Thanks everyone. After reading everyone's advice that the permissions
were okay I looked further and found that the problem was that a
special group was added to the local administrators groups on most of
the servers.

Ends up, an administrator added code to the users' login scripts to
add this group locally, and another administrator had the users' login
script in his super user account.

Thanks everyone!

On Tue, Dec 30, 2008 at 6:04 AM, Ken Schaefer <[email protected]> wrote:
> Hi,
>
> The security permissions that are applied to files/folders when running 
> dcpromo are in a template file on your DC in %systemroot%\security\templates. 
> The "DC security.inf" template is what is used by secedit during the DCPromo 
> process to re-ACL files/folders on your new DC.
>
> C$ is a share - not a folder/file/drive. You can't set the permissions on 
> this normally. It should be restricted to those in the Administrators group.
>
> Permissions on the root folder of the C: drive are different to C$ 
> permissions. Everyone (or Authenticated User) should have Read+Execute and 
> List Folder Contents permission by default. Check the inf file for more info, 
> or use secedit to re-ACL your box if you need to.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Jon D [mailto:[email protected]]
> Sent: Tuesday, 30 December 2008 8:53 AM
> To: NT System Admin Issues
> Subject: C$ Permissions on a Domain Controller????
>
> Anyone know what the proper permissions are on the C: drive of a
> Domain Controller?
> Are they special or no?
>
> I'm doing a security audit and I came across 2 domain controllers that
> do not require a password to access their C$ share.
> You can't view the permissions of the share itself, but the
> permissions on the C drive have authenticated users with full control.
>
> That can't be right.....
> Anyone see anything like that before?
> Anyone know how dangerous it is to change the permissions (once I
> determine the correct permissions)?
>
> Thanks in advance,
> Jon

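The root cause reported at the top of this thread was an unexpected group in the local Administrators group on many servers. The following is an added example, not part of the original thread, of checking that membership against a baseline. It assumes Windows PowerShell 5.1 or later with PowerShell remoting enabled; the server names, the `EXAMPLE` domain, the baseline entries and both function names are placeholders.

```powershell
# Hypothetical baseline: principals expected in the built-in Administrators group
# on every server. '.\' marks an account local to the server being checked.
$Baseline = @('.\Administrator', 'EXAMPLE\Domain Admins')

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup does not depend on the OS display language.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Class    = $_.ObjectClass   # User or Group
            }
        }
    }
    # Surface servers that could not be queried instead of silently skipping them.
    foreach ($e in $failed) { Write-Warning "Query failed: $e" }
}

function Find-UnexpectedAdmin {
    param([Parameter(Mandatory)][object[]]$Member, [string[]]$Baseline)
    foreach ($m in $Member) {
        # Rewrite SERVER01\Administrator as .\Administrator so one baseline fits all servers.
        $name = $m.Member -replace ('^' + [regex]::Escape($m.Computer) + '\\'), '.\'
        if ($Baseline -notcontains $name) {
            [pscustomobject]@{ Computer = $m.Computer; Member = $m.Member; Class = $m.Class }
        }
    }
}

# Constructed sample records in the shape Get-LocalAdminMember returns.
$sample = @(
    [pscustomobject]@{ Computer = 'SERVER01'; Member = 'SERVER01\Administrator'; Class = 'User' }
    [pscustomobject]@{ Computer = 'SERVER01'; Member = 'EXAMPLE\Domain Admins'; Class = 'Group' }
    [pscustomobject]@{ Computer = 'SERVER01'; Member = 'EXAMPLE\Special Group'; Class = 'Group' }
)
Find-UnexpectedAdmin -Member $sample -Baseline $Baseline

# Live use (placeholder server names):
# Find-UnexpectedAdmin -Member (Get-LocalAdminMember -ComputerName SERVER01, SERVER02) -Baseline $Baseline
```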