
Local admins of domain computers can access ANY machine in domain

potworny asked
Last Modified: 2010-04-21
Hi there,

There is an interesting discovery we have made...
A local administrator on a domain computer can access the C$ share on ANY domain computer in our domain.

The simple question is... How do we prevent this from happening?

Sincerely,
The Terrible Johnny

Commented:
Weird.... Is that local admin account Administrator?

With all machines having the same local administrator password?

You grant a standard domain user local admin, and all of a sudden they can access everything; maybe your Domain Admins group has local admins as a member.... Try removing it and see if they can still...

Pber, Solutions Architect
CERTIFIED EXPERT

Commented:
This is pass through authentication.  As long as the local username and password match, this will occur.  This is by design.

Thus, if you have the same administrator password on all machines, they will inherit admin rights via pass-through authentication.

To prevent this, change the password on the machines.

Also make sure your domain's Administrator password is different.
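An added example, not part of the original thread: one way to see this behaviour in logs is to scan successful-logon records (Security event 4624) for network logons made with a local account, and report any account name that one source machine used on several other machines. The event records are constructed, and the check assumes that a local account appears with the target machine's own name as its account domain.

```python
from collections import defaultdict

# Constructed sample: Windows Security event 4624 (logon) records reduced to
# the fields used below. All host and account names are made up.
EVENTS = [
    {"Computer": "PC-002", "TargetUserName": "Administrator",
     "TargetDomainName": "PC-002", "LogonType": 3, "WorkstationName": "PC-001"},
    {"Computer": "PC-003.corp.example", "TargetUserName": "Administrator",
     "TargetDomainName": "PC-003", "LogonType": 3, "WorkstationName": "PC-001"},
    # Domain account: account domain is the AD domain, so it is ignored.
    {"Computer": "PC-004", "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "LogonType": 3, "WorkstationName": "PC-001"},
    # Interactive (type 2) logon at the console: not a network logon.
    {"Computer": "PC-002", "TargetUserName": "Administrator",
     "TargetDomainName": "PC-002", "LogonType": 2, "WorkstationName": "PC-002"},
    # Local account accepted on only one other machine: below the threshold.
    {"Computer": "PC-005", "TargetUserName": "helpdesk",
     "TargetDomainName": "PC-005", "LogonType": 3, "WorkstationName": "PC-009"},
]


def short(name):
    """Lower-case host name with any DNS suffix removed."""
    return name.split(".")[0].lower()


def is_local_account_network_logon(ev):
    """Type 3 (network) logon whose account domain is the target host itself."""
    return (ev["LogonType"] == 3
            and short(ev["TargetDomainName"]) == short(ev["Computer"]))


def find_shared_local_accounts(events, min_targets=2):
    """Return {(source, account): [targets]} for local accounts that one
    source used successfully on at least min_targets other machines."""
    reached = defaultdict(set)
    for ev in events:
        if not is_local_account_network_logon(ev):
            continue
        src, dst = short(ev["WorkstationName"]), short(ev["Computer"])
        if src != dst:  # skip a machine connecting to itself
            reached[(src, ev["TargetUserName"].lower())].add(dst)
    return {k: sorted(v) for k, v in reached.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, user), targets in find_shared_local_accounts(EVENTS).items():
        print(f"{src}: local account '{user}' accepted on {', '.join(targets)}")
```

A hit means the same local username and password were accepted on every listed machine, which is the condition described above; after the passwords are made different per machine, the same account name should stop appearing across targets.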
Author

Commented:
Does this mean that the only solution is to change the passwords?
The same password on all machines is the best way to access computers that for any reason cannot access the domain controller, for example.

Maybe there is a GPO? :)

Commented:
The question is.... is this ONLY happening when you log in as ADMINISTRATOR locally?

If so, you can keep that all the same.... I would advise you do not log your users in as local administrator.....

Set them up with a different username.... and if you need to give them local admin access.... on the machine they are using.... then they will not be able to access other machines' C$
Commented:
A better practice is to place Groups in the local admins.

Say you have a sales group that needs admins on 5 computers. Only put the sales group in local admins on those 5 computers. They will not be able to connect to the admin shares of computers they are not a local admin on.

Author

Commented:
Thanks a million :)

Placing the admins in the local admins group may not be correct in our domain.
