Sysvol and Netlogon Security Permissions

Dear All,

I need some information on the ACL of Sysvol and Netlogon folders. We have 
everyone having read in the share permission of both SYSVOL and NETLOGON. In 
Share permission of Sysvol we have authenticated users having full access. 
Kindly let me know if we can replace Everyone with Authenticated users and 
what may be the impact of modifying the ACL of these two folders.

Thanks and Regards,
Sukhwinder Singh


1
Utf
12/9/2009 11:07:01 AM
windows.server.active_director

Hello Sukhwinder,

Do not play around in the default settings of sysvol and netlogon shares 
or the other folders. What you see is correct.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers 
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm 


> Dear All,
> 
> I need some information on the ACL of Sysvol and Netlogon folders. We
> have everyone having read in the share permission of both SYSVOL and
> NETLOGON. In Share permission of Sysvol we have authenticated users
> having full access. Kindly let me know if we can replace Everyone with
> Authenticated users and what may be the impact of modifying the ACL of
> these two folders.
> 
> Thanks and Regards,
> Sukhwinder Singh


0
Meinolf
12/9/2009 11:21:08 AM
Sukhwinder,

You need to consider the effective permissions of the SYSVOL directory / 
share.  When combining Share + NTFS permissions, remember that the most 
restrictive permissions will apply.  For example, by default the SYSVOL share 
allows read-only access to the Everyone user context.  However, the NTFS 
permissions for the SYSVOL folder (C:\Windows\SYSVOL by default) restrict 
read-only access to the Authenticated Users context.  

So by default, only domain authenticated users will be granted read 
privileges to the SYSVOL share.  In theory, you could match the share 
permissions to the NTFS permissions and not affect the functionality of the 
SYSVOL share; however this is not recommended and wouldn't really net you any 
benefits.

I hope that answers your question a little better.

--
Eric Westfall

"Sukhwinder Singh" wrote:

> Dear All,
> 
> I need some information on the ACL of Sysvol and Netlogon folders. We have 
> everyone having read in the share permission of both SYSVOL and NETLOGON. In 
> Share permission of Sysvol we have authenticated users having full access. 
> Kindly let me know if we can replace Everyone with Authenticated users and 
> what may be the impact of modifying the ACL of these two folders.
> 
> Thanks and Regards,
> Sukhwinder Singh
> 
> 
0
Utf
12/14/2009 8:17:01 PM
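
The share-plus-NTFS combination described in the reply above, as an added example that is not part of the original thread: it reads both permission layers for SYSVOL and NETLOGON and intersects them for two modelled tokens. The helper names `Get-Sid` and `Get-Mask`, the two token definitions and the order-independent handling of deny ACEs are assumptions of this example.

```powershell
# Added example, not from the thread. Run elevated on a domain controller;
# Get-SmbShare / Get-SmbShareAccess need Windows Server 2012 or later.
$fsr = [System.Security.AccessControl.FileSystemRights]
$shareMask = @{   # share-level right -> equivalent access mask ('Custom' maps to 0)
    Read   = [int]('ReadAndExecute, Synchronize' -as $fsr)
    Change = [int]('Modify, Synchronize' -as $fsr)
    Full   = [int]('FullControl' -as $fsr)
}
# Modelled tokens (assumption): well-known SIDs only, no other group memberships
$tokens = [ordered]@{
    'Authenticated user' = 'S-1-1-0', 'S-1-5-11'   # Everyone + Authenticated Users
    'Everyone only'      = @('S-1-1-0')
}

function Get-Sid($Identity) {
    # Resolve an account name to a SID string; unresolved names are returned as-is
    try {
        (New-Object System.Security.Principal.NTAccount("$Identity")).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { "$Identity" }
}

function Get-Mask($Aces, $TokenSids) {
    # OR together the allow bits and deny bits that match the token; deny bits win
    # regardless of ACE order (a simplification of the real evaluation)
    $allow = 0; $deny = 0
    foreach ($a in $Aces) {
        if ($TokenSids -notcontains $a.Sid) { continue }
        if ($a.Type -eq 'Deny') { $deny = $deny -bor $a.Mask }
        else { $allow = $allow -bor $a.Mask }
    }
    $allow -band (-bnot $deny)
}

foreach ($name in 'SYSVOL', 'NETLOGON') {
    $path = (Get-SmbShare -Name $name -ErrorAction Stop).Path
    $shareAces = Get-SmbShareAccess -Name $name | ForEach-Object {
        [pscustomobject]@{ Sid = (Get-Sid $_.AccountName); Type = "$($_.AccessControlType)"
                           Mask = [int]$shareMask["$($_.AccessRight)"] }
    }
    # Inherit-only ACEs do not apply to the share root itself, so skip them
    $ntfsAces = (Get-Acl -LiteralPath $path).Access |
        Where-Object { "$($_.PropagationFlags)" -notmatch 'InheritOnly' } | ForEach-Object {
            [pscustomobject]@{ Sid = (Get-Sid $_.IdentityReference); Type = "$($_.AccessControlType)"
                               Mask = [int]$_.FileSystemRights }
        }
    foreach ($t in $tokens.GetEnumerator()) {
        $s = Get-Mask $shareAces $t.Value; $n = Get-Mask $ntfsAces $t.Value
        # Effective access is the intersection of the two layers (most restrictive wins)
        [pscustomobject]@{ Share = $name; Token = $t.Key; ShareLevel = $s -as $fsr
                           NtfsLevel = $n -as $fsr; Effective = ($s -band $n) -as $fsr }
    }
}
```

With the permissions described in the reply (Everyone read on the share, Authenticated Users read on NTFS), the "Everyone only" rows would show read at the share level and nothing at the NTFS level, so the effective mask is empty.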