
= SYSVOL junction inherits NTFS permissions from the drive root =

Article ID: 319808

Article Last Modified on 3/1/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q319808



SUMMARY
If you run the Dcpromo tool, you can specify a different drive and a different path for the SYSVOL folder. The Dcpromo process sets special NTFS file system permissions on SYSVOL and its subfolders except for the following two junction points:
 * %SystemRoot%\Sysvol\Sysvol\ (the junction target is %SystemRoot%\Sysvol\Domain)
 * %SystemRoot%\Sysvol\Staging areas\ (the junction target is %SystemRoot%\Sysvol\Staging)

Both junctions inherit their NTFS permissions from the parent of the SYSVOL path that you specified in the Dcpromo user interface, which is typically the drive root. If you change the NTFS permissions on the drive root before you run Dcpromo, the junctions inherit only the changed permissions.



MORE INFORMATION
The File Replication service (FRS) and the Group Policy object (GPO) are not affected if the changed NTFS permissions are inherited from the drive root.

FRS
Winnt\Sysvol\Staging areas\ is used only by FRS. FRS uses the NTBackup function and does not need explicit permissions to access the required folders.

GPO
The inherited NTFS permissions on %SystemRoot%\Sysvol\Sysvol\ do not affect how a GPO is applied. After the client computer's Group Policy dynamic-link library (DLL) file connects to the SYSVOL, the Group Policy DLL uses SMB NT create against \Policies\  (where   is the globally unique identifier [GUID]) to read the appropriate policy setting from the GUID folder. Because the bypass traverse checking policy setting does not step through all the subfolders explicitly, it allows access to the target folder (by default, this policy setting is turned on; Microsoft recommends that you use this policy setting). Therefore, the inherited NTFS permissions on Winnt\Sysvol\Sysvol\ have no effect on the GPO.

NETLOGON Share Access
The %SystemRoot%\Sysvol\Sysvol\ \scripts folder is not affected by the inherited NTFS permissions. The settings are the same as the settings of a default installation. The NETLOGON share can be accessed.

Default Permissions
By default, the following NTFS permissions are set on junctions. Microsoft recommends that you use these settings.
 * \ : Full Control
 * System: Full Control
 * \Users: Read & Edit, Read
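
To see which permissions on the junctions are inherited and compare them with the defaults listed above, the following added example (not part of the original article) lists the access control entries on each junction itself. It assumes PowerShell and an icacls.exe that supports the /L switch; the function name Get-LinkAce and the parameter $SysvolRoot are hypothetical, and the script looks for reparse points in and under the two folders instead of hard-coding a junction name.

```powershell
param(
    # Assumption: the SYSVOL path chosen in Dcpromo; the article uses %SystemRoot%\Sysvol.
    [string]$SysvolRoot = (Join-Path $env:SystemRoot 'Sysvol')
)

function Get-LinkAce {
    param([string]$Path)
    # /L makes icacls read the ACL of the link itself instead of its target.
    $lines = & icacls.exe $Path /L 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for '$Path': $lines"; return }
    foreach ($line in $lines) {
        $text = "$line"
        # The first output line is prefixed with the path; strip it.
        if ($text.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
            $text = $text.Substring($Path.Length)
        }
        # ACE lines have the form  IDENTITY:(I)(OI)(CI)(F)
        if ($text.Trim() -match '^(?<id>.+?):(?<flags>(\([^)]+\))+)$') {
            $id    = $Matches['id']
            $flags = $Matches['flags']
            [pscustomobject]@{
                Junction  = $Path
                Identity  = $id
                Inherited = $flags.Contains('(I)')   # (I) marks an ACE inherited from the parent
                Flags     = $flags
            }
        }
    }
}

# Collect reparse points in and directly under the two folders named in the article.
$junctions = foreach ($dir in 'Sysvol', 'Staging areas') {
    $base = Join-Path $SysvolRoot $dir
    Get-Item      -LiteralPath $base -Force -ErrorAction SilentlyContinue
    Get-ChildItem -LiteralPath $base -Force -ErrorAction SilentlyContinue
}
$junctions = @($junctions | Where-Object {
    $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
})

if ($junctions.Count -eq 0) {
    Write-Warning "No junction points found under $SysvolRoot"
} else {
    "Parent of SYSVOL path (source of inherited ACEs): $(Split-Path -Path $SysvolRoot -Parent)"
    $junctions | ForEach-Object { Get-LinkAce -Path $_.FullName } |
        Sort-Object Junction, Identity | Format-Table -AutoSize
}
```

Rows with Inherited set to True come from the parent of the SYSVOL path; compare them with the ACL on that parent and with the default permissions listed above.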

Additional query words: NTFRS replication NTFS permissions inheritance GPO

Keywords: kbinfo KB319808



© Microsoft Corporation. All rights reserved.