All Domain users have access to Domain Controller Admin Shares
I just discovered that all of our domain users can access our domain controller C$ drive shares. I am unsure how long this has been like this, but I do know I (even as network admin) would be prompted for my domain admin credentials to access those shares in the past. All of our member servers prompt for username & password if we attempt to connect to those admin shares.

I am hoping this was an inadvertent change from our end. Any ideas on what settings might allow for this activity, and where I can find them?

Our environment:
Windows 2003 SP2
Win 2003 Forest & Domain level.

Thanks!
Matt

Matt Miller
November 25th, 2009 11:31pm

I have found that my DCs have the setting "Trust this computer for delegation for any service" enabled. Only our DCs have this setting enabled. All other servers are set to "Do not trust..."

I must admit, I am unfamiliar with this setting. It is not one I have had to enable or disable for any purpose. I have read about the need for turning it on for Citrix Kerberos authentication, but also read that it added security risks on our Citrix servers, so I never did anything with it.

Should this setting be enabled on the DC? Is this required for client logon processes? What would happen if I disable it?

Thanks
Matt

Matt Miller
November 25th, 2009 11:50pm

We have this setting disabled and everything works fine: users can't access the C$ shares but can normally log in by using \\DC\Netlogon. You could check this setting in your Default Domain Controller Policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Enable computer and user accounts to be trusted for delegation

Description: Determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using a client's delegated credentials, as long as the client's account does not have the "Account cannot be delegated" account control flag set.

Maybe something is wrong in your setup over here. BTW, there are ways to disable C$ shares on a Domain Controller, but that is not very useful, because backup software and other services need those shares: http://support.microsoft.com/kb/842715/en-us (Overview of problems that may occur when administrative shares are missing)
November 26th, 2009 5:11am
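The answer above points at two places to look: which computer accounts carry the "trusted for delegation" flag, and who actually ends up with admin-share access on the DCs (C$ is only reachable by members of the server's Administrators group, which on a domain controller is the domain's built-in Administrators group). The audit script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) on a management host, an account that can read the domain and query the DCs, and that the DCs accept PowerShell remoting. `Get-SmbShareAccess` only exists on Windows 8 / Server 2012 and later, so on the 2003 DCs in the thread that step will fall back to the NTFS check only.

```powershell
# Added audit script (not from the original thread). Assumes the ActiveDirectory
# module is available and the running account can read the domain and remote to the DCs.
Import-Module ActiveDirectory

$dcNames = (Get-ADDomainController -Filter *).Name

# --- 1. Which computer accounts have TRUSTED_FOR_DELEGATION (userAccountControl 0x80000)?
# DCs carry this flag by default; a member server or workstation with it is worth a review,
# because a process there can use any connecting client's delegated credentials.
Write-Host "=== Computer accounts trusted for delegation ==="
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    ForEach-Object {
        $isDc = $dcNames -contains $_.Name
        [pscustomobject]@{
            Computer           = $_.Name
            IsDomainController = $isDc
            Note               = if ($isDc) { 'expected on a DC' } else { 'REVIEW: non-DC trusted for delegation' }
        }
    } | Format-Table -AutoSize

# --- 2. Who is transitively a member of the built-in Administrators group?
# The LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941) expands nested membership
# server-side and also returns foreign security principals such as Authenticated Users.
Write-Host "=== Transitive members of BUILTIN\Administrators ==="
$adminsDn = (Get-ADGroup -Identity 'Administrators').DistinguishedName
$members  = Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$adminsDn)" -Properties objectSid
$members | Select-Object Name, ObjectClass, @{n='SID'; e={ $_.objectSid.Value }} | Format-Table -AutoSize

# Broad principals that would hand every domain user admin-share access on the DCs:
# Everyone (S-1-1-0), Authenticated Users (S-1-5-11), Domain Users (RID 513).
$broad = $members | Where-Object {
    $_.objectSid.Value -in @('S-1-1-0', 'S-1-5-11') -or $_.objectSid.Value -match '-513$'
}
if ($broad) {
    Write-Warning ("Broad principals nested under Administrators: " + (($broad | ForEach-Object Name) -join ', '))
}

# --- 3. Share-level and NTFS ACLs on each DC's C$ / C:\ root.
# Admin shares default to Administrators-only; a relaxed NTFS ACL on the root still matters
# for anyone who does reach the share.
foreach ($dc in $dcNames) {
    Write-Host "=== $dc ==="
    Invoke-Command -ComputerName $dc -ScriptBlock {
        try {
            # Only available on Windows 8 / Server 2012 and later.
            Get-SmbShareAccess -Name 'C$' -ErrorAction Stop |
                Select-Object AccountName, AccessControlType, AccessRight
        } catch {
            Write-Host "Get-SmbShareAccess unavailable on this host; checking NTFS ACL only."
        }
        (Get-Acl -Path 'C:\').Access |
            Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users' } |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}
```

Read the output top to bottom: a non-DC flagged in step 1 is the delegation concern the thread raises; a broad principal reported in step 2 is the most direct explanation for every domain user reaching C$ on the DCs, since membership of Administrators is what admin shares key on; step 3 shows whether the share or root ACL has been loosened beyond the default.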

Thanks for the reply.

I have that setting enabled in the DC policies. The only account granted that permission is Administrators. None of our member servers have that policy configured. I removed Administrators from the policy list, but it did not appear to affect our setup. I have since added it back in.

Thanks for the notes on disabling the admin shares. I would like to keep the admin shares active, for backups and for admin access; but I do not wish that all domain users be able to access these shares.

Matt

Matt Miller
November 27th, 2009 6:35pm
