What happens if you scan the sysvol and netlogon?

Ken Nichols

We had a worm come through. I had Symantec scan drives
and it scanned the SYSVOL and NETLOGON. I received 2
items in the Event Viewer: Event ID 1000, userenv. Now
there are a couple of new folders in a share that is on
that same drive that I did not create.

What is going on?

Ken
 
C

Chriss3 [MVP]

SYSVOL should only be scanned with trusted anti-virus software. Symantec is
okay as far as I know. However, what files or folders are created? SYSVOL is
used to store Group Policies, for example. The content will be modified by
Active Directory behavior and group policy creation and removal within the
domain; that's common.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
K

Ken Nichols

New folders that were created only have numbers for the
folder names 448dc3c4be1fc7ba7fa523be8ba509c. Should I
be able to delete these folders? They appeared to be
created at the time the scan was happening.

The item of most concern is the Event Viewer item userenv
which says Windows cannot obtain the domain controller
name for your network. This is on the domain
controller. This only happened twice and the scan was
stopped. I don't believe Microsoft would corrupt an
entire Active Directory on a simple mistake. I have not
restarted the server since and no other errors have been
logged.

Any thoughts?

Ken
 
C

Chriss3 [MVP]

Folders should be named 448dc3c4be1fc7ba7fa523be8ba509c within the Policies
folder within SYSVOL; it's the GUID of stored group policy objects. If these
exist in the root of the SYSVOL, it's not created by the Directory Service,
and you may have to check your anti-virus software.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
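As an added example (not from this thread or from either poster), the layout check Christoffer describes, applied to a constructed directory listing of a SYSVOL share: GPO folders belong under `<domain>\Policies` and carry a brace-wrapped GUID name; anything else in the domain folder was not put there by the Directory Service. The server name `DC1`, domain `corp.example` and the listing itself are made up; the two default GPO GUIDs are the well-known ones present in every domain.

```python
import re

# GPO folders under SYSVOL\<domain>\Policies are named by the GPO's GUID in braces.
GPO_GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# Well-known default GPOs that exist in every domain (the "only 2 folders").
DEFAULT_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

def classify_sysvol_dir(share_root, path):
    """Return (verdict, reason) for one directory; verdict is ok/suspicious/skipped."""
    if not path.lower().startswith(share_root.lower()):
        return "skipped", "not under the SYSVOL share"
    rel = [p for p in path[len(share_root):].split("\\") if p]  # <domain>, ...
    if len(rel) < 2:
        return "ok", "share root or domain folder"
    top = rel[1].lower()
    if top == "policies":
        if len(rel) == 2:
            return "ok", "Policies container"
        gpo = rel[2]
        if GPO_GUID_RE.match(gpo):
            return "ok", DEFAULT_GPOS.get(gpo.upper(), "GPO") + " folder"
        return "suspicious", "non-GUID folder name under Policies: " + gpo
    if top == "scripts":
        return "ok", "scripts folder (shared as NETLOGON)"
    return "suspicious", "folder not created by the Directory Service: " + rel[1]

def find_unexpected(share_root, listing):
    """Return [(path, reason)] for every directory that does not fit the layout."""
    results = [(p, classify_sysvol_dir(share_root, p)) for p in listing]
    return [(p, reason) for p, (verdict, reason) in results if verdict == "suspicious"]

# Constructed sample listing (shape of `dir /s /b /ad \\DC1\SYSVOL` output).
SHARE_ROOT = r"\\DC1\SYSVOL"
LISTING = [
    r"\\DC1\SYSVOL\corp.example\Policies",
    r"\\DC1\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}",
    r"\\DC1\SYSVOL\corp.example\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}",
    r"\\DC1\SYSVOL\corp.example\scripts",
    r"\\DC1\SYSVOL\corp.example\448dc3c4be1fc7ba7fa523be8ba509c",
    r"\\DC1\SYSVOL\corp.example\Policies\Quarantine",
]

if __name__ == "__main__":
    for path, reason in find_unexpected(SHARE_ROOT, LISTING):
        print(f"{path}\n    -> {reason}")
```

Feed it the saved output of a real `dir /s /b /ad` against the SYSVOL share and compare any flagged GUID folders with the GPOs listed by the Group Policy tools before deleting anything.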
 
Guest

Chris,

Thanks for the help so far. The 448 folder does not exist in the SYSVOL Policies folder. It currently exists in another shared folder (private) which is located on a different disk. There are only 2 folders inside sysvol\domain name\policies. The 448 folder that is visible in private has no files in it.

Any ideas?