How to remove access to C$ share
Hi
All our users are local admin on their own notebook (added through GP Preferences) and it looks like they have access to \\Computer\c$ on all other domain computers. How do I remove that possibility?
/Lasse
October 30th, 2009 12:13pm
Seems like they are domain admins too.
http://www.sysadmins.lv
October 30th, 2009 2:10pm
They are not members of the Domain Admin group, but how can I check? If I check the "Local Users and Groups" I can see Domain.local\Username and also Domain.local\Administrators.
/Lasse
October 30th, 2009 2:57pm
This means that they are admins for the entire domain. Log on to the system with this user and check the 'whoami /all' command output.
> All our users are local admin on their own notebook (Added through GP Preferences)
This is the incorrect way. The correct one is Restricted Groups. You need to roll back this policy (where you define users in GPP) and reassign user rights using the Restricted Groups option in group policies.
Restricted Groups: Security Configuration Editor; Security Services
Restricted Groups
HOW TO: Use Restricted Groups in Windows 2000
http://www.sysadmins.lv
October 30th, 2009 4:33pm
Why is the GP Preferences the wrong way? By using the GPP I can specify that only the user logging in to a domain computer is added to the Local Admin group. By using Restricted Groups I have to add Domain.local\Domain Users which will result in all users being local admin on all domain computers.
/Lasse
October 30th, 2009 5:13pm
> By using Restricted Groups I have to add Domain.local\Domain Users which will result in all users being local admin on all domain computers.
This is the wrong answer. Using Restricted Groups you can specify user principals, not groups only.
http://www.sysadmins.lv
October 30th, 2009 5:21pm
You can freely use the preferences. There is no problem with preferences. You just need to check what is configured incorrectly so that the users are local administrators on all other computers.
As Vadims said, if you see Yourdomain\Administrators as a member of the local administrators, there is a possibility that the users are all members of that group or of any other group that is nested into Yourdomain\Administrators.
I would go to Active Directory and try to find who is actually a member of the Administrators group. You have two options:
a) You can open the Builtin container and open the properties of the Administrators group, find the Members tab and find what groups and users are members. The membership can be nested, so you would need to go recursively through all the groups.
b) Or you can do it automatically using a special LDAP search (just replace your domain name in the DC=, DC= part) and put it into the Find dialog box, in the Custom Search selection on the Advanced tab:
(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,CN=Builtin,DC=yourdomain,DC=local))
ondrej.
October 31st, 2009 4:22pm
Thanks for the replies.
To Vadims: How do I use user principals with Restricted groups without having to add each user manually?
To Ondrej: This doesn't make any sense.... If I add a user to the Local Admin Group and the Domain\Administrators group is a member then the user gets Domain Admin permissions, that sounds totally wrong. I have checked our AD and everything is fine regarding who is member of Administrators group, but that I knew already :-)
/Lasse
November 3rd, 2009 10:04am
If multiple users will have local administrator rights on the same computer you can add these users to a separate group and add this group to the Restricted Groups policy. If different users will have local administrator rights on different computers (for example, user1 on computer1, user2 on computer2, etc.) then you will need to create as many Restricted Groups policies as you have computers for that policy.
http://www.sysadmins.lv
November 3rd, 2009 12:34pm
Then using Restricted Groups is useless in my case. I still don't understand why the users can access \\Computername\C$ when they are only members of the Local Admin group, unless it actually means that they get Domain Admin rights when Domain\Administrators are member of the Local Admin group........
/Lasse
November 4th, 2009 12:19pm
Have you discovered 'whoami /all' output?
http://www.sysadmins.lv
November 4th, 2009 12:55pm
I have just added a new user to our domain and made it a member of "Domain Users" and nothing else. I then tried to login to a computer with the new username and I can still see the C$ on other domain computers. With the new user I am using the GP Preferences to add the user to the Local Admin group and remove all other users except for Administrator (the local admin as far as I can see).
I have now also run "Whoami /all" and the result doesn't give me any information that I don't already have. The user is a member of the following groups according to "Whoami /all":
Domain.local\Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERAKTIVE
NT AUTHORITY\APPROVED USERS (Don't know what the correct name is since I get it in Danish when I run the Whoami command)
LOCAL
The only group I have added the user to is "Domain.local\Domain Users" through "Active Directory Users And Computers" and then the "BUILTIN\Administrators" through the GP Preference. Might this be caused by a permission that the actual Domain Computer has?
/Lasse
November 4th, 2009 2:53pm
Lasse,
I have not been able to reproduce your problem using GP Preferences, however, I may have found something that could be causing the behaviour you're seeing. Here's what I did for testing:
Test Setup:
1 Domain controller
2 Clients running Windows 7 Enterprise - Client1 and Client2
2 test user accounts - Test1 and Test2
Default Domain Policy GPO modified to use GP Preferences. Preferences\Control Panel Settings\Local Users and Groups - added Administrators (Built-in) and selected Update and Add the current user.
First Test:
Rebooted both clients to ensure that GP was applied, logged on to Client1 with Test1, logged on to Client2 with Test2. Logged off both clients and then logged on again with the same accounts to ensure that the Administrator group membership was reflected in each user's access token.
From Client1, while logged on with Test1, attempted to access \\client2\c$. Result: Access Denied.
From Client2, while logged on with Test2, attempted to access \\client1\c$. Result: Access Denied.
Second Test:
Logged on to Client1 with Test2, attempted to access \\client2\c$. Result: Succeeded.
Logged on to Client2 with Test1, attempted to access \\client1\c$. Result: Succeeded.
Observations:
My guess here, and since I don't know exactly how you've been testing at your end, it's only a guess, is that you've logged on to the target computer(s) with the account that you're using on the source computers before attempting to access the C$ share on the target computer. If this is the case, and you've configured your GP Preferences the way I have in my testing, then you're seeing expected behaviour. The way this group membership works by default in GP Preferences is that it will add the current user to the specified group at first logon and will not then remove the user from the group at logoff.
What may resolve your problem is to modify your GP Preferences for the Administrators group and check the box labelled Delete all member users. That way, anytime the GP preferences are applied, any existing user accounts will be removed from the group, and the user logging on will be added. Note that this only affects user accounts and not group accounts, and doesn't seem to affect the local Administrator account at all.
If this isn't your problem then you've got some other group membership issues somewhere in your environment.
Paul Adare
CTO
IdentIT Inc.
ILM MVP
November 4th, 2009 3:09pm
Hi Paul
Thanks for the reply.
I can understand why your second test will succeed, since the users have been logged in to both computers so they are both a member of Local Admin on both computers. We have 80 computers and normally the users only use their own notebook, they rarely log onto a different user's computer so that is not the cause of my problem.
Just as part of finding the problem I have tried changing the GP Preference to the following:
"Do not configure for the current user"
"Delete all member users"
"Delete all member group"
When doing so it leaves me with a "Local Users and Groups\Administrator" group that only contains the Local Administrator account (or at least I assume it's the Local Administrator account). After doing this I can still see the C$ share on the other domain computers.
I have been through all other of the local groups and the only other group that is in use is the "Users" group. The members are:
"NT AUTHORITY\APPROVED USERS" (Don't know what the correct name is, since it is shown in Danish on my test computer)
"NT AUTHORITY\INTERACTIVE"
"Domain.local\Domain Users"
But the "Users" account is pretty limited so that shouldn't be the cause either.
The user I am using for my test is only a member of "Domain Users" and that group is only a member of the builtin group "Users" when checking the "AD Users and Computers". All domain computers are a member of "Domain Computers" and that group is not member of any other group.
I am starting to lose the last bit of hair on my head................
/Lasse
November 4th, 2009 4:15pm
I don't know what else to suggest then. There has to be some kind of difference between your environment and mine as it works as expected here.
Paul Adare
CTO
IdentIT Inc.
ILM MVP
November 4th, 2009 4:32pm
I totally agree. I took over the job as IT admin here and inherited the "problem" but can figure out what is going wrong. I am considering creating a test environment to try to figure out what is going wrong.
When I do the "Whoami /all" with my test user I can see that the user is a member of "BUILTIN\Users", might the problem exist because the C$ share allows Full Access to the "BUILTIN\Users", but how do I remove the user from the "BUILTIN\Users" group? Can't find it anywhere.
/Lasse
November 4th, 2009 4:57pm
Found it..... not the solution but where the "BUILTIN\Users" membership is from when doing the "Whoami /all". That's because "Domain Users" are member of "BUILTIN\Users" in the AD.
I think the solution is to create a test environment to figure out how to solve the problem.
/Lasse
November 4th, 2009 5:01pm
Domain Users must be in the local Users group. However this is not necessary, because when a user interactively logs on to a workstation, the user will become a member of the Interactive group that is nested into the local Users group.
http://www.sysadmins.lv
November 4th, 2009 10:29pm
Hi, you can try to disable the Server service on the clients. Then the access to c$ and admin$ won't work.
/Johan
November 5th, 2009 12:11pm
You can disable it using Group Policies (in Computer Configuration -> Security Settings). However I am not sure if it is the correct way, because you will be unable to administer them remotely, because the IPC$ share will be disabled too.
http://www.sysadmins.lv
November 5th, 2009 2:36pm
I have been doing some further testing and it looks like "Domain Users" are added to the permissions on the C$ share. If I remove every group membership on my test user, except for a new group that I have created for testing purposes, then I can't access the C$ share, I get a login prompt and it doesn't accept my test user. If I add the user to "Domain Users" I can access the C$ share. But where do I manage permissions on the $ share?
/Lasse
November 5th, 2009 2:53pm
You can't change the permissions on the C$ share. Are you certain that Domain Users has not somehow been added to either Domain Admins or to the local Administrators group?
Paul Adare
CTO
IdentIT Inc.
ILM MVP
November 5th, 2009 4:13pm
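An added example (not written by any poster in this thread) that automates the two checks suggested above: the nested-membership LDAP search on the domain Administrators group, and Paul's question of whether a broad group has ended up in a machine's local Administrators group. It assumes Windows PowerShell 5.1 on a domain-joined admin workstation with remote WMI access to the targets; the group DN and the computer names are placeholders.

```powershell
# Added example, not from the thread. $GroupDn and $Computers are placeholders.
$GroupDn   = 'CN=Administrators,CN=Builtin,DC=yourdomain,DC=local'
$Computers = 'CLIENT1', 'CLIENT2'

# 1) Users that are direct or nested members of the domain group.
#    1.2.840.113556.1.4.1941 is the in-chain matching rule; the DC walks the nesting.
$filter   = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"
$searcher = [adsisearcher]$filter
$searcher.PageSize = 500
$searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }

# 2) Members of each computer's local Administrators group, flagging broad principals.
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'Interactive'
}
foreach ($c in $Computers) {
    # Find the group by its well-known SID: the name is localized (e.g. Danish Windows).
    $g = Get-WmiObject Win32_Group -ComputerName $c `
            -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
    $group = [ADSI]"WinNT://$c/$($g.Name),group"

    foreach ($m in $group.Invoke('Members')) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value

        $flag = $broad[$sid]   # $null when the SID is not one of the broad ones above
        if ($sid -match '^S-1-5-21-.+-513$') { $flag = 'Domain Users' }   # RID 513

        [pscustomobject]@{
            Computer = $c
            Member   = $path -replace '^WinNT://'
            Sid      = $sid
            Broad    = $flag
        }
    }
}
```

Any row with a non-empty Broad column means every account in that principal is a local administrator on that computer, which is enough to open its C$ share.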
This is not making any sense..........
The test user is only a member of Domain Users in the Active Directory and on the computer I have removed all users and groups from the Local Administrators group through my GP Preference and I still have full access to the C$ shares.
I am currently creating a test environment where I want to see if I can re-produce the problem.
/Lasse
November 5th, 2009 5:19pm


