non-domain client access to shares & server root c$

Just noticed a client image we have (not on domain) can access server shares c$ etc..
Seem to have less security that standard users on the domain..

Domain 2012, most server shares are on 2008 r2 boxes.  
Clients Windows 7 Pro.  Have the local admin account a member of the administrators group.  The administrators group has admin, domain\domain admins\ and domain\localadminsgroup\ added.  
An example server share doesn't have any of these groups added to c$ or the shares.

Ideas?
LVL 1
CHI-LTDAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CHI-LTDAuthor Commented:
To add.  The image network settings are showing the domain.local however the computer properties are showing its tied to a workgroup...
My dev server which doesn't have any shares (essentially default 2008 r2 box), is on the domain can also be accessed by these win7 maegs as local admin..
0
McKnifeCommented:
Open credential manager and delete the (presumably saved) admin credentials.
0
CHI-LTDAuthor Commented:
on the client right?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

CHI-LTDAuthor Commented:
if so, there arent any saved on the clients or servers
0
McKnifeCommented:
This sounds odd. You know, the security restrictions for access to c$ are at the server, not at the client. So it won't be possible without access to different credentials.
0
CHI-LTDAuthor Commented:
im thinking GPO..
0
David Johnson, CD, MVPOwnerCommented:
you may have used the same password for the local administrator account on these other machines.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
CHI-LTDAuthor Commented:
yes, so would that be it?
I've just noticed that dameware shows the root shares with everyone group with full control.   its different in MMC.
Deleting everyone fixed the problem.
rebooting re-enabled the group...

Default Domain Controllers Policy - Computer - policies - Windows Settings - Local policies/User Rights Assignment - Access this computer from the network - every is in there..
Is this the problem..?
0
McKnifeCommented:
"Permission        Everyone, FULL" is the default share permission for c$. But: no one but local admins can access c$ anyway, so it should not matter.
"Is this the problem..?" - no, definitely not, as this is the default.
Did you check what David wrote?
0
CHI-LTDAuthor Commented:
im confused then.
Just deploying an image (base win7) from MDT with same local admin password to see if this machine can access servers too...
The default c$ - everyone group is the problem though..
0
CHI-LTDAuthor Commented:
guess the GPO isnt at fault:
https://support.microsoft.com/en-us/kb/257346
0
McKnifeCommented:
"the GPO isnt at fault" - what should that mean?
Again: check what David wrote.
0
CHI-LTDAuthor Commented:
Was response to my previous thought on GPO being the issue.

Not 100% sure what he means.  Every client local admin account has the same password as each other, but this shouldn't mean they should be able to access every c$ share on the network?
0
McKnifeCommented:
Oh yes, it does! And that's your problem.
Honestly, don't use such a setup.
0
CHI-LTDAuthor Commented:
Sure, just changed the PW on the client and its now asking for a PW...
0
David Johnson, CD, MVPOwnerCommented:
Finally you got it.. once you create a new user on any of these machines the 'administrator' account is disabled.
0
CHI-LTDAuthor Commented:
guess ill read best practice guide...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.