babaganoosh asked:

Administrative shares on XP Pro machines in an SBS 2003 R2 domain - what should they be and why are mine missing?

I am trying out an RMM and they tell me they can't get to some of the machines because the admin$ share doesn't exist on some machines.

Looking at each machine on the network from the SBS server management panel, I checked the shares on several machines.  I know I didn't (intentionally) cancel shares (I didn't think you could even cancel the drive letter shares if you wanted to).  As you see, I am getting a wide range of combinations of shares:

PC1: IPC$
PC2: ADMIN$, C$, IPC$
PC3: ADMIN$, C$, IPC$
PC4: print$, IPC$
PC5: ADMIN$, C$, IPC$
PC6: print$, IPC$
PC7: IPC$
PC8: print$, IPC$
PC9: ADMIN$, C$, IPC$, print$
PC10: IPC$, print$, D (without a $)
PC11: IPC$
PC12: IPC$

Any thoughts on how this happened (that there's not a consistent set of shares on all the machines)?  And any thoughts on the best way to restore the full set?  (and what IS the full set of shares on a member xp pro desktop PC that's on all the time in an SBS 2003 R2 network?)

fraserc

Hi,

As all the admin ($) shares are (re)created at computer start up I would imagine that there is something (bat, vbs, etc) that is disabling the shares.

There are many viruses/Trojans that do this and I would strongly suggest that you do a full scan on the offending machines. (FYI: Hackers tend to disable these shares to stop anyone else exploiting them once they are in...)

The default shares should be:

C$ (for each logical drive)
ADMIN$
IPC$

Regards,

Fraser

P.S. The machine PC10 has the whole of the D drive shared, this is probably not intended...

p.s.

I was going to mention ShareEnum - It is a great free tool from Microsoft to enumerate all the shares and permissions on the network.  http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
Definitely worth running in your case...

F.

babaganoosh (ASKER)

I think the d drive is a cd drive - they are sharing the cd drive for install of apps / netbooks with no cd drives to install apps?

c$?  If they have a CD drive should there be a D$ or just hard drives get shared?

so many are not correct!  I am thinking the login script might cause it?  But then all the machines would be messed up the same way?  so that's not it....

Hi,

OK the D share is OK for a CD drive, this is not a default setting.
An administrative share is created by default for each hard drive at start up.

A start up script *could* be it if it is being applied by group policy.
You could test this by using the group policy modeling to see the resultant policy set on one of the machines. http://technet.microsoft.com/en-us/library/cc780305.aspx

Although, if it is something you are not aware of it is much more likely to be something malicious I'm afraid...

F.

I'm on site and looking at this problem.  I found this page:

http://support.microsoft.com/kb/842715

that tells you to change 2 registry settings to 1.  Looking at a machine with no admin$ and no c$ (PC4 above), the reg values for those 2 keys were 0.

Changed them to 1 and rebooted.  Got admin$, c$, ipc$ and print$ along with a shared printer.  So that looks good on that machine.

machine 2 seems OK and has the 2 reg keys set to 1 already.

so a) do I care why those keys changed - they have up to date trend Worry free and not infected according to that (maybe they were at some point in the past - not sure when these shares disappeared).

b) how to fix this / push a registry change to all machines on an sbs 2003 R2 network?  I am used to .reg files, but they usually ask for permission to run and I was thinking of putting it in the login script for the domain?

Hi,

1) Yes, you should care why the keys have changed. As it says on the MS link: "If the administrative shares are not listed, the computer may be running a malicious program that removes the shares during start-up."

2) Use the following code and save it as a vbs file. It will make the changes. If you push it out as a computer start-up script then it will run with the necessary permissions to make the changes. You could do this via group policy easily.

Const HKEY_LOCAL_MACHINE = &H80000002
Dim objRegistry, objNetwork
 
strComputer = "."
 
Set objRegistry = GetObject _
    ("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
Set objNetwork = CreateObject _
	("WScript.Network") 
 
strKeyPath = "System\CurrentControlSet\Services\lanmanserver\parameters"
 
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareWks", 1
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareServer", 1


Ooops, sorry the code snippet I just posted has an error. "SetStringValue" should be "SetDWORDValue".
Here is the correct code...
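' Registry hive constant expected by the WMI StdRegProv provider
Const HKEY_LOCAL_MACHINE = &H80000002
Dim objRegistry, objNetwork

' "." targets the local computer, which is what a start-up script needs
strComputer = "."

' Connect to the WMI registry provider on that computer
Set objRegistry = GetObject _
    ("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
' (objNetwork is created here but not used by this script)
Set objNetwork = CreateObject _
    ("WScript.Network")

' Server service parameters key that holds the automatic share settings
strKeyPath = "System\CurrentControlSet\Services\lanmanserver\parameters"

' Write both values as REG_DWORD 1
objRegistry.SetDWORDValue  HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareWks", 1
objRegistry.SetDWORDValue  HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareServer", 1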


thanks for the script.  Let me ask you this....  as the KB article said, and as I saw, those machines that are running correctly (have admin$ and c$), don't have those registry keys at all.

What would you think the pros / cons of deleting the 0 keys vs. changing the value to 1?!

I remotely loaded the problem PCs registries (about 10 machines in total) and manually deleted the 2 keys on 1/2 the machines and on the other half, changed the 0 to 1....

I noted which I did what to.  we'll see if 1 way lets the problem come back?  
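
An added example, not code from any poster in this thread: a read-only audit that reports, per machine, whether AutoShareWks and AutoShareServer are absent, 0 or 1, and which shares are currently published, so the two groups of PCs can be compared after each reboot. The host names are placeholders, and it assumes remote WMI is reachable and the script is run with cscript under an account that has administrative rights on the targets.

```vbscript
' Added example: audit of the automatic administrative shares (read-only).
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH = "System\CurrentControlSet\Services\lanmanserver\parameters"

' Placeholder host names; replace with the machines to check.
Dim arrComputers, strComputer
arrComputers = Array("PC1", "PC2", "PC3")

For Each strComputer In arrComputers
    WScript.Echo strComputer & ": " & AuditComputer(strComputer)
Next

' Returns one report line: both registry values plus the shares published now.
Function AuditComputer(strHost)
    Dim objReg, objWmi, objShare, strShares
    On Error Resume Next
    Set objReg = GetObject("winmgmts:\\" & strHost & "\root\default:StdRegProv")
    Set objWmi = GetObject("winmgmts:\\" & strHost & "\root\cimv2")
    If Err.Number <> 0 Then
        AuditComputer = "WMI unreachable (" & Err.Description & ")"
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    strShares = ""
    For Each objShare In objWmi.ExecQuery("SELECT Name FROM Win32_Share")
        strShares = strShares & " " & objShare.Name
    Next

    AuditComputer = "AutoShareWks=" & ReadFlag(objReg, "AutoShareWks") & _
        ", AutoShareServer=" & ReadFlag(objReg, "AutoShareServer") & _
        ", shares:" & strShares
    If InStr(1, strShares & " ", " ADMIN$ ", vbTextCompare) = 0 Then
        AuditComputer = AuditComputer & "  <-- ADMIN$ missing"
    End If
End Function

' Separates an explicit 0 or 1 from a value that is missing, or that was
' written with another type and so cannot be read as a DWORD.
Function ReadFlag(objReg, strName)
    Dim lngValue
    If objReg.GetDWORDValue(HKEY_LOCAL_MACHINE, KEY_PATH, strName, lngValue) = 0 Then
        ReadFlag = CStr(lngValue)
    Else
        ReadFlag = "(absent or not a DWORD)"
    End If
End Function
```

Saving the output from each run gives a dated record of when a value flips back to 0 or a share disappears again.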


