Sysvol share compatibility
ID: oval:org.secpod.oval:def:18958 | Date: (C)2014-05-29 (M)2023-07-04
Class: COMPLIANCE | Family: windows
The Sysvol share compatibility machine setting should be configured correctly.
This setting controls whether or not the Sysvol share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the Sysvol share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. When this setting is disabled or not configured, the Sysvol share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. If this setting is enabled, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
Fix:
(1) GPO: Computer Configuration\Administrative Templates\System\Net Logon\Sysvol share compatibility
(2) KEY: HKLM\Software\Policies\Microsoft\Netlogon\Parameters\AllowExclusiveSysvolShareAccess
Platform: Microsoft Windows Server 2008 R2