Re: Share Permissions on NETLOGON and SYSVOL
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/04/05
- Next message: Clayton Sutton: "Can a member server be a Global Catalog server?"
- Previous message: Death n Rebirth: "Disabling 2003 Server SMB Signing lost ACL effectiveness"
- In reply to: Research Services: "Re: Share Permissions on NETLOGON and SYSVOL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Jan 2005 18:54:01 -0700
Enterprise Domain Controllers group contains accounts of
all DCs in the forest.
Let us know how you come out, OK?
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message news:ege2cfa8EHA.4028@TK2MSFTNGP15.phx.gbl...
> We may try this in our test environment.
>
> We are hoping that we can get away with Removing 'Everyone' and Replacing
> 'Authenticated Users' with both 'Domain Users' and 'Domain Computers' - but
> then we were wondering if other DCs in the forest will need to have access
> to the SYSVOL share for replication or something else...
>
> Thank you all for your feedback.
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:OeJ599t7EHA.1404@TK2MSFTNGP11.phx.gbl...
> > I would suggest leaving it with everyone and authenticated users for read
> > permissions to the shares as recommended. Computer accounts are also in the
> > everyone and authenticated users groups. You might be able to remove
> > everyone, but I would suggest leaving it as I don't see a risk doing such
> > and it may break something someday at a time when you long forgot about
> > removing the everyone group. I have read quite a few books/docs on Windows
> > security and sysvol "share" permissions were never listed as a concern.
> > ---
> > Steve
> >
> > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
> > news:uHAKS8O7EHA.2600@TK2MSFTNGP09.phx.gbl...
> > > Share Permissions on NETLOGON and SYSVOL
> > >
> > > We have been tightening down the security on our Windows 2003 and Windows
> > > 2000 Domain Controllers; we are a Child Domain within an Active Directory
> > > Forest.
> > >
> > > We are looking at the default share permissions on the NETLOGON and
> > > SYSVOL shares on the DCs and noticed that 'Everyone' has Read on both
> > > shares, and Authenticated Users has Full Control on SYSVOL.
> > >
> > > According to the Microsoft KB article below, Authenticated Users should
> > > only have Read access to SYSVOL.
> > >
> > > Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
> > > Share
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
> > >
> > > However, we are wondering if we can safely remove 'Everyone' from both
> > > shares, and remove 'Authenticated Users' from SYSVOL, and substitute
> > > 'Domain Users' with Read on both shares instead.
> > >
> > > Is this "safe" as far as NOT breaking AD Replication, user logons,
> > > startup scripts, GPOs, etc.?
> > >
> > > Considering that we have set RestrictAnonymous to '2' (Anonymous users
> > > have no access without explicit anonymous permissions) AND
> > > everyoneincludesanonymous to '0' (The local Everyone group does not
> > > include anonymous users) on all of our Windows 2000 and Windows 2003
> > > Domain Controllers (within our own Child Domain).
> > >
> > > Thank you for any input or feedback.
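As an added example (not code from this thread or from any of its posters), the following PowerShell script audits exactly what the thread is debating before anyone changes anything: the share-level ACEs on NETLOGON and SYSVOL on each DC, the Authenticated Users Full Control condition that KB 812538 describes, whether any broad read-capable principal (Everyone or Authenticated Users) would remain for computer and DC accounts, and the RestrictAnonymous and EveryoneIncludesAnonymous values under the Lsa registry key. It assumes a Windows Server 2012 or later DC (SmbShare module), PowerShell remoting for remote hosts, and the ActiveDirectory RSAT module for the -AllDCs switch; the parameter names, the $audit script block and the finding strings are my own.

```powershell
# Added example (not from the thread): audit NETLOGON/SYSVOL share ACLs and the
# two LSA anonymous-access values on one or more domain controllers.
# Assumptions: Windows Server 2012+ (Get-SmbShareAccess), WinRM enabled for
# remote targets, ActiveDirectory RSAT module when -AllDCs is used.
param(
    [string[]] $ComputerName = @($env:COMPUTERNAME),
    [switch]   $AllDCs
)

if ($AllDCs) {
    # Enumerate every DC of the current domain (requires RSAT AD module).
    $ComputerName = (Get-ADDomainController -Filter *).HostName
}

# Runs locally on each DC; returns one object per host.
$audit = {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $result = [ordered]@{
        Computer                  = $env:COMPUTERNAME
        RestrictAnonymous         = $lsa.RestrictAnonymous
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
        Findings                  = @()
    }

    # EveryoneIncludesAnonymous=1 means anonymous sessions inherit Everyone's
    # share permissions, which is what the poster's value of 0 avoids.
    if ($lsa.EveryoneIncludesAnonymous -eq 1) {
        $result.Findings += 'LSA: EveryoneIncludesAnonymous=1 (anonymous is inside Everyone)'
    }

    foreach ($share in 'NETLOGON', 'SYSVOL') {
        $aces = Get-SmbShareAccess -Name $share -ErrorAction Stop
        $broadRead = $false

        foreach ($ace in $aces) {
            $result.Findings += '{0}: {1} {2} {3}' -f $share, $ace.AccountName,
                                                      $ace.AccessControlType, $ace.AccessRight

            if ($ace.AccessControlType -ne 'Allow') { continue }

            $isAuthUsers = $ace.AccountName -like '*Authenticated Users'
            $isEveryone  = $ace.AccountName -eq 'Everyone'

            # KB 812538 condition from the thread: Authenticated Users should
            # have Read, not Full Control, on SYSVOL.
            if ($share -eq 'SYSVOL' -and $isAuthUsers -and $ace.AccessRight -eq 'Full') {
                $result.Findings += 'SYSVOL: Authenticated Users has Full Control; KB 812538 recommends Read'
            }

            if ($isAuthUsers -or $isEveryone) { $broadRead = $true }
        }

        # Computer accounts and DCs authenticate as members of Authenticated
        # Users (and Everyone); if both are gone, only an explicit group such
        # as Domain Computers / Enterprise Domain Controllers keeps them working.
        if (-not $broadRead) {
            $result.Findings += "$share: neither Everyone nor Authenticated Users is granted; verify computer/DC access"
        }
    }

    [pscustomobject]$result
}

# Run locally where possible, otherwise over PowerShell remoting.
$report = foreach ($dc in $ComputerName) {
    if ($dc -eq $env:COMPUTERNAME) { & $audit }
    else { Invoke-Command -ComputerName $dc -ScriptBlock $audit }
}

foreach ($r in $report) {
    "== $($r.Computer)  RestrictAnonymous=$($r.RestrictAnonymous)  EveryoneIncludesAnonymous=$($r.EveryoneIncludesAnonymous)"
    $r.Findings | ForEach-Object { "   $_" }
}
```

Run it once before and once after any change in the test environment the poster mentions; the "neither Everyone nor Authenticated Users" line is the check for Steven's concern that computer accounts lose access, and the KB 812538 line is the only finding that calls for a permission change on an otherwise default DC.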