Prompting for login when trying to connect to C$

How do you make it so that when a domain admin tries to connect to C$ on a pc, it prompts for a login and password, that they cannot login to?
Who is Participating?
trywaredkConnect With a Mentor Commented:
They have removed you from the local admin group on the workstation. Not you, but the domain admins group of your domain.

Walk to the workstation, logon as local administrator, and add the domain admins gropu again, and remove the user, doing this to you.

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
I don't think this is possible in a domain environment as it defeats the purpose of the single sign-on feature of Kerberos. What is the net effect of what you are trying to achieve? Are you trying to monitor who accesses the default share? Or, are you trying to restrict them?

You could remove the default shares altogether:
Load this into your registry (save between the lines as a .reg file and "run" it)

Windows Registry Editor Version 5.00

Then, recreate the shares however you want e.g. CEE$ then set the desired share permissions.

Again, without knowing what your expected net result is to be, this is an awkward workaround.
RowdyOne078Author Commented:
Someone has done this on my network... Im trying to figure out what they did...  I go to \\ComputerName\C$ and it prompts me.  Im the Domain Admin so I cant figure out how they locked me out.
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

RowdyOne078Author Commented:
How can I make it so that users CANNOT ever remove domain admins from the administrator group

Good call trywaredk!
In a domain environment, you would be able to use Restricted Groups configuration in Group Policies, but Local Policies don't have that as a configuration option. Sometime ago, I wrote an ADSI script in VB that allowed me to remotely reset the Administrator's password on all local machines. You could do that and ensure that no one had the local Admin's password and make sure no one has administrative rights on the local workstations.
>>>>>>How can I make it so that users CANNOT ever remove domain admins from the administrator group?

As KingHollis has touched on above make sure the local user is not a member of the local administrators group and make sure you are the only one who knows the local administrators password to all local machines. If they are not in the local administrators group they can not remove you and if they don't know the password they can't access it either. Create one which can be set on all local pc's in your network and that way you will be able to control who does what and when.

I hope this helps
RowdyOne078Author Commented:
Thanks Guys
:o) Glad I could help you - thank you for the points

About removing domain admins from the local administrators group, it has already been answered, but remember the following:

1. Anybody being member of the local administrators group on a specific workstation, can remove anybody else (including the domain admins) from the local admin group, and he/she does'nt even have to walk to the workstation, but can do it remote from his/hers own workstation.

2. If the local administrators password is equal on all your workstations, anybody breaking the password on one of the workstations, has broken all of them. Maybe consider making different password for local adminstrator on your workstations.

You can read more about this issue in my thread here:

AND ALLWAYS REMEMBER: You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.