrictive. If the NTFS and Share Permissions were reversed, Read would still be the effective permission. http://www.microsoft.com/technet/technetmag/issues/2005/11/HowITWorksNTFS/

    Netlogon and Sysvol perms. http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319808

    Problems can occur with modifing the permissions, however they can also be rectified easily.
    Removing the Everyone group, should have no effect, as long as administratosr and authenticated users are still there.

    Hope this helps

    Sandesh Dubey.
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by Elytis Cheng Monday, December 12, 2011 7:46 AM
    Wednesday, December 7, 2011 7:10 AM
  • While the effective permissions are read-only access to the Authenticated Users group there is a problem for those of us that work for government agencies.  Any share that is open to the Everyone group will be flagged by scans for programs like Retina which is widly used by the DoD and many federal angencies.  The powers that be don't care about the effective permissions.  They have tunnel vision and will write up admins for having the Everyone Group in a share regardless of the NTFS permissions.

    Retina will flag this with a Cat I but Low Risk.  In the past this finding never caused any issue with my yearly scans so I never gave it a thought.  Of late they want all risks mitigated or documented why it is needed.  So far I cannot find one MS document stating that the Everyone Group requires read rights on the Sysvol or Netlogon share.  I plan on replacing the everyone group for the authenticated users group for one of my child domains and monitor the systems. I will reply again after a few weeks.

    Friday, March 16, 2012 6:01 PM
  • Did you find any repercussions with setting this to Authenticated Users?  Like you, I work for the government and I am also having to mitigate all risks.  This is one that the security group won't let go and wants to have eliminated, regardless of risk level.  

    Thanks for any info you have!

    Monday, April 16, 2012 2:39 PM
  • I thought logic prevailed after I explained that NTFS permission are also calculated into the equation.  Sadly I was wrong.  The government customer is requesting that all shares that have the Everyone group in them be removed.  I have to test replacing everyone-read with authenticated users-read.  I will post my results on my domains as well as the position of the government personnel when I have results.
    Tuesday, May 6, 2014 12:42 PM
  • Zach,

    Did you resolve this issue? We have the same requirement...

    Wednesday, May 11, 2016 5:17 PM
  • If I'm not misstaken if you will set permissions like that you can have interesting situation.

    Basically if one of the users in you domain has admin permissions and can use psexec he can launch is as a system.

    If he does it he will gain full control to your SYSVOL share without being administrator of domain.

    Tell me if I'm wrong.




    Thursday, June 16, 2016 1:01 PM
  • Maciej,

    Local System Permissions are only for the system you're on.  So gaining local system permission to a workstation does not give you Full control of your domain's SYSVOL Share.   

    Friday, February 3, 2017 8:38 PM
  • Same question for me. And I'll add one more:

    Is Sandesh actually correct above when he says that it's "required" that Authenticated Users have Full Control permissions on the SYSVOL share?  If so, I haven't been able to confirm that, and it makes little sense given the ACLs.  I understand that the ACL takes precedence, but still.

    More often, I've seen that it should have only Read, though that's far from recent.

    Sunday, June 25, 2017 10:54 PM