Article ID: 319808 - View products that this article applies to.
This article was previously published under Q319808
If you run the Dcpromo tool, you can specify a different drive and a different path for the SYSVOL folder. The Dcpromo process sets special NTFS file system permissions on SYSVOL and its subfolders except for the following two junction points:
The File Replication service (FRS) and the Group Policy object (GPO) are not affected if the changed NTFS permissions are inherited from the drive root.
FRSWinnt\Sysvol\Staging areas\Mydomain.com is used only by FRS. FRS uses the NTBackup function and does not need explicit permissions to access the required folders.
GPOThe inherited NTFS permissions on %SystemRoot%\Sysvol\Sysvol\Mydomain.com do not affect how a GPO is applied. After the client computer's Group Policy dynamic-link library (DLL) file connects to the SYSVOL, the Group Policy DLL uses SMB NT create against Mydomain.com\Policies\GUID (where GUID is the globally unique identifier [GUID]) to read the appropriate policy setting from the GUID folder. Because the bypass traverse checking policy setting does not step through all the subfolders explicitly, it allows access to the target folder (by default, this policy setting is turned on; Microsoft recommends that you use this policy setting). Therefore, the inherited NTFS permissions on Winnt\Sysvol\Sysvol\Mydomain.com have no effect on the GPO.
NETLOGON Share AccessThe %SystemRoot%\Sysvol\Sysvol\Mydomain.com\scripts folder is not affected by the inherited NTFS permissions. The settings are the same as the settings of a default installation. The NETLOGON share can be accessed.
Default PermissionsBy default, the following NTFS permissions are set on junctions. Microsoft recommends that you use these settings.
Article ID: 319808 - Last Review: March 1, 2007 - Revision: 3.2