
Windows Server 2012 AD server: default share permissions and secure configuration of NETLOGON and SYSVOL (consultation)

Hi there, let's break down your question and get this sorted out for you.

Default Share Permissions for NETLOGON and SYSVOL

First, it's important to distinguish between share permissions (what you modified) and NTFS permissions—since both control access but work differently. Here are the out-of-the-box share permissions for these critical AD shares in Windows Server 2012:

NETLOGON

  • Administrators: Full Control
  • Everyone: Read

SYSVOL

  • Administrators: Full Control
  • Authenticated Users: Read
  • Everyone: Read (this is often redundant with Authenticated Users, but it's part of the default setup)

Safely Configuring Permissions Without Breaking Scripts

The key here is to ensure all domain users can read these shares—since things like password expiration notifications, group policy scripts, and other AD-dependent processes rely on this access. Here's how to fix and maintain a safe, functional setup:

  1. Restore Default Share Permissions

    • Use the command line for quick adjustments:
      • For NETLOGON: net share NETLOGON /grant:Everyone,Read /grant:Administrators,Full
      • For SYSVOL: net share SYSVOL /grant:"Authenticated Users",Read /grant:Administrators,Full
    • Alternatively, via the GUI: Right-click the shared folder → Properties → Share → Advanced Sharing → Permissions, then add/set the permissions listed above.
  2. Verify NTFS Permissions (Just to Be Safe)
    While you mentioned modifying share permissions, it's worth checking NTFS permissions too—they can also block access if misconfigured. The default NTFS permissions for SYSVOL include:

    • Domain Admins: Full Control
    • Authenticated Users: Read & Execute, List Folder Contents, Read
    • System: Full Control

    Make sure these aren't overly restricted—Authenticated Users need at least read access to traverse the folder structure and access scripts.
  3. Why This Fixes Your Password Expiration Notifications
    Password expiration alerts are typically pushed via scripts stored in the NETLOGON share, or enforced via group policy that pulls settings from SYSVOL. If regular users can't read these shares, their machines can't retrieve the notification scripts or policy settings, hence no alerts show up. Restoring the default read permissions for all authenticated users should resolve this.

Final Notes

Avoid removing read access for Everyone or Authenticated Users from these shares—this is the most common mistake that breaks AD-related client functionality. As long as you keep these base read permissions intact, and restrict full control only to admins, you'll maintain a secure setup that doesn't interfere with script execution or AD operations.

Note: content sourced from Stack Exchange; question author G.Carlos
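As an added audit example (not part of the original answer or the source thread), the following PowerShell script checks on a domain controller whether the NETLOGON and SYSVOL shares still carry the baseline read access described above, at both the share level and the NTFS level. It assumes it runs elevated on the DC itself with the SmbShare module available (Windows Server 2012 and later); the principal names it checks are the defaults listed in the answer.

```powershell
# Baseline: which principals must hold an Allow share entry on each AD share.
# These are the defaults from the answer above; adjust only if your domain differs.
$expected = @{
    'NETLOGON' = @('Everyone')
    'SYSVOL'   = @('Authenticated Users', 'Everyone')
}
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

foreach ($share in $expected.Keys) {
    # Get-SmbShare exposes the on-disk path the share points at (Get-SmbShare/Get-SmbShareAccess
    # are real SmbShare cmdlets; the share names come from the answer).
    $shareObj = Get-SmbShare -Name $share -ErrorAction Stop
    $access   = Get-SmbShareAccess -Name $share

    # --- Share-level permissions (what 'net share' / Advanced Sharing shows) ---
    foreach ($principal in $expected[$share]) {
        $entry = $access | Where-Object {
            $_.AccountName -like "*$principal" -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $entry) {
            Write-Warning "$share share: no Allow entry for '$principal'; clients may fail to read scripts or policy"
        }
    }
    # Anything other than Administrators holding Full at the share level deviates from the default.
    $access | Where-Object { $_.AccessRight -eq 'Full' -and $_.AccountName -notlike '*\Administrators' } |
        ForEach-Object { Write-Warning "$share share: unexpected Full access for $($_.AccountName)" }

    # --- NTFS permissions on the underlying folder ---
    # A share grant alone is not enough: Authenticated Users also need Read & Execute on disk.
    $acl = Get-Acl -Path $shareObj.Path
    $ntfsOk = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readExec) -eq $readExec)
    }
    if (-not $ntfsOk) {
        Write-Warning "$share NTFS ($($shareObj.Path)): Authenticated Users lack Read & Execute"
    } else {
        Write-Output "$share NTFS ($($shareObj.Path)): Authenticated Users have Read & Execute"
    }
}
```

Run it before and after any permission change; a warning on either layer points at the cause of clients silently failing to pull logon scripts or Group Policy. The NTFS check only recognises explicit ReadAndExecute bits, so an ACE expressed through generic rights would still be reported as missing and should be inspected by hand.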
