Accessing c$ share in child domain

Stephen Pettitt

Whilst trying to access the c$ share on a machine in a child domain, we are
prompted for a username/password unexpectedly. I am using an account with
Enterprise Admin rights and can connect to the c$ share on DCs in any of the
child domains; however, this doesn't work for ordinary clients or member
servers. What is going wrong? I'm sure we used to be able to do this! The
reason we need this access is to enable deployment of the client for our
chosen Desktop Management System (LANDesk).

Thanks in advance,

Stephen.
 
Dale Weiss

Hello,

Check the membership in the local administrators group on the
servers/workstations that are affected. IIRC the Enterprise Administrators
may be able to administer DCs but not member servers and workstations.

You will need to access them with an account that is in the local
administrators group on those systems.

Dale Weiss MCSA MCSE CISSP
PSS Security

This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples is subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
 
Stephen Pettitt

We are currently running in mixed mode, am I correct in thinking that
this will only be possible in native mode? We would like to add the
Enterprise Admins to the Domain Admins group in all child domains, but
this doesn't appear to be possible at the moment. I had assumed that
Enterprise Admins were automatically domain admins within all child
domains, this is wrong I suppose?

Thanks for your help,

Stephen.
 
Dale Weiss

Hello,

The domains will need to be in native mode.

While many people (including myself at one point in time) think that the
Enterprise Admins group is added to the local Administrators group on all
workstations and servers, this is not the case.

The Enterprise Admins group is added to the builtin Administrators group on
the domain controllers, but not member servers and workstations. Enterprise
Admins cannot be added to the Domain Admins group either, whether the
domain is in native mode or not.

In native mode we can nest groups of the same type (Global into Global,
etc) and we can add Global or Universal into Local (as we could in mixed
mode as well).

If you want to grant the Enterprise Admins rights to workstations and
member servers, you will need to do it either manually (not scalable), run
the NET LOCALGROUP command to add them on each system (also not very
scalable), through some manner of VB Script (scalable, but someone has to
write the script), through a batch file running a tool called CUSRMGR
(command line user manager tool; also scalable, but someone has to write the
batch file), or through group policy using restricted groups.

Using group policy:

If working in a child domain, create a universal group in the child domain.
Add Enterprise Admins to the universal group.
Create a GPO and add a Restricted Groups setting to add the universal group
that you created in the child domain to the local administrators group. You
should also make sure that any other groups or users that you want in the
local Administrators groups are present in the policy as well, such as
Administrator and Domain Admins.

NOTE: You need to create the universal group in the child domain because
restricted group settings in Group Policy can only use groups that are in
the same domain. If you are doing this in a child domain, you need to create
this "middleman" group and add Enterprise Admins to it. If you are working
in the root domain this is not necessary.

As always, test, test, test to make sure you get the results you want.


Dale Weiss MCSA MCSE CISSP
PSS Security

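The following PowerShell is an added example, not code from the thread or from either poster; it reproduces Stephen's symptom (c$ reachable on DCs but not on member machines) and walks through Dale's procedure on current cmdlets. All names are assumptions: forest root corp.example, child domain emea.corp.example (NetBIOS EMEA), the "middleman" universal group LANDesk-Push-Admins, and targets SRV01 and WKS0042. It assumes the RSAT ActiveDirectory module, WinRM to the targets, and an account that is an administrator in the child domain; Get-LocalGroupMember needs Windows 10 / Server 2016 or later on the targets. The Restricted Groups entry itself is still made in the GPMC editor, as the script's comments describe.

```powershell
# Added example, not the thread's code. Every name below is an assumption.
Import-Module ActiveDirectory

$RootDomain   = 'corp.example'          # assumed forest root domain
$ChildDomain  = 'emea.corp.example'     # assumed child domain
$ChildNetbios = 'EMEA'                  # assumed NetBIOS name of the child domain
$GroupName    = 'LANDesk-Push-Admins'   # assumed name of the "middleman" universal group
$Targets      = @('SRV01', 'WKS0042')   # assumed member server and workstation in the child
$principal    = "$ChildNetbios\$GroupName"

$childDc = (Get-ADDomainController -DomainName $ChildDomain -Discover).HostName[0]
$rootDc  = (Get-ADDomainController -DomainName $RootDomain  -Discover).HostName[0]

# Reproduce the symptom first: can the current account reach c$ on each target?
function Test-AdminShare {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        [pscustomobject]@{ Computer = $c; CShareReachable = (Test-Path "\\$c\c$") }
    }
}

# Which principals are actually in local Administrators on the targets? On a member
# server or workstation the list contains Domain Admins, but not Enterprise Admins.
function Get-LocalAdmins {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Members  = (Get-LocalGroupMember -Group 'Administrators').Name
        }
    }
}

# Step 1 of the GPO method: a universal group in the child domain, because (as the
# thread notes) Restricted Groups can only reference groups of the GPO's own domain.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $childDc
if (-not $group) {
    $usersContainer = 'CN=Users,' + (Get-ADDomain -Server $childDc).DistinguishedName
    $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                         -Path $usersContainer -Server $childDc -PassThru
}

# Step 2: nest the root-domain principal in it. A universal group accepts members
# from any domain in the forest; resolve the member on a root DC and add it by DN.
# The thread nests Enterprise Admins; a dedicated deployment group in the root
# domain is the least-privilege alternative and is added exactly the same way.
$member = Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDc
Set-ADGroup -Identity $group -Add @{ member = $member.DistinguishedName } -Server $childDc

# Step 3 (manual, in the GPMC editor): Computer Configuration > Windows Settings >
# Security Settings > Restricted Groups. Either add $principal with "This group is a
# member of" -> Administrators (adds without touching existing members), or edit
# Administrators with "Members of this group", which REPLACES the membership, so
# Administrator and Domain Admins must be listed there too. Link the GPO to the OU
# that holds the targets.

# NET LOCALGROUP fallback for machines the GPO cannot reach; gpupdate on the rest.
Invoke-Command -ComputerName $Targets -ArgumentList $principal -ScriptBlock {
    param($Principal)
    net localgroup Administrators $Principal /add 2>&1 | Out-Null
    gpupdate /target:computer /force | Out-Null
}

# Verify: c$ should now be reachable and the push group present in Administrators.
Test-AdminShare -ComputerName $Targets
Get-LocalAdmins -ComputerName $Targets |
    Select-Object Computer, @{ n = 'HasPushGroup'; e = { $_.Members -contains $principal } }
```

Run the two check functions before the changes as well: on a DC both will succeed and Get-LocalAdmins will show the nested Enterprise Admins entry, while on SRV01 and WKS0042 c$ fails and Enterprise Admins is absent, which is exactly the difference Dale describes.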
 
Paul Adare

microsoft.public.win2000.security news group, Dale Weiss (MSFT):
> The domains will need to be in native mode.

In addition to what Dale has written here, why do you feel the need for
Enterprise Admins to be able to administer member servers and
workstations? This is a violation of the principle of least privilege.
If you're administering member servers and workstations, you do not need
the rights and permissions that are granted to members of the Enterprise
Admins group, and therefore should not be using accounts that belong to
that group.
 
Stephen Pettitt

Strictly speaking we do not need Enterprise Admins to be able to
administer these machines but we do need a single account that has
access to the admin shares on ALL machines in all domains. When
pushing out the LANDesk agent to PCs you need to have access to the c$
share. Yes, we could just use a logon script so that the client "pulls"
the agent instead, but this isn't the preferred method.

Regards,

Stephen.
 
Paul Adare

microsoft.public.win2000.security news group, Stephen Pettitt:
> Strictly speaking we do not need Enterprise Admins to be able to
> administer these machines but we do need a single account that has
> access to the admin shares on ALL machines in all domains. When
> pushing out the LANDesk agent to PCs you need to have access to the c$
> share. Yes, we could just use a logon script so that the client
> "pulls" the agent instead, but this isn't the preferred method.

In that case you should absolutely not be using an account in Enterprise
Admins.
 