All Domain users have access to Domain Controller Admin Shares

  • Question

  • I just discovered that all of our domain users can access our domain controller C$ drive shares.  I am unsure how long this has been like this, but I do know I (even as network admin) would be prompted for my domain admin credentials to access those shares in the past.

    All of our member servers prompt for username & password if we attempt to connect to those admin shares.

    I am hoping this was an inadvertent change from our end.  Any ideas on what settings might allow for this activity, and where I can find them?

    Our environment:
    Windows 2003 SP2
    Win 2003 Forest & Domain level.

    Thanks!
    Matt

    Matt Miller
    Wednesday, November 25, 2009 8:31 PM

All replies

  • I have found that my DCs have the setting "Trust this computer for delegation for any service" enabled.  Only our DCs have this setting enabled.  All other servers are set to "Do not trust..."

    I must admit, I am unfamiliar with this setting.  It is not one I have had to enable or disable for any purpose.  I have read about the need for turning it on for Citrix Kerberos authentication, but also read that it added security risks on our Citrix servers, so I never did anything with it.

    Should this setting be enabled on the DC? Is this required for client logon processes? What would happen if I disable it?

    Thanks
    Matt
    Matt Miller
    Wednesday, November 25, 2009 8:50 PM
  • We have this setting disabled and everything works fine; users can't access the C$ shares but can log in normally using \\DC\Netlogon.

    You could check these settings in your Default Domain Controllers Policy:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Enable computer and user accounts to be trusted for delegation

    Description

    Determines which users can set the Trusted for Delegation setting on a user or computer object.

    The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using a client's delegated credentials, as long as the client's account does not have the Account cannot be delegated account control flag set.


    Maybe something is wrong in your setup here.

    BTW, there are ways to disable the C$ shares on a Domain Controller, but that is not very useful, because backup software and other services need those shares.

    http://support.microsoft.com/kb/842715/en-us ( Overview of problems that may occur when administrative shares are missing )
    Thursday, November 26, 2009 2:11 AM
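The delegation flag Matt found on his DCs and the user right quoted in the reply above can both be audited from PowerShell. The script below is an added example and not code from the thread; it assumes the ActiveDirectory module (RSAT) and PowerShell 3 or later, and that it runs on a domain controller as a domain admin, because secedit /export reports the effective policy of the machine it runs on.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory module present, PowerShell 3+,
# executed on a domain controller as a domain admin.
Import-Module ActiveDirectory

# 1. Computer accounts with "Trust this computer for delegation to any service" (unconstrained
#    delegation). Domain controllers normally carry this flag; any other host is worth a look.
#    PrimaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, PrimaryGroupID |
    Select-Object Name, @{ n = 'IsDC'; e = { $_.PrimaryGroupID -in 516, 521 } } |
    Format-Table -AutoSize

# 2. Members of the high-privilege groups that do NOT have "Account is sensitive and cannot be
#    delegated" set. A host trusted for delegation can impersonate these accounts toward other
#    services, which is exactly the risk the delegation flag introduces.
#    'Enterprise Admins' only exists in the forest root domain, hence SilentlyContinue.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique
$privileged |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated } |
    Where-Object { -not $_.AccountNotDelegated } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

# 3. Who holds SeEnableDelegationPrivilege ("Enable computer and user accounts to be trusted
#    for delegation") in the effective policy. secedit writes well-known SIDs as *S-1-5-...,
#    so translate them back to account names.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
Remove-Item -Path $cfg -Force

function Convert-SecEditEntry([string] $Entry) {
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }        # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry                                           # unresolvable SID: keep it raw
    }
}

$holders = if ($line) {
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { Convert-SecEditEntry $_ }
} else { @() }
"SeEnableDelegationPrivilege: $($holders -join ', ')"
```

With an unmodified Default Domain Controllers Policy, step 3 reports only BUILTIN\Administrators, which matches what Matt sees in the next reply, so an empty or Administrators-only result here does not explain why ordinary users can open C$; the check is still worth keeping, since anyone holding this right can mark additional hosts as trusted for delegation.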
  • Thanks for the reply.

    I have that setting enabled in the DC policies.  The only account granted that permission is the Administrators.  None of our member servers have that policy configured. I removed the Administrators from the policy list, but it did not appear to affect our setup.  I have since added it back in.

    Thanks for the notes on disabling the admin shares.  I would like to keep the admin shares active, for backups and for admin access; but I do not wish that all domain users be able to access these shares.


    Matt
    Matt Miller
    Friday, November 27, 2009 3:35 PM
  • Hi Matt,

    Have you resolved your issue? I have the same issue. Could you please tell me how you resolved this problem?

    Thanks

    Wednesday, July 3, 2013 1:40 PM
    In case someone else has the same issue. The problem is caused by using the built-in domain users group. The DC GPO allows access to domain users implicitly, not just to access the administrative shares, but to remote desktop into them. Create another group to contain regular users.

    Cheers,

    Vlad


    -- Austin Arrowsmith, Ebor Administrator



    Wednesday, June 10, 2015 6:31 AM
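Administrative shares such as C$ are reachable only by members of the host's Administrators group, and on a domain controller that is the domain's Builtin Administrators group, so the quickest way to confirm the cause Vlad describes is to look for Domain Users (or other catch-all principals) nested inside the groups that grant admin-share or RDP access on DCs. The script below is an added example and not code from the thread; it assumes the ActiveDirectory and SmbShare modules, PowerShell 3 or later, a domain-admin session, and a domain controller named DC01 (an assumed name). Get-SmbShareAccess needs a Windows Server 2012 or later target; on a 2003 DC like Matt's, "net share C$" and "net localgroup" give the equivalent information.

```powershell
# Added example (not from the thread). Assumptions: ActiveDirectory + SmbShare modules,
# PowerShell 3+, run as domain admin, target DC named DC01.
Import-Module ActiveDirectory
$DC = 'DC01'

# Membership in the first five groups gives admin-share (C$) access on a DC;
# Remote Desktop Users gives RDP access to it.
$sensitiveGroups = 'Administrators', 'Server Operators', 'Backup Operators',
                   'Account Operators', 'Print Operators', 'Remote Desktop Users'
# Catch-all principals that must never appear inside those groups.
$broadPrincipals = 'Domain Users', 'Domain Computers', 'Users', 'Authenticated Users', 'Everyone'

# Walk nested groups so that Domain Users hidden two levels down is still found.
# Well-known principals (Authenticated Users, Everyone) appear in AD as
# foreignSecurityPrincipal objects whose name is the SID, so translate those.
function Get-NestedPrincipals([string] $GroupDN, [hashtable] $Seen) {
    foreach ($m in Get-ADGroupMember -Identity $GroupDN) {
        if ($Seen.ContainsKey($m.distinguishedName)) { continue }
        switch ($m.objectClass) {
            'group' {
                $Seen[$m.distinguishedName] = $m.name
                Get-NestedPrincipals -GroupDN $m.distinguishedName -Seen $Seen
            }
            'foreignSecurityPrincipal' {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($m.name)
                    $Seen[$m.distinguishedName] = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $Seen[$m.distinguishedName] = $m.name
                }
            }
        }
    }
}

foreach ($g in $sensitiveGroups) {
    $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if (-not $group) { continue }                      # group absent in this domain
    $seen = @{}
    Get-NestedPrincipals -GroupDN $group.DistinguishedName -Seen $seen
    foreach ($name in $seen.Values) {
        $leaf = $name -replace '^.*\\', ''             # strip "NT AUTHORITY\" etc.
        if ($broadPrincipals -contains $leaf) { "WARNING: '$name' is nested in '$g'" }
    }
}

# Share-level permissions on C$. Entries beyond administrative groups are a finding.
Get-SmbShareAccess -CimSession $DC -Name 'C$' |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# NTFS ACL at the share root: catch-all principals with rights beyond ReadAndExecute are suspicious.
(Get-Acl -Path "\\$DC\C$").Access |
    Where-Object { $broadPrincipals -contains ($_.IdentityReference.Value -replace '^.*\\', '') } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

If the first loop prints a warning, the fix is the one Vlad gives: create a dedicated group for the users who need the access, move them into it, and remove Domain Users from the sensitive group; re-run the script afterwards to confirm the nesting is gone.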