Re: Share Permissions on NETLOGON and SYSVOL

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 12/31/04


Date: Thu, 30 Dec 2004 18:02:00 -0700

So then would it be safe to remove 'Authenticated Users' and replace it
with both 'Domain Users' AND 'Domain Computers'?

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:uYkBROp7EHA.2788@TK2MSFTNGP15.phx.gbl...
> Domain Users does not include machine accounts
> while Authenticated Users does. Machines need
> access (startup script, computer policies, replication, . . )
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
> news:uHAKS8O7EHA.2600@TK2MSFTNGP09.phx.gbl...
>> Share Permissions on NETLOGON and SYSVOL
>>
>> We have been tightening down the security on our Windows 2003 and Windows
>> 2000 Domain Controllers; we are a Child Domain within an Active Directory
>> Forest.
>>
>> We are looking at the default share permissions on the NETLOGON and
>> SYSVOL shares on the DCs and noticed that 'Everyone' has Read on both
>> shares, and Authenticated Users has Full Control on SYSVOL.
>>
>> According to the Microsoft KB article below, Authenticated Users should
>> only have Read access to SYSVOL.
>>
>> Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
>> Share
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
>>
>> However, we are wondering if we can safely remove 'Everyone' from both
>> shares, and remove 'Authenticated Users' from SYSVOL, and substitute
>> 'Domain Users' with Read on both shares instead.
>>
>> Is this "safe" as far as NOT breaking AD Replication, user logons,
>> startup scripts, GPOs, etc.?
>>
>> Considering that we have set RestrictAnonymous to '2' (Anonymous users
>> have no access without explicit anonymous permissions) AND
>> everyoneincludesanonymous to '0' (The local Everyone group does not
>> include anonymous users) on all of our Windows 2000 and Windows 2003
>> Domain Controllers (within our own Child Domain).
>>
>> Thank you for any input or feedback.
>>
>

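An audit script, added here and not part of any post in this thread, that checks what the posters are discussing on a domain controller: the NETLOGON and SYSVOL share ACLs against the KB 812538 guidance (Authenticated Users should have Read, not Full Control), Roger Abell's point that some principal covering machine accounts must keep access (Domain Users alone does not), and the two LSA registry values the original poster set. It assumes the Get-SmbShareAccess cmdlet (Windows Server 2012 / PowerShell 3.0 and later); the Windows 2000/2003 DCs discussed in the thread predate it.

```powershell
# Audit helper added to this thread (not from any of the posts). Checks NETLOGON and
# SYSVOL share permissions on the local DC against KB 812538 (Authenticated Users:
# Read only) and against the point that computer accounts need access, then reads the
# RestrictAnonymous / EveryoneIncludesAnonymous values mentioned in the original post.
# Assumes Get-SmbShareAccess (Windows Server 2012 / PowerShell 3.0 or later).

# Principals whose membership includes domain computer accounts. 'Domain Users' is
# deliberately absent: it does not contain machine accounts.
$MachineCoveringPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'Domain Computers'   # also matched as DOMAIN\Domain Computers below
)

function Test-AllowsMachineAccounts {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        if ($e.AccessControlType -ne 'Allow') { continue }
        foreach ($p in $MachineCoveringPrincipals) {
            if ($e.AccountName -eq $p -or $e.AccountName -like "*\$p") { return $true }
        }
    }
    return $false
}

function Get-ShareAuditFindings {
    param([string]$ShareName)
    $findings = @()
    $entries  = @(Get-SmbShareAccess -Name $ShareName -ErrorAction Stop)

    foreach ($e in $entries) {
        # KB 812538: Authenticated Users should have Read, not Full Control, on SYSVOL.
        if ($e.AccountName -like '*Authenticated Users' -and
            $e.AccessControlType -eq 'Allow' -and
            $e.AccessRight -ne 'Read') {
            $findings += "$ShareName : Authenticated Users has $($e.AccessRight); KB 812538 recommends Read"
        }
    }

    # Machines read startup scripts and computer policies here and replication
    # depends on the share, so some machine-covering principal must remain.
    if (-not (Test-AllowsMachineAccounts -Entries $entries)) {
        $findings += "$ShareName : no Allow entry covers computer accounts (Domain Users alone is not enough)"
    }
    return $findings
}

function Get-LsaAnonymousSettings {
    # The original poster set RestrictAnonymous=2 and EveryoneIncludesAnonymous=0.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
    }
}

# --- run on the DC ---
foreach ($share in 'NETLOGON', 'SYSVOL') {
    Get-SmbShareAccess -Name $share |
        Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
    Get-ShareAuditFindings -ShareName $share | ForEach-Object { Write-Warning $_ }
}
Get-LsaAnonymousSettings | Format-List
```

Run it in an elevated PowerShell session on each domain controller; a clean run prints the two share ACLs and the registry values with no warnings. The second check only looks at share-level permissions, so an NTFS ACL on the SYSVOL folder that excludes computer accounts would still need a separate review.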

