Logon Script Placement for Domain

Should not the Primarylogonscript for the domain users be place in the Domain
Policy and not just at the root of the Domain in Active Directory Tree?
Also, doesn't the log on script go in the DC's Sysvol\domain\script folder -
why would it be in a Security Descriptor folder?

Our logon script is mapping the users to see the whole USERS$ and not jsut
their individual user folder many times more than normal. Could this be the