win 2008 DC - sysvol permissions

KratosDefense
KratosDefense used Ask the Experts™
on
I have an admin who has rights to log into a Windows 2008 DC. However, he cannot edit any of the scripts/or copy them out of the sysvol folder. He gets permissions denied. Where do I set the permissions for that?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Is he a domain Admin?

Author

Commented:
no
Top Expert 2012
Commented:
If he doesn't have access to the Domain Admin role then you would have to manually add the permission to the file by going to properties of the script to add permissions
In my experience, especially with something as critical as the netlogon share, you shouldn't adjust security via NTFS unless you know exactly why/how the permissions adjustments will impact future needs.

In order to allow a user to logon to a DC, you must have modified the Domain Controllers security policy or the Default Domain Policy, including the permission to allow logon locally.   While, in theory, you SHOULD be able to adjust these permissions to your needs, in general, I'd highly advise AGAINST placing anything other than defaults on the ACLs for these highly specialized privileges.

Grant the user membership into Domain Admins and your troubles/complexity will be greatly reduced.

Author

Commented:
thxs

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial