Hi, The security permissions that are applied to files/folders when running dcpromo are in a template file on your DC in %systemroot%\security\templates. The "DC security.inf" template is what is used by secedit during the DCPromo process to re-ACL files/folders on your new DC.
C$ is a share - not a folder/file/drive. You can't set the permissions on this normally. It should be restricted to those in the Administrators group. Permissions on the root folder of the C: drive are different to C$ permissions. Everyone (or Authenticated User) should have Read+Execute and List Folder Contents permission by default. Check the inf file for more info, or use secedit to re-ACL your box if you need to. Cheers Ken -----Original Message----- From: Jon D [mailto:[email protected]] Sent: Tuesday, 30 December 2008 8:53 AM To: NT System Admin Issues Subject: C$ Permissions on a Domain Controller???? Anyone know what the proper permissions are on the C: drive of a Domain Controller? Are they special or no? I'm doing a security audit and I came across 2 domain controllers that do not require a password to access their C$ share. You can't view the permissions of the share itself, but the permissions on the C drive have authenicated users with full control. That can't be right..... Anyone see anything like that before? Anyone know how dangerous it is to change the permissions(once I determine the correct permissions)? Thanks in advance, Jon ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
