Restrict access to administrative shares?

[Brian]

I work on a school network, and were starting to get
problems with people figuring out how to use the
automatic administrative shares (drive letter$, admin$,
ipc$). My problem is how do I restrict access to these
shares to say only domain admins. I know how to disable
them entirely using regedit, but they are a good tool.
If possible I want to keep them intact but restricted.
Thanks.

 

[serverguy]

I just gave another poster similar advice. Go ahead and disable the admin
shares with the reg hack, then just share out the drives you need to access
as an admin and setup the appropriate permissions. You should also review
ntfs permissions on the drives and make sure the default "Everyone" group
has been removed in favor of more secure permissions for only those
users/groups who need access to those drives.

 

[Steven L Umbach]

Are they able to access other computers than their own? If so you may have a problem
with users knowing administrator passwords that they should not. You can not change
the permissions on those shares and only those in the local administrators group
[which would include the domain admins group] on domain members can gain access. What
you could try is to modify the user right for access this computer from the network
to only include the domain admins group of those domain member machines that you want
to restrict access to assuming that other users have no need to access shares on the
computer. You could move the computers you want to restrict into their own OU and set
the more restrictive user right in a GPO for that OU. Otherwise you will need to
disable the admin shares all together and create a new hidden admin share [append $
to the share name] with permission to just the domain admins group. --- Steve