Best practice in securing SYSVOL custom directories without breaking the AD replication?

EnterpriseArchitect 4,721 Reputation points
2021-06-17T07:14:38.283+00:00

People,

I need some confirmation on whether the default SYSVOL folder content does not include the Scripts directory.

This location: \\myADDomain.com\SYSVOL\myADDomain.com\scripts

Because I can see that this directory on one of my Domain Controllers has Full Control for all Authenticated Users.

Is changing this to Read & Execute for all Authenticated Users recommended?


Thanks in advance.


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2021-06-17T12:22:46.473+00:00

    Yes, the scripts are within the sysvol directory. It isn't recommended to modify permissions of sysvol or its contents.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

3 additional answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-06-18T01:40:46.97+00:00

    Hello @EnterpriseArchitect ,

    Thank you for posting here.

    Hope the information provided by DSPatrick is helpful to you.

    Here is my suggestion for your reference.

    Q: I need some confirmation on whether the default SYSVOL folder content does not include the Scripts directory.
    This location: \\myADDomain.com\SYSVOL\myADDomain.com\scripts
    A: Yes, it includes it.


    Q: Is changing this to Read & Execute for all Authenticated Users recommended?
    A: We do not recommend any changes to the permissions of the SYSVOL folder, because any changes to the permissions of the SYSVOL folder may cause various SYSVOL replication problems or GPO application problems, and these problems are very difficult to repair/fix or possibly impossible to repair/fix.

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.

  2. Dave Patrick 426.1K Reputation points MVP
    2021-06-18T01:41:43.127+00:00

    Just checking if there's any progress or updates?

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  3. EnterpriseArchitect 4,721 Reputation points
    2021-06-18T02:12:35.733+00:00

    That's a great explanation, many thanks @Dave Patrick and @Daisy Zhou
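
A read-only way to inspect what the question describes, added here as an example (it is not code from any poster in this thread or from Microsoft): it lists the Authenticated Users entries on the `scripts` folder of every domain controller so that a DC whose ACL differs from the others stands out, and it changes nothing. It assumes the ActiveDirectory RSAT module and read access to SYSVOL on each DC; the variable names are illustrative.

```powershell
# Added example: read-only audit, nothing is modified.
# Assumes the ActiveDirectory (RSAT) module and read access to SYSVOL on every DC.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
# Resolve the (localized) account name of Authenticated Users from its well-known SID.
$sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$authUsers = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Rights that allow changing content or permissions, plus the raw GENERIC_ALL and
# GENERIC_WRITE bits, which Get-Acl can return on inherit-only entries.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x10000000 -bor 0x40000000

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query each DC's own copy of the folder instead of the domain-wide DFS path.
    $path = "\\$($dc.HostName)\SYSVOL\$domain\scripts"
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Rights = "unreadable: $($_.Exception.Message)"
                           Inherited = $null; CanWrite = $null }
        continue
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $authUsers) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            DC        = $dc.HostName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            CanWrite  = [bool]([int]$ace.FileSystemRights -band $writeBits)
        }
    }
}

# Per-DC view of what Authenticated Users are granted on the scripts folder.
$report | Sort-Object DC | Format-Table -AutoSize

# Group DCs by identical ACE sets; a DC that sits alone in a group is the outlier.
$report | Group-Object DC | ForEach-Object {
    $sig = ($_.Group | ForEach-Object { "$($_.Rights)/$($_.Inherited)" } | Sort-Object) -join '; '
    [pscustomobject]@{ DC = $_.Name; Signature = $sig }
} | Group-Object Signature | Sort-Object Count |
    Format-Table Count, @{ n = 'DCs'; e = { $_.Group.DC -join ', ' } }, Name -AutoSize
```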