RowdyOne078

Prompting for login when trying to connect to C$

How do you make it so that when a domain admin tries to connect to C$ on a PC, it prompts for a login and password that they cannot log in to?
KingHollis

I don't think this is possible in a domain environment as it defeats the purpose of the single sign-on feature of Kerberos. What is the net effect of what you are trying to achieve? Are you trying to monitor who accesses the default share? Or, are you trying to restrict them?

You could remove the default shares altogether:
Load this into your registry (save between the lines as a .reg file and "run" it)

-------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
---------------------------------------------------------------
Then, recreate the shares however you want, e.g. CEE$, then set the desired share permissions.

Again, without knowing what your expected net result is to be, this is an awkward workaround.
RowdyOne078

ASKER

Someone has done this on my network... I'm trying to figure out what they did... I go to \\ComputerName\C$ and it prompts me. I'm the Domain Admin so I can't figure out how they locked me out.
ASKER CERTIFIED SOLUTION
trywaredk
How can I make it so that users CANNOT ever remove domain admins from the administrator group?

Thanks!
Good call trywaredk!
In a domain environment, you would be able to use Restricted Groups configuration in Group Policies, but Local Policies don't have that as a configuration option. Some time ago, I wrote an ADSI script in VB that allowed me to remotely reset the Administrator's password on all local machines. You could do that and ensure that no one had the local Admin's password and make sure no one has administrative rights on the local workstations.
>>>>>>How can I make it so that users CANNOT ever remove domain admins from the administrator group?

As KingHollis has touched on above, make sure the local user is not a member of the local administrators group and make sure you are the only one who knows the local administrator's password to all local machines. If they are not in the local administrators group they cannot remove you, and if they don't know the password they can't access it either. Create one which can be set on all local PCs in your network and that way you will be able to control who does what and when.

I hope this helps
Thanks Guys
:o) Glad I could help you - thank you for the points

About removing domain admins from the local administrators group, it has already been answered, but remember the following:

1. Anybody who is a member of the local administrators group on a specific workstation can remove anybody else (including the domain admins) from the local admin group, and he/she doesn't even have to walk to the workstation, but can do it remotely from his/her own workstation.

2. If the local administrator's password is the same on all your workstations, anybody breaking the password on one of the workstations has broken all of them. Maybe consider making a different password for the local administrator on each of your workstations.

You can read more about this issue in my thread here:
https://www.experts-exchange.com/questions/20576959/Domain-Users-in-Local-Admin-Group.html

AND ALWAYS REMEMBER: You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
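
Added example, not part of the thread and not any poster's code: a Python audit that applies the rules listed above (no domain user groups in the local Administrators group, no domain user as local admin on more than one workstation, Domain Admins still present) to an inventory of local Administrators membership. The CSV layout, the CORP domain name and every sample row are constructed assumptions; collecting the inventory is left to your own tooling.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (hypothetical export format): one row per
# member of each workstation's local Administrators group.
SAMPLE_CSV = r"""computer,member,type
WS01,WS01\Administrator,User
WS01,CORP\Domain Admins,Group
WS01,CORP\alice,User
WS02,WS02\Administrator,User
WS02,CORP\Domain Admins,Group
WS02,CORP\alice,User
WS02,CORP\Domain Users,Group
WS03,WS03\Administrator,User
WS03,CORP\bob,User
"""

def audit_local_admins(csv_text, domain="CORP", admin_group="Domain Admins"):
    """Check local Administrators membership against the thread's rules."""
    members = defaultdict(set)  # computer -> {(account, kind)}
    for row in csv.DictReader(io.StringIO(csv_text)):
        members[row["computer"].upper()].add((row["member"], row["type"].lower()))

    prefix = domain.upper() + "\\"
    admin = prefix + admin_group.upper()
    findings = {"domain_groups": [], "missing_domain_admins": []}
    user_hosts = defaultdict(set)  # domain user -> workstations where it is admin

    for computer in sorted(members):
        names = {account.upper() for account, _ in members[computer]}
        if admin not in names:
            # Someone may have removed Domain Admins (the asker's lockout case).
            findings["missing_domain_admins"].append(computer)
        for account, kind in sorted(members[computer]):
            if not account.upper().startswith(prefix):
                continue  # local account, not covered by these rules
            if kind == "group" and account.upper() != admin:
                findings["domain_groups"].append((computer, account))
            elif kind == "user":
                user_hosts[account.upper()].add(computer)

    # A domain user who is local admin on several workstations has remote
    # admin access (C$, registry, Computer Management) to all of them.
    findings["multi_host_users"] = {
        user: sorted(hosts) for user, hosts in user_hosts.items() if len(hosts) > 1
    }
    return findings

if __name__ == "__main__":
    for rule, result in audit_local_admins(SAMPLE_CSV).items():
        print(rule, result)
```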