I had a bizarre problem somewhat like this when I upgraded my test domain.
Domain controllers lost the ability to apply machine group policy. User policy
applied fine.
It turns out that “bypass traverse checking” had somehow gotten turned off in
the domain controller default policy. This didn’t affect the DCs when they were
Server 2003 because computers had permissions all the way down the SYSVOL path
to the “policies” folder.
However, Server 2008 R2 (don’t know about 2008) makes SYSVOL\{YourDomainFQDN} a
reparse point to “c:\Windows\SYSVOL\domain”, and the permissions along the new
path are more restrictive than in previous versions of Windows.
The moral of the story is that there are now two sets of permissions that
control access to the stuff under SYSVOL, and make sure you haven’t turned off
“bypass traverse checking”.
Ken Cornetet 812.482.8499
To err is human - to moo, bovine.
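
An added example, not part of the original message: a PowerShell check for the two things described above, namely who holds "Bypass traverse checking" (SeChangeNotifyPrivilege) on a DC and what the ACLs look like at each level of both SYSVOL paths. The `sysvol\<domain FQDN>` folder name and the use of `$env:USERDNSDOMAIN` are assumptions based on the default SYSVOL layout.

```powershell
# Added example. Run elevated on a domain controller.
# Assumptions: default SYSVOL location, and the junction folder is named
# after the domain FQDN reported by USERDNSDOMAIN.
$sysvolRoot = 'C:\Windows\SYSVOL'
$domainFqdn = $env:USERDNSDOMAIN

# 1. Export user rights from the local security database and list the holders
#    of "Bypass traverse checking" (SeChangeNotifyPrivilege).
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeChangeNotifyPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeChangeNotifyPrivilege is not assigned to any account.'
} else {
    ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $entry                          # already a name, or an unresolvable SID
        }
    }
}

# 2. Walk up from the Policies folder along both paths (through the reparse
#    point and along its target) and show the allow ACEs at every level.
$paths = @(
    (Join-Path $sysvolRoot "sysvol\$domainFqdn\Policies"),
    (Join-Path $sysvolRoot 'domain\Policies')
)
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { Write-Warning "Not found: $p"; continue }
    $dir = Get-Item $p -Force
    while ($dir) {
        $allow = (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { '{0} [{1}]' -f $_.IdentityReference, $_.FileSystemRights }
        New-Object PSObject -Property @{
            Path         = $dir.FullName
            ReparsePoint = [bool]($dir.Attributes -band [IO.FileAttributes]::ReparsePoint)
            Allow        = ($allow -join '; ')
        }
        $dir = $dir.Parent
    }
}
```

If the holder list from step 1 does not cover computer accounts, every folder in step 2 has to grant them access explicitly for machine policy to be readable.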
From: Richard Stovall [mailto:[email protected]]
Sent: Monday, March 14, 2011 6:15 PM
To: NT System Admin Issues
Subject: Re: Sysvol perms in 2008
From what I can tell it shouldn't be applicable to the issue you're seeing, but
out of curiosity did you run "adprep32 /domainprep /gpprep" when you upgraded
the domain?
On Mon, Mar 14, 2011 at 1:39 PM, Kennedy, Jim
<[email protected]> wrote:
I am having GPO weirdness. Desktops are getting denied on accessing my Software
Policies. I THINK this started with our upgrade to 2008 R2 DC’s. Did perms
change somewhere along the way and I missed it…it almost seems as if computer
accounts are no longer members of Authenticated Users. I have always had my
basic software installs like flash and whatnot in sysvol/netlogon. That is what
is failing now.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]
with the body: unsubscribe ntsysadmin