Re: Share Permissions on NETLOGON and SYSVOL

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 01/03/05

    Date: Mon, 3 Jan 2005 08:22:28 -0700

    We may try this in our test environment.

    We are hoping that we can get away with removing 'Everyone' and replacing
    'Authenticated Users' with both 'Domain Users' and 'Domain Computers' - but
    then we were wondering if other DCs in the forest will need to have access
    to the SYSVOL share for replication or something else...

    Thank you all for your feedback.

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:OeJ599t7EHA.1404@TK2MSFTNGP11.phx.gbl...
    >I would suggest leaving it with everyone and authenticated users for read
    >permissions to the shares as recommended. Computer accounts are also in the
    >everyone and authenticated users groups. You might be able to remove
    >everyone, but I would suggest leaving it as I don't see a risk doing such
    >and it may break something someday at a time when you long forgot about
    >removing the everyone group. I have read quite a few books/docs on Windows
    >security and sysvol "share" permissions were never listed as a concern. ---
    >Steve
    >
    > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
    > news:uHAKS8O7EHA.2600@TK2MSFTNGP09.phx.gbl...
    >> Share Permissions on NETLOGON and SYSVOL
    >>
    >> We have been tightening down the security on our Windows 2003 and Windows
    >> 2000 Domain Controllers, we are a Child Domain within an Active Directory
    >> Forest.
    >>
    >> We are looking at the default share permissions on the NETLOGON and
    >> SYSVOL shares on the DCs and noticed that 'Everyone' has Read on both
    >> shares, and Authenticated Users has Full Control on SYSVOL.
    >>
    >> According to the Microsoft KB article below, Authenticated Users should
    >> only have Read access to SYSVOL.
    >>
    >> Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
    >> Share
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
    >>
    >> However, we are wondering if we can safely remove 'Everyone' from both
    >> shares, and remove 'Authenticated Users' from SYSVOL, and substitute
    >> 'Domain Users' with Read on both shares instead.
    >>
    >> Is this "safe" as far as NOT breaking AD Replication, user logons,
    >> startup scripts, GPOs, etc.?
    >>
    >> Considering that we have set RestrictAnonymous to '2' (Anonymous users
    >> have no access without explicit anonymous permissions) AND
    >> everyoneincludesanonymous to '0' (The local Everyone group does not
    >> include anonymous users) on all of our Windows 2000 and Windows 2003
    >> Domain Controllers (within our own Child Domain).
    >>
    >> Thank you for any input or feedback.
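
The check the thread is debating, as an added example that is not part of the original posts: a PowerShell audit of the SYSVOL and NETLOGON share ACLs (and the NTFS ACL behind them) against the baseline cited above, namely Authenticated Users with Read rather than Full Control, and at least Authenticated Users or Everyone still able to read so GPO and logon-script access keeps working. It assumes a Windows Server 2012 or later domain controller (the SmbShare module's Get-SmbShareAccess and Get-SmbShare cmdlets) and an elevated prompt on that DC.

```powershell
# Audit share-level and NTFS permissions on SYSVOL and NETLOGON on this DC.
# Baseline from the thread: Authenticated Users should have Read (not Full) on
# SYSVOL; Everyone is expected with Read; someone must still be able to read.
$shares   = @('SYSVOL', 'NETLOGON')
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$findings = foreach ($share in $shares) {
    $aces = Get-SmbShareAccess -Name $share -ErrorAction Stop   # one object per share ACE
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $acct  = $ace.AccountName    # e.g. 'Everyone', 'NT AUTHORITY\Authenticated Users'
        $right = $ace.AccessRight    # Full, Change or Read
        # The KB 812538 misconfiguration: Authenticated Users with more than Read
        if ($acct -like '*Authenticated Users' -and $right -ne 'Read') {
            [pscustomobject]@{ Share = $share; Account = $acct; Right = $right
                               Issue = 'Authenticated Users should have Read only (KB 812538)' }
        }
        # Everyone with Read is the documented default; anything wider is worth a look
        if ($acct -eq 'Everyone' -and $right -ne 'Read') {
            [pscustomobject]@{ Share = $share; Account = $acct; Right = $right
                               Issue = 'Everyone has more than Read' }
        }
    }
    # Dropping both Everyone and Authenticated Users removes read access for users
    # and computer accounts (computers are members of both), breaking GPO processing
    # and startup/logon scripts. Flag a share where neither principal remains.
    $shareRead = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.AccountName -like '*Authenticated Users' -or $_.AccountName -eq 'Everyone') }
    if (-not $shareRead) {
        [pscustomobject]@{ Share = $share; Account = '(none)'; Right = '(none)'
                           Issue = 'Neither Authenticated Users nor Everyone can read the share' }
    }
    # NTFS side: share permissions are an AND with the folder ACL, so check it too.
    $path     = (Get-SmbShare -Name $share).Path
    $ntfsRead = (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference -like '*Authenticated Users' -or $_.IdentityReference -like '*Everyone') -and
        (($_.FileSystemRights -band $readMask) -eq $readMask) }
    if (-not $ntfsRead) {
        [pscustomobject]@{ Share = $share; Account = '(none)'; Right = '(none)'
                           Issue = "No NTFS ReadAndExecute for Authenticated Users/Everyone on $path" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "$env:COMPUTERNAME: SYSVOL/NETLOGON share and NTFS permissions match the baseline." }
```

Run it on each DC in the child domain before and after any change, since share ACLs are per-server and are not replicated with SYSVOL content.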
