asked on
Admin shares accessible to domain users
We recently upgraded our SBS 2003 server to SBS 2008. Since then we've discovered that all admin shares on all machines (servers and workstations) are accessible to all domain users from any other machine.
I've confirmed that the domain user group isn't in the administrator or domain admin groups or anything silly like that. Also all of our domain users do NOT have local admin privileges.
As far as I can tell there isn't anywhere to specifically modify admin share permissions.
Any idea what's causing this & how to fix it?
I've confirmed that the domain user group isn't in the administrator or domain admin groups or anything silly like that. Also all of our domain users do NOT have local admin privileges.
As far as I can tell there isn't anywhere to specifically modify admin share permissions.
Any idea what's causing this & how to fix it?
Windows Server 2008SBS
Last Comment
tcrtech
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Check that the guest account has not been enabled or anything crazy like that maybe.
Are you speaking of the C$ admin shares?
ASKER
no guest accounts.
yes, all of the <drive>$ shares.
yes, all of the <drive>$ shares.
I can't even find official documentation for the default share ACEs or permissions.
Maybe disable the shares and re-enable?
Double check what groups the domain users are in.. and double check local user groups..
Maybe disable the shares and re-enable?
Double check what groups the domain users are in.. and double check local user groups..
use gpresult on a client while logged in as a normal user.
this will tell you what group policies are applying.
alternatively use the group policy results wizard on the server to see what is applied.
One of the settings in your group policies is assigning admin rights to all users.
alternatively, open a user in active directory and check what groups they are members of. follow each group to see which groups they are members of too, right up to the top level. one of the groups may be nested and effectively be an administrator.
this will tell you what group policies are applying.
alternatively use the group policy results wizard on the server to see what is applied.
One of the settings in your group policies is assigning admin rights to all users.
alternatively, open a user in active directory and check what groups they are members of. follow each group to see which groups they are members of too, right up to the top level. one of the groups may be nested and effectively be an administrator.
ASKER
ok, it's definitely a problem with the NTFS shares, but I'm not sure how to fix it.
On the domain computers the group "Domain Users" is in the local "Users" group. Then on the NTFS permission of each computer, the local "Users" group has read access. So that tells me that every user on the domain has access.
I assume that this setup is necessary for domain users to have access to the drive when they login to the machine, but how do I prevent remote domain users from accessing those drives via the <drive>$ shares?
On the domain computers the group "Domain Users" is in the local "Users" group. Then on the NTFS permission of each computer, the local "Users" group has read access. So that tells me that every user on the domain has access.
I assume that this setup is necessary for domain users to have access to the drive when they login to the machine, but how do I prevent remote domain users from accessing those drives via the <drive>$ shares?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
ok, so you were technically correct, just not complete. The permissions were all correct and the groups were all correct. But walking through all of those & the process of elimination led me to the solution.
Even though they are called "Admin Shares," anyone in the Backup Operators group also has access to them, not just administrators. In our case most of our users have Acronis Backup & Recovery installed which requires users to be in either the local Administrators group or the Backup Operators group. So we have a GPO that adds all domain users to the local Backup Operators group.
Removing the users from that group fixes the Admin shares problem, but prevents them from using Acronis.
Even though they are called "Admin Shares," anyone in the Backup Operators group also has access to them, not just administrators. In our case most of our users have Acronis Backup & Recovery installed which requires users to be in either the local Administrators group or the Backup Operators group. So we have a GPO that adds all domain users to the local Backup Operators group.
Removing the users from that group fixes the Admin shares problem, but prevents them from using Acronis.
ASKER
The information was mostly accurate, but incomplete. Administrators are not the only group with access to the Admin shares. And anyone in the Backup Operators group super-cedes individual drive permissions.
On the Security tab I have:
Authenticated Users - Allow Special Permission
System - Allow All
Local Administrators - Allow All
Local Users - Allow Read & execute, Allow List folder contents, Allow Read.
I'm not sure I understand "special permissions" for the authenticated users. What is that, where did it come from, & do I need it?