Want to modify sysvol and netlogon share permissions

  • HI all,

     

    As per a security concern we need to remove Everyone from the share permissions on the SYSVOL and NETLOGON shares. Can anyone provide me a suggestion for the same, or any documented article which says how to do it or what precautions we should take?

    Or, if the permission is by design, is there any document or KB article which says the permission should not be changed?

    Appreciate any help.

    Thanks........

     


    Ahmed Gaziyani Enterprise Admin.
    Monday, December 5, 2011 5:11 PM

Answers

All replies

  • Hello,

    If you remove such permission then you will have issues with the application of group policies and netlogon scripts on your users. Users should have at least read permission on the SYSVOL folder so that group policies and netlogon scripts will be applied.

    More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Monday, December 5, 2011 6:31 PM
  • MR x,

    Can you provide me the article which shows that modifying the NETLOGON and SYSVOL share permissions can create issues?

     


    Ahmed Gaziyani Enterprise Admin.
    Tuesday, December 6, 2011 2:35 PM
    By default the SYSVOL share allows read-only access to the Everyone user context. However, the NTFS permissions for the SYSVOL folder (C:\Windows\SYSVOL by default) restrict read-only access to the Authenticated Users context. So by default, only domain authenticated users will be granted read privileges to the SYSVOL share.

    I would suggest leaving it with Everyone and Authenticated Users for read permissions to the shares as recommended. Computer accounts are also in the Everyone and Authenticated Users groups. You might be able to remove Everyone, but I would suggest leaving it as it is.

    Tuesday, December 6, 2011 3:50 PM
  • Hi,

    Although GPOs can be linked to sites, domains, and OUs, they are stored only in the domain. As explained earlier, a GPO is a virtual object that stores its data in two locations: a Group Policy container and a Group Policy template.

    All Group Policy templates in a domain are stored in the \\domain_name\Sysvol\domain_name\Policies folder, where domain_name is the FQDN of the domain. The Group Policy template for the most part stores the actual data for the policy extensions, for example Security Settings inf file, Administrative Template-based policy settings .adm and .pol files, applications available for the Group Policy Software installation extension, and potentially scripts.

    For those Group Policy extensions that store data in only one data store (either Active Directory or Sysvol), this is not an issue, and Group Policy is applied as it can be read. Such extensions include Administrative Templates, Scripts, Folder Redirection, and most of the Security Settings.

    For details:

    How Core Group Policy Works
    http://technet.microsoft.com/en-us/library/cc784268(v=WS.10).aspx

    In addition, I will share some Microsoft articles for you, maybe you will like it:

    Troubleshooting missing SYSVOL and NETLOGON shares on Windows domain controllers
    http://support.microsoft.com/kb/257338

    Check the Status of the SYSVOL and Netlogon Shares
    http://technet.microsoft.com/en-us/library/cc816833(v=WS.10).aspx

    Hope this helps!

    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    • Marked as answer by Elytis Cheng Monday, December 12, 2011 7:46 AM
    • Unmarked as answer by Mahdi Tehrani Sunday, February 5, 2017 3:59 AM
    Wednesday, December 7, 2011 5:48 AM
  • The following are the minimum permissions required for SYSVOL.

    Folder permissions:
    System -> Full Control
    Authenticated users -> Read
    Administrators -> Full control

    Share permissions:
    Authenticated Users -> Full Control
    Administrators -> Full Control
    Everyone -> Read

    There is nothing wrong with using the "everyone" permission on the share, as long as you use something like authenticated users, or groups or users you specify on the NTFS rights. It's also recommended by M$, between NTFS and Share Permissions, the effective permissions are whichever is most restrictive. If the NTFS permission is Read and the Share Permission is Full Control, the effective permission is Read because it is the most restrictive. If the NTFS and Share Permissions were reversed, Read would still be the effective permission. http://www.microsoft.com/technet/technetmag/issues/2005/11/HowITWorksNTFS/
    http://support.microsoft.com/kb/304040

    Netlogon and Sysvol perms. http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319808
    http://support.microsoft.com/kb/828760/

    Problems can occur with modifying the permissions; however, they can also be rectified easily.
    Removing the Everyone group should have no effect, as long as Administrators and Authenticated Users are still there.
    http://technet2.microsoft.com/WindowsServer/en/library/30915c77-d4ac-4525-abf7-e1fe6eb217931033.mspx?mfr=true

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by Elytis Cheng Monday, December 12, 2011 7:46 AM
    Wednesday, December 7, 2011 7:10 AM
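The two replies above (the default layout of Everyone:Read on the share versus Authenticated Users on NTFS, and Sandesh's point that the effective right is the more restrictive of the two layers) can be checked rather than argued about. The following is an added example, not code posted by anyone in this thread. It assumes Windows Server 2012 or later (the SmbShare module), an elevated prompt on the domain controller being audited, and that the function name `Get-SysvolShareAudit` is a made-up one. It reads the share ACL and the NTFS ACL of SYSVOL and NETLOGON on the local DC and reports, per share, whether Everyone is present at each layer (the share-layer entry is what a scanner such as Retina flags; an Everyone entry at the NTFS layer would be the actual exposure) and whether Authenticated Users still has read at both layers, which is the condition under which Group Policy and logon-script processing keeps working.

```powershell
# Added example, not code from this thread. Assumes Windows Server 2012 or later
# (SmbShare module) and an elevated prompt on the domain controller being audited.
#Requires -Modules SmbShare

$AuthUsers = 'NT AUTHORITY\Authenticated Users'

function Get-SysvolShareAudit {
    [CmdletBinding()]
    param([string[]]$ShareName = @('SYSVOL', 'NETLOGON'))

    foreach ($name in $ShareName) {
        $share    = Get-SmbShare -Name $name -ErrorAction Stop
        $shareAcl = Get-SmbShareAccess -Name $name
        $ntfsAcl  = Get-Acl -LiteralPath $share.Path

        # Share layer: an Everyone entry here is what vulnerability scanners flag
        $everyoneShare = $shareAcl | Where-Object {
            $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }

        # NTFS layer: Everyone here would be a real exposure, because a client ends up
        # with the more restrictive of the share right and the NTFS right
        $everyoneNtfs = $ntfsAcl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }

        # Authenticated Users must keep read at BOTH layers, or GPO and logon-script
        # processing on domain members breaks
        $authShare = $shareAcl | Where-Object {
            $_.AccountName -eq $AuthUsers -and $_.AccessControlType -eq 'Allow' }
        $readExec  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        $authNtfs  = $ntfsAcl.Access | Where-Object {
            $_.IdentityReference.Value -eq $AuthUsers -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readExec) -eq $readExec) }

        [pscustomobject]@{
            Share               = $name
            Path                = $share.Path
            EveryoneShareRight  = ($everyoneShare.AccessRight | ForEach-Object { "$_" }) -join ','
            EveryoneOnNtfs      = [bool]$everyoneNtfs
            AuthUsersShareRight = ($authShare.AccessRight | ForEach-Object { "$_" }) -join ','
            AuthUsersNtfsRead   = [bool]$authNtfs
            ScannerFinding      = [bool]$everyoneShare      # "Everyone on a share" finding
            GpoReadStillWorks   = ([bool]$authShare -and [bool]$authNtfs)
        }
    }
}

Get-SysvolShareAudit | Format-Table -AutoSize
```

Share ACLs are stored in each server's LanmanServer configuration and are not replicated, so run this on every domain controller, not just one; the NTFS ACL under SYSVOL does replicate with the content. A row with ScannerFinding true and EveryoneOnNtfs false is exactly the situation the government posters below describe: a finding on paper with no additional effective access.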
  • While the effective permissions are read-only access to the Authenticated Users group, there is a problem for those of us that work for government agencies.  Any share that is open to the Everyone group will be flagged by scans from programs like Retina, which is widely used by the DoD and many federal agencies.  The powers that be don't care about the effective permissions.  They have tunnel vision and will write up admins for having the Everyone group in a share regardless of the NTFS permissions.

    Retina will flag this with a Cat I but Low Risk.  In the past this finding never caused any issue with my yearly scans so I never gave it a thought.  Of late they want all risks mitigated or documented why it is needed.  So far I cannot find one MS document stating that the Everyone Group requires read rights on the Sysvol or Netlogon share.  I plan on replacing the everyone group for the authenticated users group for one of my child domains and monitor the systems. I will reply again after a few weeks.

    Friday, March 16, 2012 6:01 PM
  • Did you find any repercussions with setting this to Authenticated Users?  Like you, I work for the government and I am also having to mitigate all risks.  This is one that the security group won't let go and wants to have eliminated, regardless of risk level.  

    Thanks for any info you have!

    Monday, April 16, 2012 2:39 PM
  • I thought logic prevailed after I explained that NTFS permissions are also calculated into the equation.  Sadly I was wrong.  The government customer is requesting that all shares that have the Everyone group in them be removed.  I have to test replacing Everyone-Read with Authenticated Users-Read.  I will post my results on my domains as well as the position of the government personnel when I have results.
    Tuesday, May 6, 2014 12:42 PM
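For anyone who has to carry out the swap the posters above describe (Everyone:Read replaced by Authenticated Users:Read on the SYSVOL and NETLOGON shares), here is an added example of doing it in a way that can be undone. It is not code from this thread or from Microsoft. It assumes Windows Server 2012 or later (SmbShare module), an elevated prompt on the DC being changed, that you have already confirmed the NTFS ACL grants Authenticated Users read (otherwise removing Everyone changes nothing about what clients can do, but a missing NTFS read would break policy processing regardless), and that the function names and the backup folder under ProgramData are made up for the example. The ordering matters: grant Authenticated Users first, then revoke Everyone, so there is no window in which no reader entry exists on the share.

```powershell
# Added example, not code from this thread. Assumes Windows Server 2012 or later
# (SmbShare module) and an elevated prompt on the domain controller being changed.
#Requires -Modules SmbShare
#Requires -RunAsAdministrator

function Set-SysvolShareReaders {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ShareName = @('SYSVOL', 'NETLOGON'),
        [string]$BackupDir   = "$env:ProgramData\ShareAclBackup"   # hypothetical location
    )

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($name in $ShareName) {
        # 1. Save the current share ACL so Restore-SysvolShareReaders can put it back
        $before = Get-SmbShareAccess -Name $name
        $before | Export-Clixml -Path (Join-Path $BackupDir "$env:COMPUTERNAME-$name-$stamp.xml")

        # 2. Grant Authenticated Users read BEFORE Everyone goes away, so there is never a
        #    moment with no reader entry on the share (GPO processing would fail in that gap)
        if ($PSCmdlet.ShouldProcess("\\$env:COMPUTERNAME\$name", 'Grant Authenticated Users Read')) {
            Grant-SmbShareAccess -Name $name -AccountName 'NT AUTHORITY\Authenticated Users' `
                -AccessRight Read -Force | Out-Null
        }

        # 3. Remove the Everyone entry the scanner complains about
        if ($before | Where-Object { $_.AccountName -eq 'Everyone' }) {
            if ($PSCmdlet.ShouldProcess("\\$env:COMPUTERNAME\$name", 'Revoke Everyone')) {
                Revoke-SmbShareAccess -Name $name -AccountName 'Everyone' -Force | Out-Null
            }
        }

        # 4. Show the resulting share ACL for the change record
        Get-SmbShareAccess -Name $name
    }
}

function Restore-SysvolShareReaders {
    param([Parameter(Mandatory)][string]$BackupFile)
    $saved = Import-Clixml -Path $BackupFile
    $name  = $saved[0].Name
    # Re-apply every saved Allow entry; Deny entries are not expected on these shares
    foreach ($ace in ($saved | Where-Object { $_.AccessControlType -eq 'Allow' })) {
        Grant-SmbShareAccess -Name $name -AccountName $ace.AccountName `
            -AccessRight $ace.AccessRight -Force | Out-Null
    }
}

Set-SysvolShareReaders -WhatIf    # dry run first; drop -WhatIf to apply
```

Because share permissions are per server, repeat this on every domain controller and keep each DC's backup file. After the change, the real test is from a domain-joined client as an ordinary user: `gpupdate /force` followed by `gpresult /r` should still show the domain policies applied, and `Get-ChildItem \\domain_name\SYSVOL\domain_name\Policies` should still list the policy folders. Computer accounts are members of Authenticated Users, so computer-side policy continues to work too.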
  • Zach,

    Did you resolve this issue? We have the same requirement...

    Wednesday, May 11, 2016 5:17 PM
  • If I'm not mistaken, if you set permissions like that you can have an interesting situation.

    Basically, if one of the users in your domain has admin permissions and can use psexec, he can launch it as SYSTEM.

    If he does that he will gain full control of your SYSVOL share without being an administrator of the domain.

    Tell me if I'm wrong.

    Regards,

    Maciej

    

    Thursday, June 16, 2016 1:01 PM
  • Maciej,

    Local System Permissions are only for the system you're on.  So gaining local system permission to a workstation does not give you Full control of your domain's SYSVOL Share.   

    Friday, February 3, 2017 8:38 PM
  • Same question for me. And I'll add one more:

    Is Sandesh actually correct above when he says that it's "required" that Authenticated Users have Full Control permissions on the SYSVOL share?  If so, I haven't been able to confirm that, and it makes little sense given the ACLs.  I understand that the ACL takes precedence, but still.

    More often, I've seen that it should have only Read, though that's far from recent.

    Sunday, June 25, 2017 10:54 PM