Default domain policy

[pdk]

The default domain policy sets security settings on the
sysvol directory on a given DC, however this triggers
staging files to grow excessivly as it alters ACL
information.
If you alter the Default Domain Policy not to replace any
security setting on the sysvol directory + subfolders
everything runs smootly and FRSDiag stops reporting errors.

1. Are these settings intended by Microsoft in this case
why ??
2. Why does the Default Domain Policy specify the path
c:\winnt\*** insted of %systemroot%??

 

[Gary Mudgett [MSFT]]

None of the default policies specify any permission settings.

In the Default Domain Policy the only things defined by default are the
password policies.
In the Default Domain Controllers policy the only things defined by default
are UserRights and a couple of Security Options.

Any other settings would have been added to the policies after the fact
manually (accidentally) or by importing a security template.

So if you don't need them then they can be removed from the policy.

Please look at the following articles for FRS information pertaining to the
events you were seeing:
315045 FRS Event 13567 Is Recorded in the File Replication Service Event Log
http://support.microsoft.com/?id=315045
284947 Antivirus programs may modify security descriptors and cause
excessive
http://support.microsoft.com/?id=284947
279156 The Effects of Setting the File System Policy on a Disk Drive or
Folder
http://support.microsoft.com/?id=279156

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[pdk]

Is it possible that this alteration came with SMS
implemented by my college, we run Advanced clients.

 

[Gary Mudgett [MSFT]]

I don't believe that SMS puts any policy settings in place, so I would say
not likely. I am not that familiar with it so I cannot say with 100%
certainty.

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[pdk]

Thanks for your help

I have read the mentioned articles before this and found
some help. But it puzzles me how these settings has been
made.
Do you know about some documents / books that describes
the default settings for the security templates.

 

[Gary Mudgett [MSFT]]

It is puzzling how those settings were made.

I don't know of any books but there is an article that gives the default
gpttmpl.inf file for the Default Domain Policy.
226243 How to reset security settings in the default Domain GPO in
Windows 2000
http://support.microsoft.com/?id=226243

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[pdk]

You have been very helpfull

Thanks and have a nice weekend

/Philip