  1. #1
    networkmanager

    Finder browsing the SYSVOL and NETLOGON folder

    Hello,

    I wonder if someone can help me.

    We've just installed the Xserve and a couple of iMacs.

    The iMacs were bound to Open and Active Directories such that users can use their Windows logon account to get authenticated on the iMacs, all properly locked down just like on the PCs.

    However, in Simple Finder in OS X there is a link to Network where users can browse the list of all PCs and servers along with the shared folders on them; as such, the SYSVOL and NETLOGON folders are visible as shares on the DCs. This Network link becomes visible when users open up the 'Storage Area' used for storing common files for users.

    I just wondered if there's a way to hide such shares from users' view?

    The SYSVOL and NETLOGON folders have got the default permissions on, which is Everyone - Modify. Can this be altered without screwing up the DCs? Probably define the User group to have READ ONLY access?

    Really confused about this, just hope someone will help out.

    Thanks.

  2. #2

    powdarrmonkey
    Quote (originally posted by networkmanager):
    I just wondered if there's a way to hide such shares from users' view?
    Not at the server end, I don't know if you can configure Finder to ignore them.

    Quote (originally posted by networkmanager):
    The SYSVOL and NETLOGON folders have got the default permissions on, which is Everyone - Modify, can this be altered without screwing up the DCs? Probably define the User group to have READ ONLY access?
    Err... if that's the case, you probably have a bigger problem. Only server operators should have write permission to these shares. (Do you mean share permission or NTFS permission?)

  3. #3
    networkmanager
    Thanks for your prompt response.

    The share and NTFS permissions on the SYSVOL folder are as follows:

    SHARES
    Admin - Full control
    Auth. Users - Full control
    Everyone - Read

    NTFS
    Admin - Full control
    Creator Owner - Full control
    Everyone - Modify
    System - Full control
    Users - Read & Execute, List Folders and Read.

    On the NETLOGON they are as follows:

    SHARES
    Admin - Full control
    Everyone - Read

    NTFS

    All permissions here inherited from the SYSVOL folder above.

    I'd appreciate it if you could suggest a better alternative to these. We've got a global security group defined for each type of user in AD, if that will help.

    Thanks.

  4. #4

    Did you have any luck with this? I've got the same problem!

  5. #5
    tosca925
    Does anyone know how to lock Finder down so they can't browse the network or see any PCs? We have just had a Mac server put in and we are experiencing this problem from our iMacs.


  6. #6

    mac_shinobi
    What version of OS X are the clients and the server running?

    Possibly the below:

    http://www.windowsnetworking.com/kba...dBrowsing.html
    Last edited by mac_shinobi; 28th January 2010 at 11:20 AM.

  7. #7
    tosca925
    Snow Leopard 10.6

  8. #8
    gybe78
    It was a long time ago but I think we resolved this issue by customising a com.apple.sidebarlists plist and applying it against student and staff user groups.

  9. #9
    AntonioRocco
    Hi

    Disable "NetBIOS over TCP/IP" in the DHCP Service's Advanced Section. When was the last time you had to support NetBIOS aware client workstations?

    Customizing the Sidebar's plist is one way of doing this although by itself it still won't stop users from re-enabling the view by accessing the Finder Preferences. The trick is to deny them access to this Setting as well. However this may cause more problems than it solves.

    Why is it such a problem? Surely if authentication and authorisation along with permissions have been correctly set on server and client workstations, what difference would it make? Should you not be storing SYSVOL on another volume for performance reasons anyway? One that is not being shared. Hard drives are not expensive.

    Antonio Rocco (ACSA)
    Last edited by AntonioRocco; 28th January 2010 at 08:30 PM.

  10. #10
    TomH
    The SYSVOL has to be shared; it's required for file-based replication between domain controllers and holds things like Group Policy. Removing it as a share would be VERY bad.

    As far as permissions go, this is where your Group Policy is stored, so users need read access when logging onto a Windows client. The Modify on the NTFS permissions is irrelevant for network access because of the Everyone - Read at the share level. I wouldn't modify these permissions, as it can have some serious repercussions.

    There is no real way or need to properly hide it on the server side, and as such there is always going to be a way to find this on a Mac or indeed a PC. The sidebar lists will go some way to removing it from the view of a casual Mac user, but not anyone who has any real Mac experience.

    Disabling NetBIOS is a nice tip, but you also have to tell the clients to be compliant with the DHCP server's settings, which is a pain to implement in a large environment.

    I wouldn't worry about it; it's aesthetically annoying at most.
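
Added example, not part of any post in the thread: a small Python model of how share and NTFS permissions combine for network access, run over the ACLs posted in #3. The expanded group names (Administrators, Authenticated Users), the coarse right sets and the DOMAIN_USER token are assumptions, and only allow entries are modelled.

```python
# Added example: models share-vs-NTFS evaluation with the ACLs posted in #3.
# Simplified: allow entries only (no deny ACEs appear in the thread), and
# rights are coarse sets rather than real Windows access-mask bits.
R = frozenset({"read"})
RX = R | {"execute"}
MODIFY = RX | {"write", "delete"}
FULL = MODIFY | {"change_permissions", "take_ownership"}

# Share permissions come in three levels: Read / Change / Full control.
SHARE_LEVELS = {"Read": RX, "Change": MODIFY, "Full control": FULL}
NTFS_LEVELS = {"Read": R, "Read & Execute": RX,
               "Modify": MODIFY, "Full control": FULL}

# ACLs as listed in post #3. "Creator Owner" is left out because it applies
# to the owner of an individual object, not to a group membership.
SYSVOL_NTFS = {"Administrators": "Full control", "Everyone": "Modify",
               "SYSTEM": "Full control", "Users": "Read & Execute"}
SHARES = {
    "SYSVOL": {"share": {"Administrators": "Full control",
                         "Authenticated Users": "Full control",
                         "Everyone": "Read"},
               "ntfs": SYSVOL_NTFS},
    "NETLOGON": {"share": {"Administrators": "Full control",
                           "Everyone": "Read"},
                 "ntfs": SYSVOL_NTFS},  # inherited from SYSVOL per the post
}

def granted(acl, levels, groups):
    """Union of the rights of every allow entry matching the user's groups."""
    rights = set()
    for trustee, level in acl.items():
        if trustee in groups:
            rights |= levels[level]
    return rights

def effective_network_rights(share_name, groups):
    """Over SMB a user gets only rights allowed by BOTH share and NTFS ACLs."""
    entry = SHARES[share_name]
    return (granted(entry["share"], SHARE_LEVELS, groups)
            & granted(entry["ntfs"], NTFS_LEVELS, groups))

# Assumed token of an ordinary logged-in domain user (not stated in the thread).
DOMAIN_USER = {"Everyone", "Authenticated Users", "Users"}

if __name__ == "__main__":
    for name in SHARES:
        rights = effective_network_rights(name, DOMAIN_USER)
        state = "WRITABLE" if "write" in rights else "read-only"
        print(f"{name}: {state} for domain users -> {sorted(rights)}")
```

With the values as posted, the model reports Modify-level rights on SYSVOL for an authenticated domain user (the Authenticated Users - Full control share entry combined with Everyone - Modify on NTFS) and read-only on NETLOGON. Compare against the actual share and NTFS ACLs on the DC before changing anything.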
