Administrative shares on XP Pro machines in an SBS 2003 R2 domain - what should they be and why are mine missing?

I am trying out an RMM and they tell me they can't get to some of the machines because the admin$ share doesn't exist on some machines.

Looking at each machine on the network from the SBS server management panel, I checked the shares on several machines. I know I didn't (intentionally) cancel shares (I didn't think you could even cancel the drive letter shares if you wanted to). As you see, I am getting a wide range of combinations of shares:

PC1: IPC$
PC2: ADMIN$, C$, IPC$
PC3: ADMIN$, C$, IPC$
PC4: print$, IPC$
PC5: ADMIN$, C$, IPC$
PC6: print$, IPC$
PC7: IPC$
PC8: print$, IPC$
PC9: ADMIN$, C$, IPC$, print$
PC10: IPC$, print$, D (without a $)
PC11: IPC$
PC12: IPC$

Any thoughts on how this happened (that there's not a consistent set of shares on all the machines)? And any thoughts on the best way to restore the full set? (And what IS the full set of shares on a member XP Pro desktop PC that's on all the time in an SBS 2003 R2 network?)
Asked by: babaganoosh

1 Solution

fraserc commented:
Hi,

As all the admin ($) shares are (re)created at computer start-up, I would imagine that there is something (bat, vbs, etc.) that is disabling the shares.

There are many viruses/Trojans that do this and I would strongly suggest that you do a full scan on the offending machines. (FYI: Hackers tend to disable these shares to stop anyone else exploiting them once they are in...)

The default shares should be:

C$ (for each logical drive)
ADMIN$
IPC$

Regards,

Fraser

P.S. The machine PC10 has the whole of the D drive shared, this is probably not intended...

fraserc commented:
P.S.

I was going to mention ShareEnum. It is a great free tool from Microsoft to enumerate all the shares and permissions on the network. http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
Definitely worth running in your case...

F.
babaganoosh (Author) commented:
I think the D drive is a CD drive. They are sharing the CD drive for install of apps / netbooks with no CD drives to install apps?

C$? If they have a CD drive should there be a D$, or do just hard drives get shared?

So many are not correct! I am thinking the login script might cause it? But then all the machines would be messed up the same way? So that's not it....

fraserc commented:
Hi,

OK, the D share is OK for a CD drive; this is not a default setting.
An administrative share is created by default for each hard drive at start-up.

A start-up script *could* be it if it is being applied by group policy.
You could test this by using the group policy modeling to see the resultant policy set on one of the machines. http://technet.microsoft.com/en-us/library/cc780305.aspx

Although, if it is something you are not aware of it is much more likely to be something malicious I'm afraid...

F.
babaganoosh (Author) commented:
I'm on site and looking at this problem.  I found this page:

http://support.microsoft.com/kb/842715

that tells you to change 2 registry settings to 1. Looking at a machine with no admin$ and no c$ (PC4 above), the reg values for those 2 keys were 0.

Changed them to 1 and rebooted. Got admin$, c$, ipc$ and print$ along with a shared printer. So that looks good on that machine.

Machine 2 seems OK and has the 2 reg keys set to 1 already.

So a) do I care why those keys changed? They have up-to-date Trend Worry-Free and are not infected according to that (maybe they were at some point in the past; not sure when these shares disappeared).

b) How to fix this / push a registry change to all machines on an SBS 2003 R2 network? I am used to .reg files, but they usually ask for permission to run, and I was thinking of putting it in the login script for the domain?
fraserc commented:
Hi,

1) Yes, you should care why the keys have changed. As it says on the MS link:
"If the administrative shares are not listed, the computer may be running a malicious program that removes the shares during start-up."

2) Use the following code and save it as a .vbs file. It will make the changes. If you push it out as a computer start-up script then it will run with the necessary permissions to make the changes. You could do this via group policy easily.

Const HKEY_LOCAL_MACHINE = &H80000002
Dim objRegistry, objNetwork

strComputer = "."

Set objRegistry = GetObject _
    ("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
Set objNetwork = CreateObject _
    ("WScript.Network")

strKeyPath = "System\CurrentControlSet\Services\lanmanserver\parameters"

objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareWks", 1
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareServer", 1

fraserc commented:
Oops, sorry, the code snippet I just posted has an error: "SetStringValue" should be "SetDWORDValue".
Here is the correct code...
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Dim objRegistry, strComputer, strKeyPath

' "." = the local machine. Run this as a computer start-up script so it
' executes with the rights needed to write under HKLM.
strComputer = "."

Set objRegistry = GetObject _
    ("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "System\CurrentControlSet\Services\lanmanserver\parameters"

' AutoShareWks applies to workstations, AutoShareServer to servers.
' 1 = recreate the administrative shares at start-up, 0 = suppress them
' (see KB 842715). Both values are REG_DWORD, hence SetDWORDValue.
objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareWks", 1
objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareServer", 1

babaganoosh (Author) commented:
Thanks for the script. Let me ask you this.... As the KB article said, and as I saw, those machines that are running correctly (have admin$ and c$) don't have those registry keys at all.

What would you think the pros / cons are of deleting the 0 keys vs. changing the value to 1?!

I remotely loaded the problem PCs' registries (about 10 machines in total) and manually deleted the 2 keys on 1/2 the machines, and on the other half changed the 0 to 1....

I noted which I did what to. We'll see if 1 way lets the problem come back?

fraserc commented:
Hi,

Setting the keys to 1 or deleting the 0 entries has the exact same functionality because 1 (or on) is the default value.

The main thing for you to do is to find what created the key and set it to 0 in the first place.
Setting some to 1 and deleting some others could be a good way to diagnose the problem.
If on any machine the issue returns, then a good free tool to help track down the cause would be AutoRuns: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
It will let you see *all* the things that a computer runs at start-up.

Hope that helps,

F.
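As an added example (not code from the thread or from either poster), here is an audit that does the other half of what fraserc describes: before pushing the start-up script, enumerate each member PC's shares, compute the expected default set (ADMIN$, IPC$ and one <letter>$ per fixed disk, not per CD drive), and read the AutoShareWks value from KB 842715 so machines with an explicit 0 can be flagged for an AutoRuns/scan check rather than silently repaired. It assumes Windows PowerShell 5.1 with Get-WmiObject (DCOM, which XP answers), run as a domain admin from a host that can reach the PCs; the computer names are placeholders.

```powershell
# Added example, not from the thread. Audit XP Pro members for the default
# administrative shares and the AutoShareWks value (KB 842715).
# Assumes Windows PowerShell 5.1, Get-WmiObject over DCOM, run as a domain admin.
$Computers = @('PC1', 'PC4', 'PC10')   # placeholder names, replace with your own
$KeyPath   = 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$HKLM      = [uint32]2147483650        # &H80000002, the same constant the VBS uses

foreach ($pc in $Computers) {
    try {
        # Shares the Server service currently exposes on this machine
        $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $pc -ErrorAction Stop |
                    Select-Object -ExpandProperty Name)

        # Expected defaults: ADMIN$, IPC$ and <letter>$ for each local fixed disk
        # (DriveType 3). CD-ROM drives (DriveType 5) never get an automatic share.
        $fixed = @(Get-WmiObject -Class Win32_LogicalDisk -ComputerName $pc -Filter 'DriveType=3' |
                   ForEach-Object { $_.DeviceID.TrimEnd(':') + '$' })
        $expected = @('ADMIN$', 'IPC$') + $fixed
        $missing  = @($expected | Where-Object { $shares -notcontains $_ })

        # Read AutoShareWks via the remote registry provider. ReturnValue 0 means the
        # value exists; an absent value is the default and behaves like 1.
        $reg = [wmiclass]"\\$pc\root\default:StdRegProv"
        $r   = $reg.GetDWORDValue($HKLM, $KeyPath, 'AutoShareWks')
        if ($r.ReturnValue -eq 0) { $autoShare = $r.uValue } else { $autoShare = 'absent (default)' }
        $setToZero = ($r.ReturnValue -eq 0 -and $r.uValue -eq 0)

        [pscustomobject]@{
            Computer     = $pc
            AutoShareWks = $autoShare
            Missing      = ($missing -join ', ')
            # An explicit 0 plus missing shares is the KB 842715 pattern: review
            # start-up items (AutoRuns) and scan before simply flipping it back to 1.
            Investigate  = $setToZero -or ($missing.Count -gt 0)
        }
    } catch {
        # Typically RPC unavailable, firewall, or the PC is off; report and continue
        Write-Warning "${pc}: $($_.Exception.Message)"
    }
}
```

Pipe the output to Format-Table or Export-Csv and compare it against the share list in the question; a machine reporting Missing = ADMIN$, C$ with AutoShareWks = 0 is the case the thread is diagnosing.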