Accessing MMC snap in to remote computer and accessing the C$ share

Hello Everyone,

I have a question, but first I want to lay out our environment.
We have Windows 2012 R2 and have a mixture of Windows 7 and Windows 8.1 computers as clients.

I'm having remote connectivity issues with MMC snap-in and accessing the remote C$ share.  Basically cannot access the computer:

I cannot connect to some client computers using the MMC snap in tool.  Specifically the Computer Management part.
On some I can and some I cannot.  These client computers are all on the Domain and not a workgroup.
When trying the MMC snap-in I get the message "Computer \\xyz cannot be managed.  The network path was not found."
Note * I can ping the machine and I can remote desktop into the machine, as I have set those rules up in the Firewall.
I'm a Domain admin and figured out the settings to allow me to do that for ICMP ping-inbound IPv4.

Steps taken to try and resolve this MMC snap-in issue:  I set the Winrm service to Automatic so it starts as a service when the computer starts up, but still no luck.

Also when I try to access the C$ share I get the same message that this computer is not accessible.
This is a new machine I'm currently testing with so there is no current anti-virus on the machine. I also turned off Windows Defender.

I know it's a firewall setting because I turned off the firewall on this particular machine I'm troubleshooting and I was able to get in.

Can someone please assist with what rules need to be enabled or created?

Thank you very much
grizrulesAsked:
grizrulesAuthor Commented:
This is a great article.   However, I will do this on the group policy when I apply it to the test environment.

However, the computer I'm using now does not have this policy, so I can change the firewall via the client side computer.

However, why won't the Winrm service running on the machine allow this to work?   I mean it's basically the same thing you have listed in your post, however you are showing it via group policy, which is the road I will go down.
But for testing I simply enabled the Winrm service on this computer and it's not working.  However, it should be, since that service is running?
0
chuck-williamsCommented:
You enabled the service but it may not have configured the Windows firewall. You don't have to do it through group policy; the article just shows you what is needed. You need to enable Windows Remote Management in Windows firewall.
[Screenshot: WindowsRemoteManagement.jpg]
0
grizrulesAuthor Commented:
I think I answered my own question.  For testing purposes I would go to a client / firewall / and enable Windows Remote Management (HTTP-in) on Domain.   However I see there are other tabs such as computers and users to allow.

I enabled this for testing and still cannot access the C$ share.  Is there something I'm missing?

Remember I'm doing this at the computer level for now, not at the Domain Group Policy level.

I just want to test on a computer that is in the Domain by editing the Firewall locally on that computer.   Now it is the Domain Firewall I'm editing but it's just not through group policy yet.

Thank you for your help
0
chuck-williamsCommented:
Yeah, sorry, I didn't read the C$ share part. I'm pretty sure that is File and Print sharing, which should be on by default for domain joined computers.
[Screenshots: WindowsFirewall-file-sharing.jpg, WindowsFirewall-file-sharing2.jpg]
0

chuck-williamsCommented:
You may want to verify if the computer is using the domain firewall profile.

netsh advfirewall show currentprofile
0
grizrulesAuthor Commented:
Yes it is using the Domain Firewall.  

I was just wanting to know what services and/or firewall rules needed to be opened for MMC console and Admin share accessibility.

So your link above http://www.grouppolicy.biz/2014/05/enable-winrm-via-group-policy/ 
is a great link.

However, just to clarify, I'm just trying this on a test computer that is using the Domain Firewall but I'm changing the settings locally on the computer to ensure that they work.  This way I know what rules to apply when I do create a group policy rule.

So to recap on those screen shots for File and Print sharing:   do all those need to be enabled?  Your screen shot left out if that was Domain, Private, or Public.   I will assume it is for Domain :-)

Question is then:   Should I follow the link to apply those rules to the test computer, or can I just do it via the firewall on this test computer by enabling rules before pushing out a GP?

Thanks !!!
0
chuck-williamsCommented:
Yes those rules are all domain. You will get all those enabled by using the Predefined File and Print Sharing Template in Windows Firewall Advanced Security. I just feel like it is strange that the default domain firewall profile prohibits file and print sharing access.
0
grizrulesAuthor Commented:
Yeah, I thought it was strange also.  I'm in the process of modifying some policies.   I took over for someone that just knew enough to be dangerous, so I'm in the process of redoing a lot of policies.
0
chuck-williamsCommented:
Maybe in the case of testing you get a test machine and put it in an OU and block inheritance to the OU and see if you can see any other differences in your setup. This is not directly related to your issue today just a suggestion.
0
grizrulesAuthor Commented:
Okay I'm done testing.
What I found out was that the Firewall rule for INBOUND
only File and Printer Sharing (SMB-IN) needs to be enabled for an admin to see the c$ share by going to windows explorer or a command prompt and going to \\computerxyz\C$
0
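The finding above (only the inbound SMB-In rule is needed for the C$ share) can be checked and applied locally with the script below. It is an added example, not code from the thread; it assumes the NetSecurity module (Windows 8.1 / Server 2012 R2 or later) and English rule display names, and `$adminSubnet` and the function name `Get-DomainInboundRule` are hypothetical.

```powershell
# Added example: run elevated on the domain-joined test client.
# Assumes the NetSecurity module and English rule display names.

$smbRule     = 'File and Printer Sharing (SMB-In)'   # rule the thread found sufficient for \\computerxyz\C$
$groups      = 'File and Printer Sharing', 'Windows Remote Management'   # groups discussed in the thread
$adminSubnet = $null   # optional scope, e.g. '192.0.2.0/24' (constructed placeholder)

# 1. Confirm the Domain profile is really the one in force
#    (same check as "netsh advfirewall show currentprofile").
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. Report the inbound rules of both groups that apply to the Domain profile,
#    so a working client and a failing client can be compared side by side.
function Get-DomainInboundRule {
    param([string[]]$DisplayGroup)
    Get-NetFirewallRule -Direction Inbound |
        Where-Object { $DisplayGroup -contains $_.DisplayGroup -and
                       "$($_.Profile)" -match 'Domain|Any' } |
        Sort-Object DisplayGroup, DisplayName |
        Select-Object DisplayGroup, DisplayName, Enabled, Profile
}
Get-DomainInboundRule -DisplayGroup $groups | Format-Table -AutoSize

# 3. Enable only the SMB-In rule for the Domain profile instead of the whole
#    File and Printer Sharing group, optionally limited to the admin subnet.
$targets = Get-NetFirewallRule -DisplayName $smbRule |
    Where-Object { "$($_.Profile)" -match 'Domain|Any' }
foreach ($rule in $targets) {
    if ("$($rule.Profile)" -ne 'Domain') {
        # The rule is shared with other profiles; enabling it opens SMB there too.
        Write-Warning "$($rule.Name) also applies to: $($rule.Profile)"
    }
    $rule | Set-NetFirewallRule -Enabled True
    if ($adminSubnet) {
        $rule | Set-NetFirewallRule -RemoteAddress $adminSubnet
    }
}

# 4. Verify the rule state and its remote-address scope.
Get-DomainInboundRule -DisplayGroup 'File and Printer Sharing' | Format-Table -AutoSize
$targets | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# From the admin workstation, confirm TCP 445 is reachable before trying the share:
#   Test-NetConnection -ComputerName computerxyz -Port 445
```

Windows 7 clients do not ship the NetSecurity module, so on those the same rule is enabled through the Windows Firewall with Advanced Security console or `netsh advfirewall`.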
chuck-williamsCommented:
Good to know. I have only used the templates in that case and have never tested each rule individually.
0
grizrulesAuthor Commented:
However, this does involve the testing of the MMC snap-in too.  I did not get to test that yet.  However, let me test that also so we can get a definite answer on this matter to close this question.
So we know that:
" Firewall rule for INBOUND
 only File and Printer Sharing (SMB-IN) needs to be enabled for an admin to see the c$ share by going to windows explorer or a command prompt and going to \\computerxyz\C$  "

However, we still need to test if that will let the mmc snap in work also.
Thanks
0
chuck-williamsCommented:
That part would be the remote administration firewall template I believe. If you were to do it through GPO it would be:

(from Microsoft https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx) Should also work for Windows 7 and 8.

To enable or disable the Remote administration exception

1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.

3. In the details pane, double-click Windows Firewall: Allow remote administration exception.

4. In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled or Disabled.


When it comes to remote administration of 2012 servers it is a bit more involved, but I think you are just asking about clients.
0
grizrulesAuthor Commented:
Yes just clients for now.
Thank you for your help on this matter.
0
grizrulesAuthor Commented:
Great feedback in a timely manner.  Got the information I needed quickly.   I believe we both learned from each other on some items.
Thanks!
0
Question has a verified solution.
