Microsoft KB Archive/812538

= Authenticated Users Group Has Too Many Permissions to the SYSVOL Network Share =

Article ID: 812538

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition






SYMPTOMS
When you view the share-level permissions of the SYSVOL network share on a Windows Server 2003-based server, the Authenticated Users group may be assigned Full Control permissions to access this folder over the network. This may occur although you expect the Authenticated Users group to be restricted to Read and Execute permissions for this network resource.



CAUSE
This problem occurs because the default installation of Windows Server 2003 unnecessarily provides too many permissions to the SYSVOL share for the Authenticated Users group.



RESOLUTION
To resolve this problem, restrict the Authenticated Users group to the Read share-level permission for the SYSVOL share:
 * 1) Start Windows Explorer, and then locate the C:\Windows\Sysvol\Sysvol folder.
 * 2) Right-click the shared Sysvol folder, and then click Sharing and Security.
 * 3) Click Permissions, click Authenticated Users, and then click to clear the Full Control and Change check boxes in the Allow column.
 * 4) Click OK, and then click OK.
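
To check the same share-level setting from a prompt, before or after the steps above, the following added example (not part of the original article) reads the SYSVOL share DACL over WMI and flags an Allow entry for Authenticated Users that grants more than Read. It assumes PowerShell 2.0 or later and administrative rights on the domain controller; the function name `Get-SysvolShareAce` is hypothetical.

```powershell
# Added example, not from the KB article. Get-SysvolShareAce is a hypothetical name.
function Get-SysvolShareAce {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Share-level access masks behind the Read / Change / Full Control check boxes.
    $READ   = 0x001200A9
    $CHANGE = 0x001301BF
    $FULL   = 0x001F01FF
    $AUTH_USERS = 'S-1-5-11'   # well-known SID of the Authenticated Users group

    foreach ($dc in $ComputerName) {
        $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                     -Filter "Name='SYSVOL'" -ComputerName $dc
        if (-not $share) { Write-Warning "${dc}: SYSVOL share not found"; continue }

        $sd = $share.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) {
            Write-Warning "${dc}: GetSecurityDescriptor returned $($sd.ReturnValue)"
            continue
        }

        foreach ($ace in $sd.Descriptor.DACL) {
            if (-not $ace) { continue }          # empty DACL: nothing to decode
            $mask  = [long]$ace.AccessMask
            $bytes = [byte[]]$ace.Trustee.SID
            $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            $rights = switch ($mask) {
                $FULL   { 'Full Control' }
                $CHANGE { 'Change' }
                $READ   { 'Read' }
                default { '0x{0:X8}' -f $mask }
            }
            # Bits granted beyond the Read mask (write, delete, change permissions...).
            $extra = $mask -band (-bnot [long]$READ)
            New-Object PSObject -Property @{
                Computer  = $dc
                Trustee   = $ace.Trustee.Name
                Sid       = $sid
                Type      = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })
                Rights    = $rights
                # True only for an Allow ACE for Authenticated Users above Read.
                Excessive = ($sid -eq $AUTH_USERS -and $ace.AceType -eq 0 -and $extra -ne 0)
            }
        }
    }
}

# List only the entries that match the symptom described in this article.
Get-SysvolShareAce | Where-Object { $_.Excessive } | Format-Table Computer, Trustee, Rights
```

No output from the last line means the Authenticated Users entry on the share is already limited to Read. Pass several domain controller names to `-ComputerName` to check each one.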



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
The share-level permissions do not have to be greater than the permissions that are assigned in the Access Control Lists (ACLs) for the items in the SYSVOL share. Non-administrative users should not have write access to items in the SYSVOL share.

The ACLs of items in the SYSVOL share do not allow Full Control access to members of the Authenticated Users group. However, if these permissions are inadvertently changed, members of the Authenticated Users group might have Full Control permissions in the default installation of Windows Server 2003.

Delegated users will not be able to create Group Policy if you give Authenticated Users Read permission on the SYSVOL share. You must add the Group Policy Creator Owners group to the SYSVOL share with Full Control.

Keywords: kbprb kbbug KB812538


© Microsoft Corporation. All rights reserved.