This article was previously published under Q319808
If you run the Dcpromo tool, you can specify a different drive and a different path for the SYSVOL folder. The Dcpromo process sets special NTFS file system permissions on SYSVOL and its subfolders except for the following two junction points:
The junction target is %SystemRoot%\Sysvol\Domain.
The junction target is %SystemRoot%\Sysvol\Staging.
Both junctions inherit the NTFS permissions from the parent of the SYSVOL path that you specified in the Dcpromo user interface, which is typically the drive root. If you change the NTFS permissions on the drive root before you run Dcpromo, the junctions inherit the changed permission only.
The File Replication service (FRS) and the Group Policy object (GPO) are not affected if the changed NTFS permissions are inherited from the drive root.
Winnt\Sysvol\Staging areas\Mydomain.com is used only by FRS. FRS uses the NTBackup function and does not need explicit permissions to access the required folders.
The inherited NTFS permissions on %SystemRoot%\Sysvol\Sysvol\Mydomain.com do not affect how a GPO is applied. After the client computer's Group Policy dynamic-link library (DLL) file connects to the SYSVOL, the Group Policy DLL uses SMB NT create against Mydomain.com\Policies\GUID (where GUID is the globally unique identifier [GUID]) to read the appropriate policy setting from the GUID folder. Because the bypass traverse checking policy setting does not step through all the subfolders explicitly, it allows access to the target folder (by default, this policy setting is turned on; Microsoft recommends that you use this policy setting). Therefore, the inherited NTFS permissions on Winnt\Sysvol\Sysvol\Mydomain.com have no effect on the GPO.
NETLOGON Share Access
The %SystemRoot%\Sysvol\Sysvol\Mydomain.com\scripts folder is not affected by the inherited NTFS permissions. The settings are the same as the settings of a default installation. The NETLOGON share can be accessed.
By default, the following NTFS permissions are set on junctions. Microsoft recommends that you use these settings.