Removing the "everyone" group in AD

This tip was submitted to the searchWin2000 Tip Exchange by member Alan Warren. Let other users know how useful it is by rating the tip below.

Removing the "everyone" group NTFS permissions from the root of a drive is a standard security policy. When you try this with an Active Directory domain controller, however, it may lead to a system that cannot be rebooted. If the NTDS files for the system were installed to any partition other than the system partition (recommended in a multi-drive install), the "SYSTEM" account has no permissions to the root of the drive. Removing the group everyone without adding the "SYSTEM" account to the permissions list of the drive will deny the operating system access to the files at the next re-boot. (The administrative accounts and groups are inaccessible until after the AD has loaded, the AD cannot load until the NTDS files have been read, so the administrator account having root permissions does not prevent this error.) If this happens, the system will indicate that the Active Directory is corrupt and re-boot automatically.

To fix the problem, go in to the Directory Restore mode under the advanced boot menu and log in using the Directory Services restore account. Locate the drive/folder containing the NTDS files and add the account "SYSTEM" to the permissions list with full control. You should then be able to re-boot and resume normal operations.

    Requires Free Membership to View

This was first published in March 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.