Removing the "everyone" group in AD

What you have to remember if you remove the Everyone group from drive permissions on an Active Directory domain controller.

This tip was submitted to the searchWin2000 Tip Exchange by member Alan Warren.


Removing the "Everyone" group's NTFS permissions from the root of a drive is a standard security policy. On an Active Directory domain controller, however, it may lead to a system that cannot be rebooted. If the NTDS files for the system were installed to any partition other than the system partition (recommended in a multi-drive install), the "SYSTEM" account has no permissions to the root of that drive. Removing the Everyone group without first adding the "SYSTEM" account to the drive's permissions list will deny the operating system access to the files at the next reboot.

The administrator account having root permissions does not prevent this error: the administrative accounts and groups are inaccessible until after AD has loaded, and AD cannot load until the NTDS files have been read. If this happens, the system will indicate that the Active Directory is corrupt and reboot automatically.

To fix the problem, boot into Directory Services Restore Mode from the advanced boot menu and log in using the Directory Services restore account. Locate the drive or folder containing the NTDS files and add the "SYSTEM" account to its permissions list with Full Control. You should then be able to reboot and resume normal operations.
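
A pre-flight check for the situation described above, to run on the domain controller before removing Everyone from a drive root. This is an added example, not part of the original tip; it assumes the NTDS database and log locations can be read from the `DSA Database file` and `Database log files path` registry values, and `Test-SystemFullControl` is a hypothetical helper name.

```powershell
# Added example (not from the original tip): confirm that SYSTEM has an
# explicit or inherited Full Control allow entry on the NTDS folders and on
# the root of the drive(s) that hold them.

function Test-SystemFullControl {
    param([string]$Path)

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs so the check does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isSystem  = $rule.IdentityReference.Value -eq 'S-1-5-18'  # SYSTEM
        $isAllow   = $rule.AccessControlType -eq 'Allow'
        $isFull    = ($rule.FileSystemRights -band $full) -eq $full
        # An inherit-only entry applies to children, not to this object.
        $appliesHere = -not ($rule.PropagationFlags -band $inheritOnly)
        if ($isSystem -and $isAllow -and $isFull -and $appliesHere) {
            return $true
        }
    }
    return $false
}

# Assumption: the NTDS service records its file locations in these values.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey

$dbFolder  = Split-Path -Path $params.'DSA Database file' -Parent
$logFolder = $params.'Database log files path'

# Check each NTDS folder plus the root of the drive it lives on.
$targets = @($dbFolder, $logFolder) |
    ForEach-Object { $_; (Split-Path -Path $_ -Qualifier) + '\' } |
    Sort-Object -Unique

foreach ($path in $targets) {
    [pscustomobject]@{
        Path              = $path
        SystemFullControl = Test-SystemFullControl -Path $path
    }
}
```

Any path reported with `SystemFullControl` set to `False` needs the SYSTEM account added with Full Control before the Everyone entry is removed.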


This was first published in March 2002