Tuesday, July 24, 2007


Many people overlook this very important folder. By default, Windows 2003 Server gives "Authenticated Users" full control of it. Patches automatically adjust the security settings to correct this, but you can easily do it yourself after installing a new 2003 server.
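An added check, not part of the original post: the PowerShell script below reads the NTFS ACL of the SYSVOL folder and reports every "Allow" entry for Authenticated Users, flagging those that carry write-capable rights (write, delete, change permissions, take ownership) rather than plain read access. It assumes SYSVOL sits at its default location under %SystemRoot%; pass -SysvolPath if yours differs. It only reports and changes nothing.

```powershell
# Added example (not from the original post): report NTFS ACEs on the SYSVOL
# folder that grant Authenticated Users any write-capable right.
# Assumption: SYSVOL is at the default location, %SystemRoot%\SYSVOL\sysvol.
param(
    [string]$SysvolPath = (Join-Path $env:SystemRoot 'SYSVOL\sysvol')
)

function Get-SysvolAuthenticatedUsersFindings {
    param([string]$Path)

    # Rights that let a principal alter content or permissions. Any of these
    # granted to Authenticated Users is more than the read access they need.
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $rights::Write -bor $rights::Delete -bor
                 $rights::DeleteSubdirectoriesAndFiles -bor
                 $rights::ChangePermissions -bor $rights::TakeOwnership

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries for Authenticated Users are of interest here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch 'Authenticated Users$') { continue }

        # Bitwise test so combined or generic right values are handled too.
        $hasWrite = ([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0
        $finding  = 'Read-only: OK'
        if ($hasWrite) { $finding = 'Write-capable: review' }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}

Get-SysvolAuthenticatedUsersFindings -Path $SysvolPath | Format-Table -AutoSize
```

Run it on each domain controller; because SYSVOL is replicated, an over-permissive entry on one DC matters for the whole domain. A "Write-capable" finding for Authenticated Users means the default described above is still in place and the permissions should be brought down to what the referenced Microsoft article recommends.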

The System Volume (Sysvol) is a shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain. The Sysvol folder on a domain controller contains the following items:

  • Net Logon shares. These typically host logon scripts and policy objects for network client computers.
  • User logon scripts for domains where the administrator uses Active Directory Users and Computers.
  • Windows Group Policy.
  • File replication service (FRS) staging folder and files that must be available and synchronized between domain controllers.
  • File system junctions.

Best Practices for Sysvol Maintenance

Authenticated Users Group Has Too Many Permissions to the SYSVOL Network Share

Group Policy - Notes

Workstations check with Active Directory every 60 to 120 minutes to see if there are any new policies. If there are, then the workstations apply them - both user and machine policies.

If you are using group policies, local policy is always processed before site, domain, or OU group policies.

Policies are reapplied every 90 minutes, with a 30-minute "randomization" offset to keep the domain controller from being hit by many computers at once.

Policies on DCs are refreshed every 5 minutes.

Order in which policies are applied: local > site > domain > OU.
If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting.

GPO links that are enforced on a parent container cannot be blocked by child containers.
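The precedence rules in these notes (local, then site, domain and OU; later links win conflicts; Block Inheritance drops non-enforced parent links; enforced links cannot be blocked and win over lower-level links) can be modelled as a small resolver. The PowerShell below is an added example, not from the original post or from Minasi's book; the GPO names, containers and settings are constructed for illustration and nothing is read from Active Directory. It assumes links are supplied in processing order (Local, Site, Domain, then OUs from the top down).

```powershell
# Added example (not from the original post): a model of Group Policy
# precedence. All GPO names, containers and settings are constructed.

# Links listed in processing order: Local, Site, Domain, then OUs top-down.
$links = @(
    [pscustomobject]@{ Scope='Local';  Container='LocalComputer';      Gpo='LocalPolicy';
                       Enforced=$false; Settings=@{ ScreenSaverTimeout=300; RemoveRunMenu=$false } }
    [pscustomobject]@{ Scope='Site';   Container='Default-First-Site'; Gpo='SitePolicy';
                       Enforced=$false; Settings=@{ ScreenSaverTimeout=900 } }
    [pscustomobject]@{ Scope='Domain'; Container='DC=example,DC=com';  Gpo='DomainBaseline';
                       Enforced=$true;  Settings=@{ RemoveRunMenu=$true } }
    [pscustomobject]@{ Scope='OU';     Container='OU=Workstations';    Gpo='WorkstationPolicy';
                       Enforced=$false; Settings=@{ ScreenSaverTimeout=600; RemoveRunMenu=$false } }
)

# Containers with "Block Inheritance" set (constructed).
$blockInheritance = @('OU=Workstations')

function Resolve-EffectivePolicy {
    param([object[]]$Links, [string[]]$BlockedContainers)

    # Step 1: drop non-enforced links from parent containers when a container
    # processed after them has Block Inheritance. Local policy is not inherited
    # from AD and is therefore unaffected; enforced links are never blocked.
    $applied = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $Links.Count; $i++) {
        $link = $Links[$i]
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $Links.Count; $j++) {
            if ($BlockedContainers -contains $Links[$j].Container) { $blockedBelow = $true }
        }
        if ($blockedBelow -and -not $link.Enforced -and $link.Scope -ne 'Local') { continue }
        $applied.Add($link)
    }

    # Step 2: processing order. Non-enforced links in LSDOU order, then enforced
    # links in reverse order so that an enforced link higher in the tree is
    # processed last and therefore wins. A later link overwrites an earlier one.
    $normal   = @($applied | Where-Object { -not $_.Enforced })
    $enforced = @($applied | Where-Object { $_.Enforced })
    [array]::Reverse($enforced)
    $processingOrder = $normal + $enforced

    $effective = @{}
    $source    = @{}
    foreach ($link in $processingOrder) {
        foreach ($name in $link.Settings.Keys) {
            $effective[$name] = $link.Settings[$name]
            $source[$name]    = "$($link.Gpo) ($($link.Scope), enforced=$($link.Enforced))"
        }
    }

    foreach ($name in ($effective.Keys | Sort-Object)) {
        [pscustomobject]@{ Setting = $name; Value = $effective[$name]; WinningGpo = $source[$name] }
    }
}

Resolve-EffectivePolicy -Links $links -BlockedContainers $blockInheritance | Format-Table -AutoSize
```

With the constructed data, ScreenSaverTimeout resolves to 600 from WorkstationPolicy (the site value is dropped by Block Inheritance and the OU link is processed after local policy), while RemoveRunMenu resolves to True from DomainBaseline: the enforced domain link survives Block Inheritance and is processed after the OU link, so it wins the conflict.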


Managing inheritance of Group Policy:

Referenced from "Mastering Windows Server 2003" by Mark Minasi