Local admins of domain computers can access ANY machine in domain
Hi there,
There is an interesting discovery we have made...
A local administrator on a domain computer can access the C$ share on ANY domain computer in our domain.
The simple question is... How do we prevent this from happening?
Sincerely,
The Terrible Johnny
There is an interesting discovery we have made...
A local administrator on a domain computer can access the C$ share on ANY domain computer in our domain.
The simple question is... How do we prevent this from happening?
Sincerely,
The Terrible Johnny
This is pass through authentication. As long as the local username and password match, this will occur. This is by design.
thus if you have the same administrator password on all machines, they will inherit admin rights via pass-through authentication.
To prevent this, change the password on the machines.
Also make sure your domain's Administrator password is different.
thus if you have the same administrator password on all machines, they will inherit admin rights via pass-through authentication.
To prevent this, change the password on the machines.
Also make sure your domain's Administrator password is different.
ASKER
Does this mean that the only solution is to change the passwords?
The same password on all machines is the best way to access computers that for any reason cannot access the domain controller, for example.
Maybe there is a GPO? :)
The same password on all machines is the best way to access computers that for any reason cannot access the domain controller, for example.
Maybe there is a GPO? :)
The question is.... is this ONLY happening when you log in as ADMINISTRATOR locally?
if so, you can keep that all the same.... I would advise you do not log your users in as local administrator.....
Set them up with a different username.... and if you need to give them local admin access.... on the machine they are using.... then they will not be able to access other machines C$
if so, you can keep that all the same.... I would advise you do not log your users in as local administrator.....
Set them up with a different username.... and if you need to give them local admin access.... on the machine they are using.... then they will not be able to access other machines C$
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
a better practice is to place Groups in the local admins.
Say your have a sales group that needs admins on 5 computers. Only put the sales group in local admins on those 5 computers. They will not be able to connect to the admin shares of computers they are not a local admin on.
Say your have a sales group that needs admins on 5 computers. Only put the sales group in local admins on those 5 computers. They will not be able to connect to the admin shares of computers they are not a local admin on.
ASKER
Thanks a million :)
Placing the admins in the local admins group may not be correct in our domain.
Placing the admins in the local admins group may not be correct in our domain.
with all machines having the same local administrator password?
you grant a standard domain user local admin, and all of a sudden they can access everything, maybe your Domain Admins group has local admins as a member.... try removing it and see if they can still...