Re: Restrict access to administrative shares?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/09/04

• Next message: TDM: "Re: Locked out by old Passwords"
• Previous message: iams115: "RE: Locked out of computer!"
• In reply to: Brian: "Restrict access to administrative shares?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 09 Mar 2004 21:28:18 GMT

Are they able to access other computers than their own? If so you may have a problem
with users knowing administrator passwords that they should not. You can not change
the permissions on those shares and only those in the local administrators group
[which would include the domain admins group] on domain members can gain access. What
you could try is to modify the user right for access this computer from the network
to only include the domain admins group of those domain member machines that you want
to restrict access to assuming that other users have no need to access shares on the
computer. You could move the computers you want to restrict into their own OU and set
the more restrictive user right in a GPO for that OU. Otherwise you will need to
disable the admin shares all together and create a new hidden admin share [append $
to the share name] with permission to just the domain admins group. --- Steve

"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:92f101c40588$1c53ed90$a301280a@phx.gbl...
> I work on a school network, and were starting to get
> problems with people figuring out how to use the
> automatic administrative shares (drive letter$, admin$,
> ipc$). My problem is how do I restrict access to these
> shares to say only domain admins. I know how to disable
> them entirely using regedit, but they are a good tool.
> If possible I want to keep them intact but restricted.
> Thanks.

---

• Next message: TDM: "Re: Locked out by old Passwords"
• Previous message: iams115: "RE: Locked out of computer!"
• In reply to: Brian: "Restrict access to administrative shares?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages ADMT - 2000 to 2003 ... server to a dc. ... I am also unable to add the domain admins group from the newdomain into the ... connect to shares on other servers in the old domain. ... (microsoft.public.win2000.active_directory) Some users unable to log into domain. ... Testing to slowly move over 40-50 computers to a domain.. ... I can switch back to the reduced access account and it does work ... Ive tried two logins featured under the domain admins group, ... (microsoft.public.windows.server.active_directory) Re: Right to add computers to a domain ... Domain Admins group? ... the right to join computers to a domain. ... It all began with Adam. ... (microsoft.public.windows.server.security) Re: Windows 2000 and GPO ... controller/DNS and a collection of computers with windows XP ... The problem arises when I try to apply user group policy linked to ... If the user is not member of Domain Admins Group, ... (microsoft.public.win2000.active_directory) Re: How to audit who adds computers to domain ... start browsing their computers. ... > Enable auditing of acount managment events in your Domain Controller ... > configured for only domain admins group as by default it is authenicated ... (microsoft.public.win2000.networking)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)