Re: Share Permissions on NETLOGON and SYSVOL
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/31/04
- Next message: Karl Levinson, mvp: "Re: NTFS Delete right is needed to save Office documents"
- Previous message: Roger Abell: "Re: FTP setup nightmare on windows 2003"
- In reply to: Research Services: "Re: Share Permissions on NETLOGON and SYSVOL"
- Next in thread: Steven L Umbach: "Re: Share Permissions on NETLOGON and SYSVOL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 31 Dec 2004 05:32:56 -0700
I have not tried that, and thinking quickly I can only see
where that would cause a problem if you have GPOs linked
across domains. There may be other problems . . .
Authenticated Users differs from Domain Users and
Domain Computers only in the absence of accounts of
other domains in the forest if anonymous access is not
enabled. In a single domain forest where anonymous
access is not allowed it seems these two together are
precisely Authenticated Users.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message news:%23XDLpQt7EHA.128@TK2MSFTNGP15.phx.gbl...
> So then would it be safe to Remove 'Authenticated Users' and replace it
> with both 'Domain Users' AND 'Domain Computers'?
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:uYkBROp7EHA.2788@TK2MSFTNGP15.phx.gbl...
> > Domain Users does not include machine accounts
> > while Authenticated Users does. Machines need
> > access (startup script, computer policies, replication, . . )
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCDBA, MCSE W2k3+W2k+Nt4
> > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
> > news:uHAKS8O7EHA.2600@TK2MSFTNGP09.phx.gbl...
> >> Share Permissions on NETLOGON and SYSVOL
> >>
> >> We have been tightening down the security on our Windows 2003 and Windows
> >> 2000 Domain Controllers; we are a Child Domain within an Active Directory
> >> Forest.
> >>
> >> We are looking at the default share permissions on the NETLOGON and
> >> SYSVOL shares on the DCs and noticed that 'Everyone' has Read on both
> >> shares, and Authenticated Users has Full Control on SYSVOL.
> >>
> >> According to the Microsoft KB article below, Authenticated Users should
> >> only have Read access to SYSVOL.
> >>
> >> Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
> >> Share
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
> >>
> >> However, we are wondering if we can safely remove 'Everyone' from both
> >> shares, and remove 'Authenticated Users' from SYSVOL, and substitute
> >> 'Domain Users' with Read on both shares instead.
> >>
> >> Is this "safe" as far as NOT breaking AD Replication, user logons,
> >> startup scripts, GPOs, etc.?
> >>
> >> Considering that we have set RestrictAnonymous to '2' (Anonymous users
> >> have no access without explicit anonymous permissions) AND
> >> everyoneincludesanonymous to '0' (The local Everyone group does not
> >> include anonymous users) on all of our Windows 2000 and Windows 2003
> >> Domain Controllers (within our own Child Domain).
> >>
> >> Thank you for any input or feedback.
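The following audit script is an added example and is not part of the thread or of any Microsoft guidance quoted in it. It checks the two points the exchange turns on: the KB 812538 condition (Authenticated Users holding Full Control on the SYSVOL share) and Roger Abell's caveat that swapping Authenticated Users for Domain Users alone leaves computer accounts without read access, which breaks startup scripts and computer-side Group Policy. It assumes Windows Server 2012 or later domain controllers reachable over WinRM/CIM, the ActiveDirectory and SmbShare modules on the workstation it runs from, and an account that can read share ACLs on every DC; the 2000/2003 DCs in the original post would need the WMI Win32_LogicalShareSecuritySetting class instead.

```powershell
# Added audit example (not from the thread). Assumes Windows Server 2012+ DCs
# reachable over CIM and the ActiveDirectory + SmbShare modules locally.
Import-Module ActiveDirectory
Import-Module SmbShare

$dcs    = (Get-ADDomainController -Filter *).HostName
$shares = 'SYSVOL', 'NETLOGON'

# Principals whose presence on a share ACL lets machine accounts in.
# Domain Users is deliberately absent: it does not contain computer accounts.
$domainNetbios  = (Get-ADDomain).NetBIOSName
$machineCapable = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    "$domainNetbios\Domain Computers"
)

foreach ($dc in $dcs) {
    $cim = New-CimSession -ComputerName $dc
    foreach ($share in $shares) {
        $aces     = Get-SmbShareAccess -Name $share -CimSession $cim
        $findings = @()

        # KB 812538: Authenticated Users should have Read, not Full, on SYSVOL.
        $tooMuch = $aces | Where-Object {
            $_.AccountName -eq 'NT AUTHORITY\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full'
        }
        if ($share -eq 'SYSVOL' -and $tooMuch) {
            $findings += 'Authenticated Users has Full Control on SYSVOL (KB 812538)'
        }

        # Roger Abell's point: if no ACE admits machine accounts, computers
        # cannot read startup scripts or computer-policy files from this DC.
        $machineRead = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $machineCapable -contains $_.AccountName
        }
        if (-not $machineRead) {
            $findings += 'no Allow ACE for Authenticated Users, Everyone or Domain Computers; machine accounts locked out'
        }

        [PSCustomObject]@{
            DC       = $dc
            Share    = $share
            ACEs     = ($aces | ForEach-Object {
                           "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)"
                       }) -join '; '
            Findings = if ($findings) { $findings -join ' | ' } else { 'OK' }
        }
    }
    Remove-CimSession $cim
}
```

Run it from an elevated domain-admin session; it prints one row per DC and share. A row whose Findings column reads OK has neither the over-broad SYSVOL ACE nor the Domain-Users-only trap. The share ACL is only half the picture: the effective permission is the more restrictive of share and NTFS, so a second pass with Get-Acl over \\DC\SYSVOL and \\DC\NETLOGON is needed before concluding that a replacement set of principals is safe, and the cross-domain GPO-link case Roger mentions is not covered by checking a single domain's groups.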