The NETLOGON share is READ-ONLY by default and should definitely be kept this way, both on the file permissions and the share permissions.

The Directory Replicator account requires full access, and Domain Administrators should have full access at least to the export directory on the Primary Domain Controller. They do not require full access to NETLOGON since script updates are performed through the export directory.
_________________________
There are two types of vessels, submarines and targets.