Re: Admin share not accessible when user removed from domain admins

Tech-Archive recommends: Fix windows errors by optimizing your registry

is w$ a real admin share, i.e. created automatically by the os, or is it
just a 'hidden' share that you created at some point for his use? the $
does not always mean 'administrative share', all it really means is that the
share is 'hidden' and won't show on listings of shares on the network.

<Centra@xxxxxxxxxxxxxxxxx> wrote in message
news:OcgZmesZGHA.508@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the advice, it is a historical requirement in that the network
I am talking about has always had an IT manager logging in as a member of
the domain admins group in his own name. He decided to knock his
permissions back down to user level only as he was worried about security.
The admin account is still enabled and in domain admins by the way.

Also historically, he has accessed a drive containing all his databases
via the admin share W$ and a side affect of removing his aco*** from the
admin group has been that he no longer can. I agree that a specific share
is probably the best way to to do this as good practice. However I wa
curious to see if this was normal behaviour as I have never noticed in the
past and he was asking why it was happening. Personally I have always
fround the admin share very useful when working on the network to check
root level drives etc. every now and again.

I will advise creating a seperate share anyway but would have been good to
get back to him with some specific reasons... hence the post.

Kind Regards

Rich

"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uG9HfYiZGHA.4688@xxxxxxxxxxxxxxxxxxxxxxx


In news:OiKUOQgZGHA.3832@xxxxxxxxxxxxxxxxxxxx,
msnews.microsoft.com <Centra@xxxxxxxxxxxxxxxxx> typed:
Hi,

Quick question, we have removed all users from the administrators/
domain admin groups for security reasons.

Surely not ALL users. You've left the built-in Administrator account in
there, I trust.

However one side affect of
this has been that we can no longer brows to unc admin shares eg:
\\server1\c$ even when we use the administrator username and password
and with the domain prefix eg: domain\administrator as the user when
prompted for an authorised user.

Who are you logging in as when you try to do this?

Does anybody know if this is standard behaviour and if it is is there
a way round it? Or is is down to s Group policy setting that we may
have added in the past for example?

Any help greatly appreciated.

I agree with the other reply you got - don't connect to the admin share.
Why would you need to? I personally don't explicitly share anything on
the system volume on a server - set up the shares you wish, but unless
there is some urgent and compelling reason you haven't provided here,
don't use the admin shares, and don't set up another share at the root.

Cheers

Rich






.

Quantcast