Authenticated Users Group Has Too Many Permissions to the SYSVOL Network Share (812538)



The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

When you view the share-level permissions of the SYSVOL network share on a Windows Server 2003-based server, the Authenticated Users group may be assigned Full Control permissions to access this folder over the network. This may occur although you expect the Authenticated Users group to be restricted to Read and Execute permissions for this network resource.

CAUSE

This problem occurs because the default installation of Windows Server 2003 grants the Authenticated Users group more permissions on the SYSVOL share than it needs.

RESOLUTION

To resolve this problem, restrict the Authenticated Users group to the Read share-level permission for the SYSVOL share:
  1. Start Windows Explorer, and then locate the C:\Windows\Sysvol\Sysvol folder.
  2. Right-click the shared Sysvol folder, and then click Sharing and Security.
  3. Click Permissions, click Authenticated Users, and then click to clear the Full Control and Change check boxes in the Allow column.
  4. Click OK, and then click OK.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The share-level permissions need not exceed the permissions that are assigned in the Access Control Lists (ACLs) for the items in the SYSVOL share. Non-administrative users should not have write access to items in the SYSVOL share.

The ACLs of items in the SYSVOL share do not allow Full Control access to members of the Authenticated Users group. However, if these permissions are inadvertently changed, members of the Authenticated Users group might have Full Control permissions in the default installation of Windows Server 2003.

Delegated users will not be able to create Group Policy if you give Authenticated Users Read permission on the SYSVOL share. You must add the Group Policy Creator Owners group to the SYSVOL share with Full Control.
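The following script is an added example, not part of this article, that covers both the RESOLUTION steps above and the Group Policy Creator Owners note: it audits the SYSVOL share-level ACL against the expectations stated here (Authenticated Users limited to Read, Group Policy Creator Owners holding Full Control) and can apply the correction. It assumes a domain controller running Windows Server 2012 or later, where the SmbShare cmdlets exist (the article's own steps are GUI-only), and that the account names used below resolve in your domain.

```powershell
# Added example (not from KB 812538): audit, then optionally correct, the SYSVOL
# share-level ACL. Assumes the SmbShare module (Windows Server 2012+) and that
# the script runs as a domain administrator on the domain controller.

function Test-SysvolShareAccess {
    param(
        # Objects shaped like Get-SmbShareAccess output (AccountName, AccessControlType, AccessRight)
        [Parameter(Mandatory)] [object[]] $AccessEntries
    )
    $findings = @()
    foreach ($ace in $AccessEntries) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # The article's bug: Authenticated Users granted Full Control (or Change) at share level
        if ($ace.AccountName -like '*Authenticated Users' -and $ace.AccessRight -in 'Full', 'Change') {
            $findings += "Authenticated Users has $($ace.AccessRight) on SYSVOL; expected Read"
        }
    }
    # Without this entry, delegated GPO creation fails once Authenticated Users is reduced to Read
    $gpco = $AccessEntries | Where-Object {
        $_.AccountName -like '*Group Policy Creator Owners' -and
        $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
    }
    if (-not $gpco) {
        $findings += 'Group Policy Creator Owners lacks Full Control on SYSVOL; delegated GPO creation will fail'
    }
    return $findings
}

function Repair-SysvolShareAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Domain = $env:USERDOMAIN)   # assumption: NetBIOS domain name of this DC
    $authUsers = 'NT AUTHORITY\Authenticated Users'
    $gpco      = "$Domain\Group Policy Creator Owners"
    if ($PSCmdlet.ShouldProcess('SYSVOL', "Reduce $authUsers to Read")) {
        # Revoke removes every Allow entry for the account; Grant then re-adds Read only
        Revoke-SmbShareAccess -Name SYSVOL -AccountName $authUsers -Force | Out-Null
        Grant-SmbShareAccess  -Name SYSVOL -AccountName $authUsers -AccessRight Read -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('SYSVOL', "Grant $gpco Full Control")) {
        Grant-SmbShareAccess -Name SYSVOL -AccountName $gpco -AccessRight Full -Force | Out-Null
    }
}

# Audit first; remediate only after reviewing the findings.
$entries  = Get-SmbShareAccess -Name SYSVOL
$findings = Test-SysvolShareAccess -AccessEntries $entries
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'SYSVOL share-level ACL matches the expectations in KB 812538' }
# Repair-SysvolShareAccess -WhatIf   # preview the changes; drop -WhatIf to apply them
```

The audit only inspects share-level permissions; the NTFS ACLs on the SYSVOL folder contents, which the MORE INFORMATION section says should already deny write access to non-administrators, must be checked separately.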

Modification Type: Minor
Last Reviewed: 3/30/2004
Keywords:kbprb kbBug KB812538