Admin share not accessible when user removed from domain admins

Hi,

Quick question, we have removed all users from the administrators/ domain
admin groups for security reasons. However one side affect of this has been
that we can no longer brows to unc admin shares eg: \\server1\c$ even when
we use the administrator username and password and with the domain prefix
eg: domain\administrator as the user when prompted for an authorised user.

Does anybody know if this is standard behaviour and if it is is there a way
round it? Or is is down to s Group policy setting that we may have added in
the past for example?

Any help greatly appreciated.

Cheers

Rich

the better question is, why would you want to do this?? you remove the
users from the admin accounts, then want them to know an admin password to
get to the admin shares?? the better thing to do would be to create regular
shares so they can have access to only the stuff you want non-admins to get
to.

"msnews.microsoft.com" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> Quick question, we have removed all users from the administrators/ domain
> admin groups for security reasons. However one side affect of this has
> been that we can no longer brows to unc admin shares eg: \\server1\c$ even
> when we use the administrator username and password and with the domain
> prefix eg: domain\administrator as the user when prompted for an
> authorised user.
>
> Does anybody know if this is standard behaviour and if it is is there a
> way round it? Or is is down to s Group policy setting that we may have
> added in the past for example?
>
> Any help greatly appreciated.
>
> Cheers
>
> Rich
>

In news:(E-Mail Removed),
msnews.microsoft.com <(E-Mail Removed)> typed:
> Hi,
>
> Quick question, we have removed all users from the administrators/
> domain admin groups for security reasons.

Surely not ALL users. You've left the built-in Administrator account in
there, I trust.

> However one side affect of
> this has been that we can no longer brows to unc admin shares eg:
> \\server1\c$ even when we use the administrator username and password
> and with the domain prefix eg: domain\administrator as the user when
> prompted for an authorised user.

Who are you logging in as when you try to do this?
>
> Does anybody know if this is standard behaviour and if it is is there
> a way round it? Or is is down to s Group policy setting that we may
> have added in the past for example?
>
> Any help greatly appreciated.

I agree with the other reply you got - don't connect to the admin share. Why
would you need to? I personally don't explicitly share anything on the
system volume on a server - set up the shares you wish, but unless there is
some urgent and compelling reason you haven't provided here, don't use the
admin shares, and don't set up another share at the root.
>
> Cheers
>
> Rich

Thanks for the advice, it is a historical requirement in that the network I
am talking about has always had an IT manager logging in as a member of the
domain admins group in his own name. He decided to knock his permissions
back down to user level only as he was worried about security. The admin
account is still enabled and in domain admins by the way.

Also historically, he has accessed a drive containing all his databases via
the admin share W$ and a side affect of removing his acocunt from the admin
group has been that he no longer can. I agree that a specific share is
probably the best way to to do this as good practice. However I wa curious
to see if this was normal behaviour as I have never noticed in the past and
he was asking why it was happening. Personally I have always fround the
admin share very useful when working on the network to check root level
drives etc. every now and again.

I will advise creating a seperate share anyway but would have been good to
get back to him with some specific reasons... hence the post.

Kind Regards

Rich

"Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com> wrote in message
news:(E-Mail Removed)...
>
>
> In news:(E-Mail Removed),
> msnews.microsoft.com <(E-Mail Removed)> typed:
>> Hi,
>>
>> Quick question, we have removed all users from the administrators/
>> domain admin groups for security reasons.
>
> Surely not ALL users. You've left the built-in Administrator account in
> there, I trust.
>
>> However one side affect of
>> this has been that we can no longer brows to unc admin shares eg:
>> \\server1\c$ even when we use the administrator username and password
>> and with the domain prefix eg: domain\administrator as the user when
>> prompted for an authorised user.
>
> Who are you logging in as when you try to do this?
>>
>> Does anybody know if this is standard behaviour and if it is is there
>> a way round it? Or is is down to s Group policy setting that we may
>> have added in the past for example?
>>
>> Any help greatly appreciated.
>
> I agree with the other reply you got - don't connect to the admin share.
> Why would you need to? I personally don't explicitly share anything on the
> system volume on a server - set up the shares you wish, but unless there
> is some urgent and compelling reason you haven't provided here, don't use
> the admin shares, and don't set up another share at the root.
>>
>> Cheers
>>
>> Rich
>
>

is w$ a real admin share, i.e. created automatically by the os, or is it
just a 'hidden' share that you created at some point for his use? the $
does not always mean 'administrative share', all it really means is that the
share is 'hidden' and won't show on listings of shares on the network.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for the advice, it is a historical requirement in that the network
> I am talking about has always had an IT manager logging in as a member of
> the domain admins group in his own name. He decided to knock his
> permissions back down to user level only as he was worried about security.
> The admin account is still enabled and in domain admins by the way.
>
> Also historically, he has accessed a drive containing all his databases
> via the admin share W$ and a side affect of removing his acocunt from the
> admin group has been that he no longer can. I agree that a specific share
> is probably the best way to to do this as good practice. However I wa
> curious to see if this was normal behaviour as I have never noticed in the
> past and he was asking why it was happening. Personally I have always
> fround the admin share very useful when working on the network to check
> root level drives etc. every now and again.
>
> I will advise creating a seperate share anyway but would have been good to
> get back to him with some specific reasons... hence the post.
>
> Kind Regards
>
> Rich
>
> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) ahoo.com> wrote in
> message news:(E-Mail Removed)...
>>
>>
>> In news:(E-Mail Removed),
>> msnews.microsoft.com <(E-Mail Removed)> typed:
>>> Hi,
>>>
>>> Quick question, we have removed all users from the administrators/
>>> domain admin groups for security reasons.
>>
>> Surely not ALL users. You've left the built-in Administrator account in
>> there, I trust.
>>
>>> However one side affect of
>>> this has been that we can no longer brows to unc admin shares eg:
>>> \\server1\c$ even when we use the administrator username and password
>>> and with the domain prefix eg: domain\administrator as the user when
>>> prompted for an authorised user.
>>
>> Who are you logging in as when you try to do this?
>>>
>>> Does anybody know if this is standard behaviour and if it is is there
>>> a way round it? Or is is down to s Group policy setting that we may
>>> have added in the past for example?
>>>
>>> Any help greatly appreciated.
>>
>> I agree with the other reply you got - don't connect to the admin share.
>> Why would you need to? I personally don't explicitly share anything on
>> the system volume on a server - set up the shares you wish, but unless
>> there is some urgent and compelling reason you haven't provided here,
>> don't use the admin shares, and don't set up another share at the root.
>>>
>>> Cheers
>>>
>>> Rich
>>
>>
>
>

In news:(E-Mail Removed),
(E-Mail Removed)am <(E-Mail Removed)> typed:
> Thanks for the advice, it is a historical requirement in that the
> network I am talking about has always had an IT manager logging in as
> a member of the domain admins group in his own name. He decided to
> knock his permissions back down to user level only as he was worried
> about security.

That's a very good thing. There should be two accounts, really - his 'daily
driver' account, which is a user only, and an admin-equivalent one, for
special occasions.

> The admin account is still enabled and in domain
> admins by the way.
> Also historically, he has accessed a drive containing all his
> databases via the admin share W$ and a side affect of removing his
> acocunt from the admin group has been that he no longer can. I agree
> that a specific share is probably the best way to to do this as good
> practice.

Absolutely, 100%. In fact, I create user shares not at the root of any
drive/volume/partition, but in a subfolder (e.g., E:\DATA).

> However I wa curious to see if this was normal behaviour as
> I have never noticed in the past and he was asking why it was
> happening.

Check the share permissions?

> Personally I have always fround the admin share very
> useful when working on the network to check root level drives etc.
> every now and again.

I tend to use remote desktop when I need to see anything on the server side.
>
> I will advise creating a seperate share anyway but would have been
> good to get back to him with some specific reasons... hence the post.
>
> Kind Regards
>

Hope this helps.

> Rich
>
> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) ahoo.com> wrote in
> message news:(E-Mail Removed)...
>>
>>
>> In news:(E-Mail Removed),
>> msnews.microsoft.com <(E-Mail Removed)> typed:
>>> Hi,
>>>
>>> Quick question, we have removed all users from the administrators/
>>> domain admin groups for security reasons.
>>
>> Surely not ALL users. You've left the built-in Administrator account
>> in there, I trust.
>>
>>> However one side affect of
>>> this has been that we can no longer brows to unc admin shares eg:
>>> \\server1\c$ even when we use the administrator username and
>>> password and with the domain prefix eg: domain\administrator as the
>>> user when prompted for an authorised user.
>>
>> Who are you logging in as when you try to do this?
>>>
>>> Does anybody know if this is standard behaviour and if it is is
>>> there a way round it? Or is is down to s Group policy setting that
>>> we may have added in the past for example?
>>>
>>> Any help greatly appreciated.
>>
>> I agree with the other reply you got - don't connect to the admin
>> share. Why would you need to? I personally don't explicitly share
>> anything on the system volume on a server - set up the shares you
>> wish, but unless there is some urgent and compelling reason you
>> haven't provided here, don't use the admin shares, and don't set up
>> another share at the root.
>>>
>>> Cheers
>>>
>>> Rich

Yes this behavior is standard. By default, when a machine joins
a domain the "domain admin" group is automatically added to the
local administrator group. You can add each users domain account
to the local administrators group to give them same access. Most
would suggest that it is bad practice to give normal users local admin
access.

"msnews.microsoft.com" <(E-Mail Removed)> wrote in message news:
> Hi,
>
> Quick question, we have removed all users from the administrators/ domain
> admin groups for security reasons. However one side affect of this has
> been that we can no longer brows to unc admin shares eg: \\server1\c$ even
> when we use the administrator username and password and with the domain
> prefix eg: domain\administrator as the user when prompted for an
> authorised user.
>
> Does anybody know if this is standard behaviour and if it is is there a
> way round it? Or is is down to s Group policy setting that we may have
> added in the past for example?