Prompting for login when trying to connect to C$

How do you make it so that when a domain admin tries to connect to C$ on a pc, it prompts for a login and password, that they cannot login to?
RowdyOne078 Asked:

KingHollis Commented:
I don't think this is possible in a domain environment as it defeats the purpose of the single sign-on feature of Kerberos. What is the net effect of what you are trying to achieve? Are you trying to monitor who accesses the default share? Or, are you trying to restrict them?

You could remove the default shares altogether:
Load this into your registry (save between the lines as a .reg file and "run" it)

-------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
---------------------------------------------------------------
Then, recreate the shares however you want e.g. CEE$ then set the desired share permissions.

Again, without knowing what your expected net result is to be, this is an awkward workaround.
0
RowdyOne078 Author Commented:
Someone has done this on my network... I'm trying to figure out what they did... I go to \\ComputerName\C$ and it prompts me. I'm the Domain Admin so I can't figure out how they locked me out.
0
trywaredk Commented:
They have removed you from the local admin group on the workstation. Not you, but the domain admins group of your domain.

Walk to the workstation, log on as local administrator, and add the domain admins group again, and remove the user doing this to you.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0

RowdyOne078 Author Commented:
How can I make it so that users CANNOT ever remove domain admins from the administrator group?

Thanks!
0
KingHollis Commented:
Good call trywaredk!
In a domain environment, you would be able to use Restricted Groups configuration in Group Policies, but Local Policies don't have that as a configuration option. Some time ago, I wrote an ADSI script in VB that allowed me to remotely reset the Administrator's password on all local machines. You could do that and ensure that no one had the local Admin's password and make sure no one has administrative rights on the local workstations.
0
mhambridge Commented:
>>>>>>How can I make it so that users CANNOT ever remove domain admins from the administrator group?

As KingHollis has touched on above, make sure the local user is not a member of the local administrators group, and make sure you are the only one who knows the local administrator's password to all local machines. If they are not in the local administrators group they cannot remove you, and if they don't know the password they can't access it either. Create one which can be set on all local PCs in your network and that way you will be able to control who does what and when.

I hope this helps
0
RowdyOne078 Author Commented:
Thanks Guys
0
trywaredk Commented:
:o) Glad I could help you - thank you for the points

About removing domain admins from the local administrators group, it has already been answered, but remember the following:

1. Anybody who is a member of the local administrators group on a specific workstation can remove anybody else (including the domain admins) from the local admin group, and he/she doesn't even have to walk to the workstation, but can do it remotely from his/her own workstation.

2. If the local administrator's password is equal on all your workstations, anybody breaking the password on one of the workstations has broken all of them. Maybe consider making a different password for the local administrator on your workstations.

You can read more about this issue in my thread here:
http://www.experts-exchange.com/Security/Win_Security/Q_20576959.html

AND ALWAYS REMEMBER: You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.



0
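The conditions discussed in this thread (Domain Admins missing from a workstation's local Administrators group, a domain group added to it, the same domain user being local admin on several workstations) can be audited remotely. The PowerShell below is an added example, not code from any post above; CONTOSO, WS01 and WS02 are placeholder names, the function names are hypothetical, and English-language built-in group names are assumed.

```powershell
# Added example, not from the thread. CONTOSO, WS01 and WS02 are placeholders;
# 'Administrators' and 'Domain Admins' assume English-language built-in names.
function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider reads the group remotely, like Computer Management.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # Domain principal: WinNT://DOMAIN/Name
        # Local account:    WinNT://DOMAIN/COMPUTER/Name
        $parts = ($path -replace '^WinNT://', '').Split('/')
        $account = if ($parts.Count -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[-1] }
        [pscustomobject]@{ Computer = $ComputerName; Account = $account; Class = $class }
    }
}

function Get-LocalAdminAudit {
    param([Parameter(Mandatory)][string[]]$ComputerName,
          [Parameter(Mandatory)][string]$Domain)
    $all = @(foreach ($c in $ComputerName) {
        try   { Get-LocalAdminMember -ComputerName $c }
        catch { Write-Warning "${c}: cannot read Administrators: $($_.Exception.Message)" }
    })
    # Per workstation: is Domain Admins still a member, and which other
    # domain groups have been granted local admin rights?
    foreach ($g in ($all | Group-Object Computer)) {
        $otherGroups = @($g.Group | Where-Object {
            $_.Class -eq 'Group' -and $_.Account -like "$Domain\*" -and
            $_.Account -ne "$Domain\Domain Admins" })
        [pscustomobject]@{
            Computer            = $g.Name
            DomainAdminsPresent = @($g.Group.Account) -contains "$Domain\Domain Admins"
            OtherDomainGroups   = $otherGroups.Account -join ', '
        }
    }
    # Across workstations: one domain user who is local admin on several machines.
    $all | Where-Object { $_.Class -eq 'User' -and $_.Account -like "$Domain\*" } |
        Group-Object Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            Write-Warning "$($_.Name) is local admin on: $($_.Group.Computer -join ', ')"
        }
}

Get-LocalAdminAudit -ComputerName 'WS01', 'WS02' -Domain 'CONTOSO' | Format-Table -AutoSize
```

A workstation where Domain Admins has been removed from Administrators cannot be read by a domain admin this way either, so it shows up as a warning rather than a row; run the audit with an account that still has local admin rights there, or treat the warning itself as the finding.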