I find the default admin shares extremely useful, use them all the time, so cant really disable them alltogether.
What I'd like though, is for only domain admins to be able to access them. The reason I ask is that I am setting up some standalone machines which still need some network access.
Any local admin user I create can directly access any PC's C$ share as long as they know the name, and that is a bit of a security problem
Is there a way to restrict access to these shares to just domain admins?
Disable administrative shares in group policies.
Recreate the shares manually with whatever share level permissions you want.
The problem is that a localadmin has the power whatever access they ahve been denied. So they can just take ownership of a resource and add themelves to the permissions list.Originally Posted by Geoff
I said use share level permissions, not NTFS permissions.
Given what NetworkGeezer has said, the only way around this may be to not give out local Admin level access. Is it possible to synthesize a level of access which is 'admin enough' without actually being admin? What exactly do you give out local admin rights for?
Splitting hairs really. They could just create themselves some new shares when they next have physical access.
The problem here is that we have users who have deliberately been given deliberately local admin rights.
As it seems fairly difficult its a good job ive thought of a solution that doesnt require me to have standalone machines
We do still have users that are local admin but they are office and admin staff that I trust. I was worrying here really because they were going to be student machines
We did actually use to have students as local admin but they were locked down enough with GP that they couldnt get to these shares as I remember
Thanks though everyone
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote