+ Post New Thread
Results 1 to 7 of 7
Windows Thread, Can I stop local admins accessing C$ default shares? in Technical; I find the default admin shares extremely useful, use them all the time, so cant really disable them alltogether. What ...
  1. #1

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49

    Can I stop local admins accessing C$ default shares?

    I find the default admin shares extremely useful, use them all the time, so cant really disable them alltogether.

    What I'd like though, is for only domain admins to be able to access them. The reason I ask is that I am setting up some standalone machines which still need some network access.

    Any local admin user I create can directly access any PC's C$ share as long as they know the name, and that is a bit of a security problem

    Is there a way to restrict access to these shares to just domain admins?

  2. #2

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Can I stop local admins accessing C$ default shares?

    Disable administrative shares in group policies.
    Recreate the shares manually with whatever share level permissions you want.

  3. #3

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Can I stop local admins accessing C$ default shares?

    Quote Originally Posted by Geoff
    Disable administrative shares in group policies.
    Recreate the shares manually with whatever share level permissions you want.
    The problem is that a localadmin has the power whatever access they ahve been denied. So they can just take ownership of a resource and add themelves to the permissions list.

  4. #4

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Can I stop local admins accessing C$ default shares?

    I said use share level permissions, not NTFS permissions.

  5. #5
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Can I stop local admins accessing C$ default shares?

    Given what NetworkGeezer has said, the only way around this may be to not give out local Admin level access. Is it possible to synthesize a level of access which is 'admin enough' without actually being admin? What exactly do you give out local admin rights for?

  6. #6

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Can I stop local admins accessing C$ default shares?

    Quote Originally Posted by Geoff
    I said use share level permissions, not NTFS permissions.
    Splitting hairs really. They could just create themselves some new shares when they next have physical access.

    The problem here is that we have users who have deliberately been given deliberately local admin rights.

  7. #7

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49

    Re: Can I stop local admins accessing C$ default shares?

    As it seems fairly difficult its a good job ive thought of a solution that doesnt require me to have standalone machines

    We do still have users that are local admin but they are office and admin staff that I trust. I was worrying here really because they were going to be student machines

    We did actually use to have students as local admin but they were locked down enough with GP that they couldnt get to these shares as I remember

    Thanks though everyone

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 7
    Last Post: 26th February 2010, 10:00 AM
  2. Non-domain Laptops accessing user home shares.
    By RockIt in forum How do you do....it?
    Replies: 3
    Last Post: 30th August 2007, 10:37 PM
  3. Local admins and Mandatory Profiles
    By Bobo in forum Windows
    Replies: 21
    Last Post: 2nd April 2007, 03:02 PM
  4. Set Default Printer to Machines with Local Printers
    By Heebeejeebee in forum Windows
    Replies: 15
    Last Post: 5th February 2007, 03:00 PM
  5. admins and domain admins
    By browolf in forum Windows
    Replies: 25
    Last Post: 1st November 2006, 03:29 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •