I have a corporate Inventory application installed on Windows Server 2008 R2 and I need to deploy some Agents to Windows 7 Desktops.
This app requires access to C$ and Admin$ on the Desktops, from the Server. Also, the agent is installed in C:\Windows\ from a BAT script but can be installed in C:\ or Program Files too. The agent also comes with a Service related to the processes being executed when the agent is running.
Usually I can deploy the agents from the server using a Local (Desktop) or Domain Admin account, but this time our AD Admin told me he can't provide that kind of access. It has to be a non-Admin account. When I ask him what the right permission / mapping is that I should request from the Security team in order to install the agents, he doesn't know! (It seems is not a legit AD Admin ¬¬)
In Windows 2003 I used to mitigate that scenario by requesting Power Users from our AD Admin, but that permission is not available in Windows 2008. What kind of permissions do I need to request for the Windows Server 2008 R2 account, for viewing Admin Shares on the Desktops and installing the agent remotely? Also, I understand User Access Control (UAC) plays some role here (I don't know if I have to request disabling UAC on the Desktops for installing the agent, for instance).
Based on my tests on Windows Server 2008 machines, I can only use a Domain Admin account to access the admin$ file on a domain controller.
After I input the admin share’s path, I was asked to input credentials to connect to the DC. If I input a domain user’s credentials, then a logon unsuccessful error message appears, even after I granted read permission on the C drive of the DC.
Do you need further assistance on this issue?
We can locate the admin share via the Computer Management tool; it is under System Tools/Shared Folders/Shares.
When we click on the Properties of this share, a prompt window saying “This has been shared for administrative purposes. The share permissions and file security cannot be set” pops up.
Therefore this share’s permissions can’t be modified.
- Edited by Amy Wang_Microsoft contingent staff, Moderator Wednesday, February 05, 2014 9:07 AM
I disagree with the comment that "it seems is not a legit AD Admin". Your application should provide this information. Application developers should support normal security requirements and build applications that can run in a secure manner. They should also provide specific information for the install and support of their application. Your admin isn't responsible for knowing every kludge app out there and what permissions it needs...
Just my thoughts, and no, I'm not an AD admin.
It can be done like this.
Note: Members of the local administrators group can access the admin share.
You need to get a group created in AD, say Admin_Share_Group, and add to it all users who require access to the admin share.
Ask the AD Admin to create a Group Policy in which this Admin_Share_Group will be added to the systems' local admin group.
Once done you will be able to access the admin shares of the systems.
Feel free to post in case of doubts.
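The steps in the last answer, as an added PowerShell example that is not part of the original thread: it creates the group, adds the deployment account, and then checks from the server that the policy has actually landed on each desktop. The OU path, account name and computer names are placeholders, the local group is assumed to have its English name `Administrators`, and the Group Policy step itself is left to the AD admin.

```powershell
# Added example. Run on the Windows Server 2008 R2 box (PowerShell 2.0 compatible).
Import-Module ActiveDirectory                 # AD module shipped with 2008 R2 / RSAT

$GroupName = 'Admin_Share_Group'              # group name suggested in the answer
$GroupOU   = 'OU=Groups,DC=example,DC=com'    # placeholder OU
$Deployers = @('svc-inventory')               # placeholder deployment account
$Desktops  = @('DESKTOP01', 'DESKTOP02')      # placeholder Windows 7 machines

# Step 1: create the group if it does not exist, then add only missing members
# (Add-ADGroupMember raises an error for accounts that are already members).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
$current = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object { $_.SamAccountName })
$missing = @($Deployers | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $missing }

# Step 2 (not scripted): the AD admin links a Group Policy that adds
# $GroupName to the local Administrators group of the desktops.

# Step 3: after the policy has applied, confirm the result per desktop.
# Run this part as a member of $GroupName, in a logon session started after
# the account was added, so the new membership is in the token.
foreach ($pc in $Desktops) {
    $inGroup = $false
    $shareOk = $false
    try {
        # List the members of the remote local Administrators group.
        $admins = [ADSI]"WinNT://$pc/Administrators,group"
        $names  = @($admins.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        $inGroup = $names -contains $GroupName
        # The admin share the inventory server needs for the agent install.
        $shareOk = Test-Path "\\$pc\admin`$"
    } catch {
        Write-Warning "$pc could not be checked: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Computer            = $pc
        GroupIsLocalAdmin   = $inGroup
        AdminShareReachable = $shareOk
    }
}
```

A desktop that reports `GroupIsLocalAdmin` as False has not yet processed the policy; one that reports True with `AdminShareReachable` as False points to the session token or to file sharing on that machine rather than to the group membership.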