Authenticated Users Group Has Too Many Permissions to the SYSVOL Network Share

When you view the share-level permissions of the SYSVOL network share on a Windows Server 2003-based server, the Authenticated Users group may be assigned Full Control permissions to access this folder over the network. This may occur although you expect the Authenticated Users group to be restricted to Read and Execute permissions for this network resource.

This problem occurs because the default installation of Windows Server 2003 unnecessarily provides too many permissions to the SYSVOL share for the Authenticated Users group.

To resolve this problem, restrict the Authenticated Users to the Read share-level permission for the SYSVOL share:

1. Start Windows Explorer, and then locate the C:\Windows\Sysvol\Sysvol folder.
2. Right-click the shared Sysvol folder, and then click Sharing and Security.
3. Click Permissions, click Authenticated Users, and then click to clear the Full Control and Change check boxes in the Allow column.
4. Click OK, and then click OK.

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

The share-level permissions do not have to be greater than the permissions that are assigned in the Access Control Lists (ACLs) for the items in the SYSVOL share. Non-administrative users should not have write access to items in the SYSVOL share.

The ACLs of items in the SYSVOL share do not allow Full Control access to members of the Authenticated Users group. However, if these permissions are inadvertently changed, members of the Authenticated Users group might have Full Control permissions in the default installation of Windows Server 2003.

Delegated users will not be able to create Group Policy if you give Authenticated Users Read permission on the SYSVOL share. You must add the Group Policy Creator Owners group to the SYSVOL share with Full Control.