Solved

Securing the Sysvol Share - Active Directory 2012

Posted on 2013-01-02
5
958 Views
Last Modified: 2013-01-02
Experts,

I was wondering if there is a way to secure or Remove the Sysvol share from Windows 2012 Active Directory.  My end users are not tech savy, but it is pretty scary to see that anyone in my network can \\Myserver\sysvol and see the share, access and change.

Are there any recommendations that I can use so that my end users can not see this share without impacting my brand new installation of windows 2012 active directory?

Thank you
0
Comment
Question by:RandallVillalobos
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 18

Accepted Solution

by:
Sarang Tinguria earned 200 total points
ID: 38737512
Sysvol holds the policies and logon scripts defined for domain
It should be shared on DC's However only Read only access should be give on shares which is required in order to get policies applied

There are no security breaches if the sysvol is shared with default permissions and normal users are not given administative rights
0
 
LVL 7

Assisted Solution

by:waleeda
waleeda earned 200 total points
ID: 38737531
no one can change anything in the sysvol folder as all authenticated user has read/execute permission only.

please see the below MS KB
http://support.microsoft.com/kb/812538
0
 

Author Comment

by:RandallVillalobos
ID: 38737555
Hello,

In order to understand correctly, my authenticated users will have read and execute access to the Sysvol folder?  No way around it?

Thanks!
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38737576
Yes, its mandatory to have it in order AD & FRS replication to work correctly ....to policy to get applied on clients successfuly
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 38737641
They shouldn't be able to change anything.   This is why it is critical to not store passwords in scripts in sysvol.  I've seen scripts that contain passwords of admin accounts.    Like you said most users are not savvy enough to even know that sysvol exists but we worry about the smart attackers.


Thanks

Mike
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question