This tip was submitted to the searchWin2000 Tip Exchange by member Alan Warren. Let other users know how useful it is by rating the tip below.
Removing the "everyone" group NTFS permissions from the root of a drive is a standard security policy. When you try this with an Active Directory domain controller, however, it may lead to a system that cannot be rebooted. If the NTDS files for the system were installed to any partition other than the system partition (recommended in a multi-drive install), the "SYSTEM" account has no permissions to the root of the drive. Removing the group everyone without adding the "SYSTEM" account to the permissions list of the drive will deny the operating system access to the files at the next re-boot. (The administrative accounts and groups are inaccessible until after the AD has loaded, the AD cannot load until the NTDS files have been read, so the administrator account having root permissions does not prevent this error.) If this happens, the system will indicate that the Active Directory is corrupt and re-boot automatically.
To fix the problem, go in to the Directory Restore mode under the advanced boot menu and log in using the Directory Services restore account. Locate the drive/folder containing the NTDS files and add the account "SYSTEM" to the permissions list with full control. You should then be able to re-boot and resume normal operations.
This was first published in March 2002