Update security on the new SYSVOL

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This procedure applies the default security settings to the new SYSVOL folders. The settings will be the equivalent of those set by default during Active Directory installation. If additional security settings have been applied to the system volume since Active Directory was installed, you must reapply those settings after completing this procedure.

Warning

Failure to reapply security changes made after Active Directory was installed might result in unauthorized access to logon and logoff scripts and Group Policy objects.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active Directory.

To update security on the new SYSVOL

  1. Click Start, click Run, type regedit and then press ENTER.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

    Note the path stored under SysVol.

  3. In Control Panel, double-click System.

  4. On the Advanced tab, click Environment Variables.

  5. Under System Variables, click New.

  6. For Variable name, type sysvol.

  7. For Variable value, type the path that you noted in step 2.

  8. Click OK twice. Click OK again to close Properties.

  9. Open Notepad and enter the following information:

    [Unicode]

    Unicode=yes

    [Version]

    signature="$CHICAGO$"

    Revision=1

    [Profile Description]

    Description=default perms for sysvol

    [File Security]

    ;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"

    "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"

    "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

    Use this file to apply the security settings to the new SYSVOL folders. Save this file as Sysvol.inf.

    Note

    Do not include a space after (A;CIOI;GRGX;;;SO), (A;CIOI;GRGX;;;AU), or (A;CIOI;GA;;;SY).

  10. Open a new Command Prompt. Do not use an existing command prompt that has been open on your desktop because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file.

  11. Type the following command all on one line and then press ENTER:

    SECEDIT /Configure /cfg sectemplatepath\sysvol.inf /db sectemplatepath\sysvol.db /overwrite

    where sectemplatepath specifies the path to where you saved Sysvol.inf.
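
The following Python check for the Sysvol.inf template in step 9 is an added example, not part of the original procedure or of any Microsoft tool. It parses the [File Security] entries, reports whitespace inside an SDDL string (the mistake the Note in step 9 warns about), and expands each ACE into readable rights and trustees; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the page's [File Security] lines, with a line-wrap
# space left inside the first active SDDL string to show what the check catches.
SAMPLE_INF = r'''
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO) (A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
'''

TRUSTEES = {"AU": "Authenticated Users", "SO": "Server Operators",
            "BA": "Builtin Administrators", "SY": "Local System",
            "CO": "Creator Owner", "PA": "Group Policy Creator Owners"}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "SD": "delete", "FA": "file all access"}
ENTRY = re.compile(r'^"([^"]+)",(\d),"([^"]*)"$')
ACE = re.compile(r'\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)')

def parse_file_security(text):
    """Return (path, mode, sddl) for each active line in [File Security]."""
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        elif in_section and line and not line.startswith(";"):
            m = ENTRY.match(line)
            if not m:
                raise ValueError("malformed entry: " + line)
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries

def lint_sddl(sddl):
    """Return problems: embedded whitespace, or text that is not D:<flags>(ACE)..."""
    problems = []
    if re.search(r"\s", sddl):
        problems.append("whitespace inside SDDL string")
    if not re.fullmatch(r"D:[A-Z]*(\([^()]*\))+", re.sub(r"\s", "", sddl)):
        problems.append("not a DACL of the form D:flags(ACE)(ACE)...")
    return problems

def decode_aces(sddl):
    """Expand each ACE into (type, inheritance flags, rights, trustee)."""
    out = []
    for ace_type, flags, rights, sid in ACE.findall(sddl):
        names = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
        out.append((ace_type, flags, names, TRUSTEES.get(sid, sid)))
    return out
```

Calling lint_sddl on each entry returned by parse_file_security before step 11 shows whether any SDDL string still carries a stray space; decode_aces lets you compare the resulting access list with the defaults you expect.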