Default Domain Policy

pDK

Jul 16, 2004
Archived from groups: microsoft.public.win2000.group_policy

The default domain policy sets security settings on the
sysvol directory on a given DC, however this triggers
staging files to grow excessively as it alters ACL
information.
If you alter the Default Domain Policy not to replace any
security setting on the sysvol directory + subfolders,
everything runs smoothly and FRSDiag stops reporting errors.

1. Are these settings intended by Microsoft? In this case,
why?
2. Why does the Default Domain Policy specify the path
c:\winnt\*** instead of %systemroot%?
 
Guest

Hi Pdk,

Thanks for your posting here.

We should not use file system policy to apply anything to files in the
sysvol share. This is replicated and can cause a replication storm when the
policy is applied on all the DCs and replicated from all the DCs.

Please refer to the following documents for more information about this
issue.

284947 Antivirus programs may modify security descriptors and cause excessive
http://support.microsoft.com/?id=284947

279156 The Effects of Setting the File System Policy on a Disk Drive or Folder
http://support.microsoft.com/?id=279156

"%SystemRoot%" means the folder including Windows files, typically the
Winnt or Windows folder. Take a look in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.

Hope it helps.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
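
Added example, not part of the original thread or of Microsoft's reply: a small Python check that parses the [File Security] section of a GPO security template (GptTmpl.inf) and lists the entries that would set ACLs inside the replicated SYSVOL tree, whether the path is written with %SystemRoot% or hard-coded as c:\winnt. The sample template is constructed, the function names are hypothetical, and SYSVOL is assumed to sit in its default location under the system root.

```python
import csv
import ntpath

# Constructed sample of a GPO security template; not taken from the thread.
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[File Security]
"c:\winnt\sysvol",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"
"%SystemRoot%\SYSVOL\domain\Policies",0,"D:AR(A;OICI;FA;;;SY)"
"%SystemRoot%\system32\config",2,"D:P(A;OICI;FA;;;BA)"
; comment line
[Version]
signature="$CHICAGO$"
'''

def file_security_entries(inf_text):
    """Yield (path, mode, sddl) for each line of the [File Security] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "file security":
            # Each entry has the form "path",mode,"SDDL string".
            fields = next(csv.reader([line], skipinitialspace=True))
            if len(fields) == 3:
                yield fields[0], fields[1].strip(), fields[2]

def touches_sysvol(path, system_root=r"C:\WINNT"):
    """True if path is the SYSVOL folder or below it (assumes SYSVOL under system_root)."""
    expanded = path.lower().replace("%systemroot%", system_root.lower())
    parts = ntpath.normpath(expanded).split("\\")
    root = ntpath.normpath(system_root.lower()).split("\\")
    return parts[:len(root)] == root and parts[len(root):len(root) + 1] == ["sysvol"]

def sysvol_acl_entries(inf_text, system_root=r"C:\WINNT"):
    """Return the template entries that set ACLs inside the replicated SYSVOL tree."""
    return [e for e in file_security_entries(inf_text) if touches_sysvol(e[0], system_root)]

if __name__ == "__main__":
    for path, mode, sddl in sysvol_acl_entries(SAMPLE_INF):
        print(f"SYSVOL ACL entry: path={path} mode={mode} sddl={sddl}")
```

GptTmpl.inf files are typically UTF-16 encoded, so open them with encoding="utf-16" before passing the text to sysvol_acl_entries.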