Securing the Sysvol Share - Active Directory 2012

Posted on 2013-01-02
Medium Priority
Last Modified: 2013-01-02

I was wondering if there is a way to secure or remove the Sysvol share from Windows 2012 Active Directory. My end users are not tech savvy, but it is pretty scary to see that anyone in my network can go to \\Myserver\sysvol and see the share, access and change.

Are there any recommendations that I can use so that my end users cannot see this share without impacting my brand new installation of Windows 2012 Active Directory?

Thank you
Question by:RandallVillalobos
LVL 18

Accepted Solution

Sarang Tinguria earned 800 total points
ID: 38737512
Sysvol holds the policies and logon scripts defined for the domain.
It should be shared on DCs; however, only read-only access should be given on the shares, which is required in order to get policies applied.

There are no security breaches if the sysvol is shared with default permissions and normal users are not given administrative rights.

Assisted Solution

waleeda earned 800 total points
ID: 38737531
No one can change anything in the sysvol folder, as all authenticated users have read/execute permission only.

Please see the MS KB below

Author Comment

ID: 38737555

In order to understand correctly, my authenticated users will have read and execute access to the Sysvol folder?  No way around it?

LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38737576
Yes, it's mandatory to have it in order for AD & FRS replication to work correctly ... and for policy to get applied on clients successfully.
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 38737641
They shouldn't be able to change anything. This is why it is critical to not store passwords in scripts in sysvol. I've seen scripts that contain passwords of admin accounts. Like you said most users are not savvy enough to even know that sysvol exists but we worry about the smart attackers.
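
A read-only audit covering the two points made in the answers above (broad groups hold read/execute only, and scripts in SYSVOL must not contain passwords), added here as an example and not posted by any participant in the thread. The default path, the list of broad groups and the credential patterns are assumptions to adjust for your domain.

```powershell
# Added example: read-only audit of a domain's SYSVOL share.
param(
    # Assumption: run from a domain-joined machine; override the path if needed.
    [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL"
)

# Rights that let a principal alter content, plus the raw GENERIC_WRITE and
# GENERIC_ALL bits that Get-Acl can return on inherit-only ACEs.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

# Broad groups that should hold read/execute only (list is an assumption).
$broadPrincipals = '(^|\\)(Everyone|Authenticated Users|Domain Users|Users)$'

# Check the share root and every folder below it (NTFS ACLs, not share permissions).
$folders = @(Get-Item -LiteralPath $SysvolPath) +
           @(Get-ChildItem -LiteralPath $SysvolPath -Recurse -Directory -ErrorAction SilentlyContinue)

$aclFindings = foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        $isBroad  = $ace.IdentityReference.Value -match $broadPrincipals
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Heuristic patterns for credentials in logon scripts (assumption, tune locally).
$credPattern = '(password|passwd|pwd)\s*[=:]|/user:'
$scriptTypes = '*.bat', '*.cmd', '*.ps1', '*.vbs', '*.kix'

# Report file and line number only, so the audit output never repeats a secret.
$credFindings = Get-ChildItem -Path $SysvolPath -Recurse -File -Include $scriptTypes -ErrorAction SilentlyContinue |
    Select-String -Pattern $credPattern |
    Select-Object Path, LineNumber

"Write-capable ACEs for broad groups: $(@($aclFindings).Count)"
$aclFindings | Format-Table -AutoSize
"Script lines that look like stored credentials: $(@($credFindings).Count)"
$credFindings | Format-Table -AutoSize
```

Any ACL finding means the folder has drifted from the read/execute default described above; any script finding should be handled by removing the credential from the file and changing the affected password.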


