Sysvol and Netlogon Security Permissions

Dear All,

I need some information on the ACL of Sysvol and Netlogon folders. We have
everyone having read in the share permission of both SYSVOL and NETLOGON. In
Share permission of Sysvol we have authenticated users having full access.
Kindly let me know if we can replace Everyone with Authenticated users and
what may be the impact of modifying the ACl of these two folders.

Thanks and Regards,
Sukhwinder Singh

Hello Sukhwinder,

Do not play around in the default settings of sysvol and netlogon shares
or the other folders. What you see is correct.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Dear All,
>
> I need some information on the ACL of Sysvol and Netlogon folders. We
> have everyone having read in the share permission of both SYSVOL and
> NETLOGON. In Share permission of Sysvol we have authenticated users
> having full access. Kindly let me know if we can replace Everyone with
> Authenticated users and what may be the impact of modifying the ACl of
> these two folders.
>
> Thanks and Regards,
> Sukhwinder Singh

Sukhwinder,

You need to consider the effective permissions of the SYSVOL directory /
share. When combining Share + NTFS permissions, remember that the most
restrictive permissions will apply. For example, by default the SYSVOL share
allows read-only access to the Everyone user context. However, the NTFS
permissions for the SYSVOL folder (C:\Windows\SYSVOL be default) restrict
read-only access to the Authenticated Users context.

So by default, only domain authenticated users will be granted read
privileges to the SYSVOL share. In theory, you could match the share
permissions to the NTFS permissions and not effect the functionality of the
SYSVOL share; however this is not recommended and wouldn't really net you any
benefits.

I hope that answers your question a little better.

--
Eric Westfall

"Sukhwinder Singh" wrote:

> Dear All,
>
> I need some information on the ACL of Sysvol and Netlogon folders. We have
> everyone having read in the share permission of both SYSVOL and NETLOGON. In
> Share permission of Sysvol we have authenticated users having full access.
> Kindly let me know if we can replace Everyone with Authenticated users and
> what may be the impact of modifying the ACl of these two folders.
>
> Thanks and Regards,
> Sukhwinder Singh
>
>