SYSVOL and NETLOGON shares on domain controllers

pma111 used Ask the Experts™
We are doing some risk assessment security work of our domain controllers. On each there are shares named SYSVOL and NETLOGON, both of which are accessible to everyone/authenticated users. Is there a reason why this is set that way, or do these shares contain any sensitive information which should not be shared to global groups like everyone?
Solutions Architect
SYSVOL and NETLOGON are created by default when a domain controller is installed, and yes, they do have sensitive information. Security permissions are set by default, so do not alter anything on these folders.
Distinguished Expert 2018
Any admin should know these shares. They hold the group policies, for example, and everyone needs read access; yes, there is no way around it, and it is the default setting.
One correction to what has been stated here:

Do they contain sensitive information?  It depends on your definition of sensitive information and whether or not what you deem as sensitive information has been added to the shares that are being scrutinized.

As stated by the other Experts, NETLOGON and SYSVOL are created by the Active Directory Domain Controller promotion process, by default.  The primary purposes of these shares are:

SYSVOL - A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain. - Source

NETLOGON - Is used to deliver domain/user login scripts (not group policy login scripts).

These are administrative shares and are usually only used for Active Directory purposes.  These are also replicated shares.  This way all users that are authenticating can have access to the same policies and login scripts.

An uncommon practice is for these shares to be used as data storage facilities (although some system administrators [and even Microsoft] will publish executables from the NETLOGON location).
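For a risk assessment like the one in the question, one way to check whether anything sensitive has been added to these world-readable shares is to scan their contents rather than change their permissions. The following is an added example, not part of the thread or any vendor tooling; the function name, extension lists and regex are assumptions to tune, and the demo tree is constructed.

```powershell
# Added example: flag credential-like strings in scripts and files that look
# like stored data under a SYSVOL/NETLOGON tree. Reports file and line only,
# never the matched value, so the report itself stays non-sensitive.
function Get-SysvolFinding {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed lists: text files worth searching, and file types normally found in policies
        [string[]]$ScriptExt   = @('.bat', '.cmd', '.ps1', '.vbs', '.kix', '.xml', '.ini', '.txt'),
        [string[]]$ExpectedExt = @('.pol', '.inf', '.adm', '.admx', '.adml', '.aas', '.cmtx'),
        # Assumed pattern: key=value style secrets, or "net use ... /user:name secret"
        [string]$Pattern = '(password|passwd|pwd)\s*[=:]|/user:\S+\s+\S+'
    )
    foreach ($f in Get-ChildItem -LiteralPath $Path -Recurse -File) {
        $ext = $f.Extension.ToLowerInvariant()
        if ($ScriptExt -contains $ext) {
            $hits = Select-String -LiteralPath $f.FullName -Pattern $Pattern
            foreach ($h in $hits) {
                [pscustomobject]@{ Finding = 'CredentialLikeString'; File = $f.FullName; Line = $h.LineNumber }
            }
        }
        elseif ($ExpectedExt -notcontains $ext) {
            # Data storage or published executables: review whether everyone should read these
            [pscustomobject]@{ Finding = 'UnexpectedFileType'; File = $f.FullName; Line = $null }
        }
    }
}

# Constructed demo tree (all names and values are made up) so the example runs offline.
$demo    = Join-Path ([IO.Path]::GetTempPath()) ("sysvol-demo-" + [guid]::NewGuid())
$scripts = Join-Path $demo 'scripts'
New-Item -ItemType Directory -Path $scripts -Force | Out-Null
Set-Content -Path (Join-Path $scripts 'logon.bat') -Value @(
    '@echo off',
    'net use H: \\fs01\home /user:CORP\svc_map Example123'   # flagged, line 2
)
Set-Content -Path (Join-Path $scripts 'printers.vbs') -Value 'WScript.Echo "mapping printers"'  # clean
Set-Content -Path (Join-Path $scripts 'payroll.xlsx') -Value 'placeholder'   # flagged as data
Set-Content -Path (Join-Path $demo 'Registry.pol')    -Value 'placeholder'   # expected type

Get-SysvolFinding -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Against a real domain, pass the UNC path of the share (for example `\\<your-domain>\SYSVOL`) as `-Path`; read access as an ordinary authenticated user is enough, which is also the point of the check.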

