Granting Write Permission to a group for the SYSVOL

Hello all,
I have a requirement to provide a group of OU Administrators with the ability to create scripts.  Of course this entails granting that group write permission to the scripts directory.  I do not see a problem with this but would like to hear other's thoughts on this.  I would really appreciate hearing from anyone on this. Especially if you can think of a negative impact from doing this.

Thank you in advance.
LVL 1
Jim StivesonSr. Systems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Henrik JohanssonSystems engineerCommented:
Better to only grant write access to NETLOGON share as it's the same as the scripts folder.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jim StivesonSr. Systems AdministratorAuthor Commented:
henjoh09,

Thank you.  I should have clarified that. The NETLOGON share is what I was refering to.  Sometimes when I use that term it seems to make people think of NT 4.0.
I assume you do not see a problem with this?
0
Henrik JohanssonSystems engineerCommented:
The only pure NT4-term I'm aware of is BDC that alot of people incorrectly talks about when referring to multiple DCs in AD.

If you trust them, it shouldn't be a problem.
Just place the users in a group "NETLOGON Script Admins" or similar and set the share permission on the NETLOGON-share.
Also verify they have NTFS-write access to scripts-folder.
If you want to isolate the OU-Admins to not write to other OU's scripts, create subfolders under NETLOGON for each OU and grant the separate OU-Admin groups NTFS-write to the subfolder instead of the parent. Point the logon-scripts for the users to be OU-folder\logon.cmd instead of just logon.cmd or handle it dynamically inside logon.cmd
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Jim StivesonSr. Systems AdministratorAuthor Commented:
henjoh09,
Oh, I wasn't implying it was. Just an observation.  Anyhow, I thank you very much for your input. That sounds like a great idea and I think that is what I am going to go with.
0
Henrik JohanssonSystems engineerCommented:
My line about NT4-terms was just meaning that I don't see why some people missunderstand you as talking about NT4 when NETLOGON exist in all versions, and it would had been more confusing if talking about BDC in AD-environment as that is old NT4-term.

It sounds like your satisified with the answer, so please click 'Accept as solution' to close the question.
0
Jim StivesonSr. Systems AdministratorAuthor Commented:
Thank you for your input.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.