Heddin shares restrections

[Maged N. Roshdy]

Hi
at work i have Win2000 domain , i am the administrator of
it , some day when i try to access the C$ drive one one
workstation it gives me message sys windows cannot find
the drive check the spelling and try again or tey
searching , i know that the user of that workstation had
unshared his C$ drive , but i am the administrator on that
network i want too do scan for his machine or backup his
files , so i need the C hard drive to have always the
heddin share C$, to be able at any time to have access for
it , so how can i make restriction for unsharing the
hidden shared drives .

another question , if i want to close just the access to
the GPEDIT.MSC , because i dont like any body to play with
it , and how to make the policy of the domain that if any
clint delete the domain administrator from his local
administrators to not access the domain resources .

please for any body know about thease matters to share me
his knowledge and i'll appriciate so much

Thanks

Maged

 

[Lanwench [MVP - Exchange]]

Hi
at work i have Win2000 domain , i am the administrator of
it , some day when i try to access the C$ drive one one
workstation it gives me message sys windows cannot find
the drive check the spelling and try again or tey
searching , i know that the user of that workstation had
unshared his C$ drive , but i am the administrator on that
network i want too do scan for his machine or backup his
files , so i need the C hard drive to have always the
heddin share C$, to be able at any time to have access for
it , so how can i make restriction for unsharing the
hidden shared drives .

Take all end users out of the local admins group.

Also - since you have a domain, you really ought to have everyone store ALL
their data on the server - use folder redirection to move My Documents to
their home directories, etc. Workstation backups are a pain and aren't very
reliable.

another question , if i want to close just the access to
the GPEDIT.MSC , because i dont like any body to play with
it , and how to make the policy of the domain that if any
clint delete the domain administrator from his local
administrators to not access the domain resources .

Again, take the end users out of the local admin group and they can't do
this.

 

[Guest]

ok but i want to keep the users administrators on thier
workstations i just dont like them to affect the
administrator tools of the domain like the securety and
the hidden shares , so is there a customize solution can
do that .

Maged

 

[Torgeir Bakken \(MVP\)]

(snip)
and how to make the policy of the domain that if any
clint delete the domain administrator from his local
administrators to not access the domain resources .

Hi

Restricted Groups enforced with Group Policy is maybe an option:

http://groups.google.com/[email protected]

and

How to Configure a Global Group to Be a Member of the Administrators Group on
all Workstations
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065


We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduces.

 

[Lanwench [MVP - Exchange]]

ok but i want to keep the users administrators on thier
workstations

Why? Do you have (badly written) software that requires this?

i just dont like them to affect the
administrator tools of the domain like the securety and
the hidden shares , so is there a customize solution can
do that .

If regular user rights don't work because you have software that won't run
that way, try putting them in Power Users instead of local admins to see if
they can still run the software.

 

[Mark-Allen]

Nice question. I spent an hour or so looking all over the net and couldn't find anything to protect the shares. Delete yes, but not protect against deletion. If you're admin, you can get rid of them.

However, let's look at the task another way. Why don't you just check right before you do things to see if they are there, and if not create them on the fly? It's a few lines of script but that shouldn't be too hard.

Hope this helps.

--
Mark-Allen Perry
ALPHA Systems, Switzerland
mark-allen AT mvps DOT org

Hi
at work i have Win2000 domain , i am the administrator of
it , some day when i try to access the C$ drive one one
workstation it gives me message sys windows cannot find
the drive check the spelling and try again or tey
searching , i know that the user of that workstation had
unshared his C$ drive , but i am the administrator on that
network i want too do scan for his machine or backup his
files , so i need the C hard drive to have always the
heddin share C$, to be able at any time to have access for
it , so how can i make restriction for unsharing the
hidden shared drives .

another question , if i want to close just the access to
the GPEDIT.MSC , because i dont like any body to play with
it , and how to make the policy of the domain that if any
clint delete the domain administrator from his local
administrators to not access the domain resources .

please for any body know about thease matters to share me
his knowledge and i'll appriciate so much

Thanks

Maged

 

[Maged N. Roshdy]

i moved the users to the local power users group but they
cant modify the regional options , how can i give that
permission to the pwer users group
another question , why some programs installed with the
power users level and some other programs deny that and
requier administration permission.

discussing that with you was really usefull for me . thank
you for giving me that chance

Maged

 

[Lanwench [MVP - Exchange]]

i moved the users to the local power users group but they
cant modify the regional options , how can i give that
permission to the pwer users group

Not sure what you're actually trying to allow - what specifically, and
again, why?

another question , why some programs installed with the
power users level and some other programs deny that and
requier administration permission.

I personally don't like users installing any software and don't generally
put them even in PowerUsers. But to answer your question, it depends on the
software itself - and what it requires permissions for in order to be
installed.

discussing that with you was really usefull for me . thank
you for giving me that chance

No problem - hope this helps.

 

[Maged N. Roshdy]

I mean i want to allow them to change all the regional
settings options like languages defaults .... etc
in the case of the power users i cant see all the tabs of
the regional settings options , i appreciate your opinion
to not give any permission to the users i also do that but
not for all the users , some users need to install some
software updates and you can say that i have some advanced
users , i want to give him freedom just on thier
workstation , but on the other hand i dont like them to
play in my area , i want to remote there computers at any
time i need without having surprise that some body close
the remote access or unshare the hidden drives.....ETC
the software that didnt continue installation because of
the permission is Adobe acrobat reader .

again thanks for that interisting discussion

Maged

 

[Lanwench [MVP - Exchange]]

Hi -

I'm not sure what specific policies you need to open up to do all this - but
someone else may post. sorry!