Windows 7 Enable access to C$ share

[bart21]

Hi

I have just started rolling windows 7 machines out on our network.

My office machine being the first!

I know you are supposed to be able tio enable the C$ share by turning file and printer sharing on then adding the reg key LocalAccountTokenFilterPolicy as a DWORD with a value of 1.

I have tried the above with no luck.

A colleague at another school said he did the above changes and it worked great. But not for us.

Anyone any ideas as to what more i can do to enable these. (a way with group policy if poss)

Thanks peeps
nick

[FN-GM]

I thought it was on by defualt? I use this lots and i never changed anything.

Do you have the firewall enabled?

[Gatt]

What about UAC?

[pritchardavid]

It believe (not sure) it enabled by default on computers that are joined to a domain

[srochford]

Pretty sure that @p-dave is right. @bart21 - is your machine connected to a domain? If not, try joining it and see what happens.

I've found something which says that you can't use the admin shares (c$ etc) if you've set up a homegroup - have you done that?

The other possibility is that firewall rules are blocking access. Can you access any shares on the machine? If not, then check the firewall settings - by default, Windows 7 does not allow inbound SMB connections.

[bart21]

Hi People, thanks for your replys

The computer is on the domain, and no homegroup, UAC is off.

thanks for your help
nick

[superfletch]

Turn the firewall off and try again, if it works then you know it's definately firewall.

That way you just need to find the right exceptions.

[qcomer]

If it's a machine on an internal ip range behind a hardware firewall why not just turn UAC on and disable the built in firewall?

[SYNACK]

If it's a machine on an internal ip range behind a hardware firewall why not just turn UAC on and disable the built in firewall?

Eek, asking for trouble with no firewall.

What you want to do is just enable "Remote administration exceptions" as well as file and print shareing in group policy under the domain profile. You will need to specify what IP ranges you want to allow but this should push it to all machines. Nice and easy.

[qcomer]

We run no firewalls on our machines and have had mo issues for years now. It adds an additional peice to manage IMHO. This is coming from someone known as the "network Nazi" at work due to my desire for a secure network.

[SYNACK]

We run no firewalls on our machines and have had mo issues for years now. It adds an additional peice to manage IMHO. This is coming from someone known as the "network Nazi" at work due to my desire for a secure network.

You may have got away with it fine but all it needs is one worm to slip past and your network is hosed, lots of the most verilent worms would have been mostly harmless if everyone had bothered to use the built in firewalls rather than disabling them for save a small bit of effort. Most of the exceptions are there anyway its just a case of enabling them and at least it actually lets you know what is running over your network. You find out which weird app needed port 3600 open to spew status updates at a server and choke bandwidth pointlessly etc.

I stand by my statment and opinion that running the built in firewall is the best course of action and the extra work it may cause is trivial compared to the hell it can save you from. Really most stuff is just a few clicks in group policy (as you can define custom firewall rules, all of them, port and application based). Actually having to know a little bit about how the software you are installing works is not a bad thing, I would actually class it as a benifit.

[zag]

There seriously is no need for a local firewall at all, the last time that was a problem was the i love you virus in the year 2000

Things have moved on since then.

[Arthur]

Things have moved on since then.

Now we have Conficker.

[jsnetman]

I must admit we don't run the local firewall either. Have experimented with turning it on but ran in to all sorts of connection issues for apps, we have hundreds here and the thought of applying exceptions to them all is daunting, maybe this is bad practice but we have only been hit with two major viruses, blaster and conficker. Blaster was a bit of a sod to remove but conficker less so and they don't happen that often. But in win 7 and 2008 I think you can allow certain machines/servers to be fully trusted and have all ports open so may have another go since we have moved to 2008 and 7 clients.