Monday, May 08, 2006

When you promote a server to a domain controller, the SYSVOL share is created with the default share permissions "Everyone: Read" and "Authenticated Users: Full". A Windows Server 2003 domain controller therefore gives the Authenticated Users group more permissions on the SYSVOL share than it needs. This situation is described in KB812538.

The ACLs (NTFS permissions) of items in the SYSVOL share do not allow Full Control access to members of the Authenticated Users group. However, if these permissions are inadvertently changed, members of the Authenticated Users group might have Full Control permissions in the default installation of Windows Server 2003.

I am managing 46 DCs at different sites. I used RMTShare.exe to decrease the share permissions. The command is:

RMTShare.exe \\DC1\SYSVOL /GRANT "Authenticated Users":R /REMOVE Everyone

You can use this command in a batch file or VBScript.
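
A batch-file version of that rollout, added here as an example and not taken from the original post. The DC names in the list are placeholders, and it assumes RMTShare.exe is on the PATH and that the account running it has administrative rights on each DC.

```batch
@echo off
rem Added example: apply the share-permission change to several DCs
rem and record what each SYSVOL share looks like afterwards.
rem DC1 DC2 DC3 are placeholder names; replace them with your own DCs.
setlocal
set LOG=sysvol-share.log
echo SYSVOL share permission change started %DATE% %TIME% > "%LOG%"

for %%D in (DC1 DC2 DC3) do (
    echo ===== %%D ===== >> "%LOG%"
    rem Same command as in the post, run against each DC in turn.
    RMTShare.exe \\%%D\SYSVOL /GRANT "Authenticated Users":R /REMOVE Everyone >> "%LOG%" 2>&1
    rem Called with only the share name, RMTShare prints the share settings
    rem and its permission list, so the log shows the resulting state per DC.
    RMTShare.exe \\%%D\SYSVOL >> "%LOG%" 2>&1
)

echo Done. Review %LOG% for any DC that was unreachable or still lists Everyone.
endlocal
```

The change affects share permissions only; the NTFS ACLs on the SYSVOL folder are untouched and should be reviewed separately.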

Microsoft has placed the RMTShare.exe program on their FTP site at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/RMTSHAR.EXE.
