Re: Share Permissions on NETLOGON and SYSVOL

• Previous message: Research Services: "Re: Share Permissions on NETLOGON and SYSVOL"
• In reply to: Research Services: "Share Permissions on NETLOGON and SYSVOL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 30 Dec 2004 20:21:54 -0600

I would suggest leaving it with everyone and authenticated users for read
permissions to the shares as recommended. Computer accounts are also in the
everyone and authenticated users groups. You might be able to remove
everyone, but I would suggest leaving it as I don't see a risk doing such
and it may break something someday at a time when you long forgot about
removing the everyone group. I have read quite a few books/docs on Windows
security and sysvol "share" permissions were never listed as a concern. ---
Steve

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:uHAKS8O7EHA.2600@TK2MSFTNGP09.phx.gbl...
> Share Permissions on NETLOGON and SYSVOL
>
>
>
> We have been tightening down the security on our Windows 2003 and Windows
> 2000 Domain Controllers, we are a Child Domain within an Active Directory
> Forest.
>
>
>
> We are looking at the default share permissions on the NETLOGON and SYSVOL
> shares on the DCs and noticed that 'Everyone' has Read on both shares, and
> Authenticated Users has Full Control on SYSVOL.
>
> According to the Microsoft KB article below, Authenticated Users should
> only have Read access to SYSVOL.
>
> Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
> Share
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
>
>
>
> However, we are wondering if we can safely remove 'Everyone' from both
> shares, and remove 'Authenticated Users' from SYSVOL, and substitute
> 'Domain Users' with Read on both shares instead.
>
> If this "safe" as far as NOT breaking AD Replication, user logons, startup
> scripts, GPOs, etc.?
>
>
>
> Considering that we have set RestrictAnonymous to '2' (Anonymous users
> have no access without explicit anonymous permissions) AND
> everyoneincludesanonymous to '0' (The local Everyone group does not
> include anonymous users) on all of our Windows 2000 and Windows 2003
> Domain Controllers (within our own Child Domain).
>
>
>
> Thank you for any input or feedback.
>
>
>
>

• Previous message: Research Services: "Re: Share Permissions on NETLOGON and SYSVOL"
• In reply to: Research Services: "Share Permissions on NETLOGON and SYSVOL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Share Permissions on NETLOGON and SYSVOL ... to the SYSVOL share for replication or something else... ... >permissions to the shares as recommended. ... >everyone and authenticated users groups. ... >> Share Permissions on NETLOGON and SYSVOL ... (microsoft.public.windows.server.security) Share Permissions on NETLOGON and SYSVOL ... 2000 Domain Controllers, we are a Child Domain within an Active Directory ... shares on the DCs and noticed that 'Everyone' has Read on both shares, ... Authenticated Users has Full Control on SYSVOL. ... According to the Microsoft KB article below, Authenticated Users should only ... (microsoft.public.windows.server.security) Re: Share Permissions on NETLOGON and SYSVOL ... > to the SYSVOL share for replication or something else... ... >>permissions to the shares as recommended. ... >>everyone and authenticated users groups. ... >>> 2000 Domain Controllers, we are a Child Domain within an Active ... (microsoft.public.windows.server.security) RE: Event Id 1000 every 5 minutes ... Make absolutely certain that at least Authenticated Users have Read on both the NTFS and share level permissions throughout Sysvol. ... (microsoft.public.win2000.group_policy) Re: Share Permissions on NETLOGON and SYSVOL ... precisely Authenticated Users. ... >>> Share Permissions on NETLOGON and SYSVOL ... >>> shares, and Authenticated Users has Full Control on SYSVOL. ... (microsoft.public.windows.server.security)