Administrative shares on XP Pro machines in an SBS 2003 R2 domain - what should they be and why are mine missing?

babaganoosh asked
Last Modified: 2012-05-06
I am trying out an RMM and they tell me they can't get to some of the machines because the admin$ share doesn't exist on some machines.

Looking at each machine on the network from the SBS server management panel, I checked the shares on several machines.  I know I didn't (intentionally) cancel shares (I didn't think you could even cancel the drive letter shares if you wanted to).  As you see, I am getting a wide range of combinations of shares:

PC1:IPC$
PC2: ADMIN$, C$, IPC$
PC3: ADMIN$, C$, IPC$
PC4: print$, IPC$
PC5: ADMIN$, C$, IPC$
PC6: print$, IPC$
PC7: IPC$
PC8: print$, IPC$
PC9: ADMIN$, C$, IPC$, print$
PC10: IPC$, print$, D (without a $)
PC11: IPC$
PC12: IPC$

Any thoughts on how this happened (that there's not a consistent set of shares on all the machines)?  And any thoughts on the best way to restore the full set?  (and what IS the full set of shares on a member xp pro desktop PC that's on all the time in an SBS 2003 R2 network?)

Commented:
Hi,

As all the admin ($) shares are (re)created at computer start up I would imagine that there is something (bat, vbs, etc) that is disabling the shares.

There are many viruses/Trojans that do this and I would strongly suggest that you do a full scan on the offending machines. (FYI: Hackers tend to disable these shares to stop anyone else exploiting them once they are in...)

The default shares should be:

C$ (for each logical drive)
ADMIN$
IPC$

Regards,

Fraser

P.S. The machine PC10 has the whole of the D drive shared, this is probably not intended...

Commented:
p.s.

I was going to mention ShareEnum - It is a great free tool from Microsoft to enumerate all the shares and permissions on the network.  http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
Definitely worth running in your case...

F.

Author

Commented:
I think the d drive is a cd drive - they are sharing the cd drive for install of apps / netbooks with no cd drives to install apps?

c$?  If they have a CD drive should there be a D$ or just hard drives get shared?

so many are not correct!  I am thinking the login script might cause it?  But then all the machines would be messed up the same way?  so that's not it....

Commented:
Hi,

OK the D share is OK for a CD drive, this is not a default setting.
An administrative share is created by default for each hard drive at start up.

A start up script *could* be it if it is being applied by group policy.
You could test this by using the group policy modeling to see the resultant policy set on one of the machines. http://technet.microsoft.com/en-us/library/cc780305.aspx

Although, if it is something you are not aware of it is much more likely to be something malicious I'm afraid...

F.

Author

Commented:
I'm on site and looking at this problem.  I found this page:

http://support.microsoft.com/kb/842715

that tells you to change 2 registry settings to 1.  Looking at a machine with no admin$ and no c$ (PC4 above), the reg values for those 2 keys were 0.

Changed them to 1 and rebooted.  got admin$ c$, ipc$ and print$ along with a shared printer.  so that looks good on that machine.

machine 2 seems OK and has the 2 reg keys set to 1 already.

so a) do I care why those keys changed - they have up to date trend Worry free and not infected according to that (maybe they were at some point in the past - not sure when these shares disappeared).

b) how to fix this / push a registry change to all machines on an sbs 2003 R2 network?  I am used to .reg files, but they usually ask for permission to run and I was thinking of putting it in the login script for the domain?

Commented:
Hi,

1) Yes you should care why the keys have changed. As it says on the MS link:
"If the administrative shares are not listed, the computer may be running a malicious program that removes the shares during start-up."

2) Use the following code and save it as a vbs file. It will make the changes. If you push it out as a computer start-up script then it will run with the necessary permissions to make the changes. You could do this via group policy easily.

Const HKEY_LOCAL_MACHINE = &H80000002
Dim objRegistry, objNetwork
 
strComputer = "."
 
Set objRegistry = GetObject _
    ("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
Set objNetwork = CreateObject _
	("WScript.Network") 
 
strKeyPath = "System\CurrentControlSet\Services\lanmanserver\parameters"
 
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareWks", 1
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareServer", 1


Commented:
Ooops, sorry the code snippet I just posted has an error. "SetStringValue" should be "SetDWORDValue".
Here is the correct code...
' Registry hive constant expected by StdRegProv
Const HKEY_LOCAL_MACHINE = &H80000002
Dim objRegistry, objNetwork
 
strComputer = "."   ' local machine
 
' WMI registry provider
Set objRegistry = GetObject _
    ("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
Set objNetwork = CreateObject _
    ("WScript.Network")   ' not used below
 
strKeyPath = "System\CurrentControlSet\Services\lanmanserver\parameters"
 
' 1 = create the administrative shares at start-up (REG_DWORD)
objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareWks", 1
objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "AutoShareServer", 1


Author

Commented:
thanks for the script.  Let me ask you this....  as the KB article said, and as I saw, those machines that are running correctly (have admin$ and c$), don't have those registry keys at all.

What would you think the pros / cons of deleting the 0 keys vs. changing the value to 1?!

I remotely loaded the problem PCs registries (about 10 machines in total) and manually deleted the 2 keys on 1/2 the machines and on the other half, changed the 0 to 1....

I noted which I did what to.  we'll see if 1 way lets the problem come back?  



Commented:
Hi,

Setting the keys to 1 or deleting the 0 entries has the exact same functionality because 1 (or on) is the default value.

The main thing for you to do is to find what has created the key and set it to 0 in the first place.
Setting some to 1 and deleting some others could be a good way to diagnose the problem.
If on any machine the issue returns then a good free tool to use to help track down the cause would be AutoRuns: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
It will let you see *all* the things that a computer runs at start up.

Hope that helps,

F.
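
Added example, not part of the original thread: a Python triage of the share inventory from the question against the default set and the AutoShareWks behaviour described in the answers. The finding labels and the "absent" marker are names assumed here; the only registry values used are the two the thread reports (0 on PC4, 1 on PC2).

```python
import re

# Default administrative shares named in the answer above (C$ = system drive).
EXPECTED = {"ADMIN$", "C$", "IPC$"}
# Share inventory copied from the question.
INVENTORY = """PC1:IPC$
PC2: ADMIN$, C$, IPC$
PC3: ADMIN$, C$, IPC$
PC4: print$, IPC$
PC5: ADMIN$, C$, IPC$
PC6: print$, IPC$
PC7: IPC$
PC8: print$, IPC$
PC9: ADMIN$, C$, IPC$, print$
PC10: IPC$, print$, D (without a $)
PC11: IPC$
PC12: IPC$"""
# AutoShareWks as reported in the thread (0 on PC4, 1 on PC2); others unchecked.
AUTOSHARE_WKS = {"PC4": 0, "PC2": 1}
# Verdict when admin shares are missing; 1 and "absent" (assumed marker) both mean enabled.
WHY = {0: "disabled-by-registry", 1: "removed-after-startup",
       "absent": "removed-after-startup"}

def parse_inventory(text):
    """Return {host: set of share names} from 'HOST: share, share' lines."""
    hosts = {}
    for line in text.splitlines():
        host, sep, rest = line.partition(":")
        if sep:
            rest = re.sub(r"\(.*?\)", "", rest)  # drop notes like "(without a $)"
            hosts[host.strip()] = {s.strip() for s in rest.split(",") if s.strip()}
    return hosts

def triage(host, shares, registry=AUTOSHARE_WKS):
    findings = []  # an empty list means nothing to chase on this host
    missing = sorted(EXPECTED - {s.upper() for s in shares})
    if missing:
        why = WHY.get(registry.get(host), "check-registry")  # unchecked host
        findings.append(f"{why}: missing {', '.join(missing)}")
    for s in sorted(shares):
        if re.fullmatch(r"[A-Za-z]", s):  # whole drive shared under a visible name
            findings.append(f"visible-drive-share: {s}")
    return findings

def report(text=INVENTORY):
    return {h: triage(h, s) for h, s in parse_inventory(text).items()}

if __name__ == "__main__":
    print("\n".join(f"{h}: {f or 'ok'}" for h, f in report().items()))
```

A host flagged "removed-after-startup" has the shares enabled yet missing, which is the case where the start-up items are worth inspecting first.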
