Windows Server 2000/2003 thread: Hiding Sysvol and Netlogon shares? (in Technical)
  1. #1


    Hiding Sysvol and Netlogon shares?

    Hi there,

    Is it possible to hide the sysvol and netlogon shares on our Windows domain network?

    We have a Windows domain on a subnet and another standalone server on the same subnet that will be managed by someone else. I am just carrying out some tests from the standalone server and they are able to browse the shares and write files to the sysvol share!!

    Is there any way I can secure these two shares? Is it possible to put a $ on the end of the share to hide it?

    Anyone any ideas on what is possible? I don't want to come in one day to find that the domain has gone down because someone has messed up the sysvol share!

    Thanks

  2. #2
    DMcCoy
    The only way they could write to the sysvol share is if the username/password is the same as an existing user with permissions to write.

    Do NOT alter the shares; many things will break.

  3. #3

    The odd thing is the standalone server - under an admin account - can write to the sysvol share. Surely this isn't correct?

  4. #4

    Ric_
    Quote Originally Posted by fox1977 View Post
    The odd thing is the standalone server - under an admin account - can write to the sysvol share. Surely this isn't correct?
    I've noticed odd things like this if the username/password combinations are the same on each machine.

  5. #5

    Possibly. I might try with a different username and pw combination later.

  6. #6
    mjs_mjs
    Quote Originally Posted by Ric_ View Post
    I've noticed odd things like this if the username/password combinations are the same on each machine.
    I've seen this many times. I think it's something to do with Kerberos auth.

    The system volume sysvol and netlogon shares are shares sharing files required for computers on the domain. The shares contain group policies, packages and scripts, I think. You WILL break Windows if you remove the shares.

  7. #7

    Michael
    As mentioned above, I wouldn't look at the shares as the problem, but the users and their access rights. In theory all users require read access to these shares in some form anyway to process logon scripts and GPOs. I wouldn't change anything on either of these shares!

  8. #8

    plexer
    Your domain will cease to function properly if you mess with either of those shares; the username/password combo used to log on to the member server must be the same as some domain credentials that have write access to sysvol and netlogon.

    Ben

  9. #9

    The separate server I am trying to access them from used to be part of the domain. It looks like I have the same admin user locally as my domain admin account, and possibly something to do with cached credentials or something weird with Kerberos.

    When I create a new local admin user I cannot see anything and things are fine!

  10. #10
    Cools
    Does the standalone server have the same username and password as the other server that you are accessing the SYSVOL folder on? If so, change the standalone username and password.

    You can hide the servers by turning off NetBIOS. I did; all works fine still.

  11. #11

    plexer
    Isn't that exactly what he said the problem was in the post above yours, Cools?

    Ben

  12. #12
    mjs_mjs
    As I understand it:

    When you auth using Kerberos the machine creates a ticket, and the server has a matching ticket. The tickets are stored on the machines for a set period of time. The ticket is generated using the username, password and computer name, I think, so changing one of these means the tickets are no longer valid.

    A key point I should make is you do not have to be part of a domain or on a domain to auth using Kerberos. Anyone can, but it's the sharing and NTFS properties "security" that ties down which users/attempts are allowed access.
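
Added example, not part of any post in this thread: several replies point at access rights rather than the shares themselves, so this PowerShell sketch lists the NTFS entries that allow changes under SYSVOL and NETLOGON for review. The domain name `example.local` and the function name `Get-WriteCapableAce` are placeholders chosen for illustration; it reads NTFS permissions only (not share-level permissions) and needs PowerShell 3.0 or later on an admin workstation.

```powershell
# Added example (not from the thread). Read-only audit of NTFS ACEs that
# allow modification under SYSVOL and NETLOGON.
param([string]$Domain = 'example.local')   # placeholder domain name (assumption)

$fsr = [System.Security.AccessControl.FileSystemRights]

# Specific rights that let a principal alter content, permissions or ownership
$writeMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor
             [int]$fsr::DeleteSubdirectoriesAndFiles -bor
             [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership

# Get-Acl can report unmapped generic bits as raw numbers on these folders,
# so include GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) as well.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-WriteCapableAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $bits = [int]$ace.FileSystemRights
        # Keep Allow entries that carry at least one write-type bit
        if ($ace.AccessControlType -eq 'Allow' -and ($bits -band $writeMask)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

foreach ($share in 'SYSVOL', 'NETLOGON') {
    $root = "\\$Domain\$share"

    # Every write-capable entry on the share root
    Get-WriteCapableAce -Path $root

    # Below the root, report only explicit (non-inherited) entries,
    # which is where one-off permission changes show up
    Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WriteCapableAce -Path $_.FullName } |
        Where-Object { -not $_.Inherited }
}
```

Compare the `Identity` column with the groups you expect to administer Group Policy and logon scripts; any other account or group listed there is worth investigating.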
