You are currently offline, waiting for your internet to reconnect

SYSVOL junction inherits NTFS permissions from the drive root

This article was previously published under Q319808
SUMMARY
If you run the Dcpromo tool, you can specify a different drive and a different path for the SYSVOL folder. The Dcpromo process sets special NTFS file system permissions on SYSVOL and its subfolders except for the following two junction points:
  • %SystemRoot%\Sysvol\Sysvol\Mydomain.com

    The junction target is %SystemRoot%\Sysvol\Domain.
  • %SystemRoot%\Sysvol\Staging areas\Mydomain.com

    The junction target is %SystemRoot%\Sysvol\Staging.
Both junctions inherit the NTFS permissions from the parent of the SYSVOL path that you specified in the Dcpromo user interface, which is typically the drive root. If you change the NTFS permissions on the drive root before you run Dcpromo, the junctions inherit the changed permission only.
MORE INFORMATION
The File Replication service (FRS) and the Group Policy object (GPO) are not affected if the changed NTFS permissions are inherited from the drive root.

FRS

Winnt\Sysvol\Staging areas\Mydomain.com is used only by FRS. FRS uses the NTBackup function and does not need explicit permissions to access the required folders.

GPO

The inherited NTFS permissions on %SystemRoot%\Sysvol\Sysvol\Mydomain.com do not affect how a GPO is applied. After the client computer's Group Policy dynamic-link library (DLL) file connects to the SYSVOL, the Group Policy DLL uses SMB NT create against Mydomain.com\Policies\GUID (where GUID is the globally unique identifier [GUID]) to read the appropriate policy setting from the GUID folder. Because the bypass traverse checking policy setting does not step through all the subfolders explicitly, it allows access to the target folder (by default, this policy setting is turned on; Microsoft recommends that you use this policy setting). Therefore, the inherited NTFS permissions on Winnt\Sysvol\Sysvol\Mydomain.com have no effect on the GPO.

NETLOGON Share Access

The %SystemRoot%\Sysvol\Sysvol\Mydomain.com\scripts folder is not affected by the inherited NTFS permissions. The settings are the same as the settings of a default installation. The NETLOGON share can be accessed.

Default Permissions

By default, the following NTFS permissions are set on junctions. Microsoft recommends that you use these settings.
  • Domain\Administrators: Full Control
  • System: Full Control
  • Domain\Users: Read & Edit, Read
NTFRS replication NTFS permissions inheritance GPO
Properties

Article ID: 319808 - Last Review: 03/01/2007 23:52:53 - Revision: 3.2

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server

  • kbinfo KB319808
Feedback
utoFirePV = 1; var varClickTracking = 1; var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" rLargeScreens track by $index" class="col-sm-6 col-xs-24 ng-scope"> Paraguay - Español
Venezuela - Español
0&did=1&t=">amp;did=1&t=">html> var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" ame('head')[0].appendChild(m);" onload="var m=document.createElement('meta');m.name='ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src="http://c1.microsoft.com/c.gif?">