|
View Full Version : Heddin shares restrections
Hi
at work i have Win2000 domain , i am the administrator of
it , some day when i try to access the C$ drive one one
workstation it gives me message sys windows cannot find
the drive check the spelling and try again or tey
searching , i know that the user of that workstation had
unshared his C$ drive , but i am the administrator on that
network i want too do scan for his machine or backup his
files , so i need the C hard drive to have always the
heddin share C$, to be able at any time to have access for
it , so how can i make restriction for unsharing the
hidden shared drives .
another question , if i want to close just the access to
the GPEDIT.MSC , because i dont like any body to play with
it , and how to make the policy of the domain that if any
clint delete the domain administrator from his local
administrators to not access the domain resources .
please for any body know about thease matters to share me
his knowledge and i'll appriciate so much
Thanks
Maged
|
Lanwench [MVP - Exchange] Maged N. Roshdy wrote:[color=blue]
> Hi
> at work i have Win2000 domain , i am the administrator of
> it , some day when i try to access the C$ drive one one
> workstation it gives me message sys windows cannot find
> the drive check the spelling and try again or tey
> searching , i know that the user of that workstation had
> unshared his C$ drive , but i am the administrator on that
> network i want too do scan for his machine or backup his
> files , so i need the C hard drive to have always the
> heddin share C$, to be able at any time to have access for
> it , so how can i make restriction for unsharing the
> hidden shared drives .[/color]
Take all end users out of the local admins group.
Also - since you have a domain, you really ought to have everyone store ALL
their data on the server - use folder redirection to move My Documents to
their home directories, etc. Workstation backups are a pain and aren't very
reliable.[color=blue]
>
> another question , if i want to close just the access to
> the GPEDIT.MSC , because i dont like any body to play with
> it , and how to make the policy of the domain that if any
> clint delete the domain administrator from his local
> administrators to not access the domain resources .[/color]
Again, take the end users out of the local admin group and they can't do
this.[color=blue]
>
> please for any body know about thease matters to share me
> his knowledge and i'll appriciate so much
>
> Thanks
>
> Maged[/color]
|
ok but i want to keep the users administrators on thier
workstations i just dont like them to affect the
administrator tools of the domain like the securety and
the hidden shares , so is there a customize solution can
do that .
Maged[color=blue]
>-----Original Message-----
>Maged N. Roshdy wrote:[color=green]
>> Hi
>> at work i have Win2000 domain , i am the administrator[/color][/color]
of[color=blue][color=green]
>> it , some day when i try to access the C$ drive one one
>> workstation it gives me message sys windows cannot find
>> the drive check the spelling and try again or tey
>> searching , i know that the user of that workstation had
>> unshared his C$ drive , but i am the administrator on[/color][/color]
that[color=blue][color=green]
>> network i want too do scan for his machine or backup his
>> files , so i need the C hard drive to have always the
>> heddin share C$, to be able at any time to have access[/color][/color]
for[color=blue][color=green]
>> it , so how can i make restriction for unsharing the
>> hidden shared drives .[/color]
>
>Take all end users out of the local admins group.
>
>Also - since you have a domain, you really ought to have[/color]
everyone store ALL[color=blue]
>their data on the server - use folder redirection to move[/color]
My Documents to[color=blue]
>their home directories, etc. Workstation backups are a[/color]
pain and aren't very[color=blue]
>reliable.[color=green]
>>
>> another question , if i want to close just the access to
>> the GPEDIT.MSC , because i dont like any body to play[/color][/color]
with[color=blue][color=green]
>> it , and how to make the policy of the domain that if[/color][/color]
any[color=blue][color=green]
>> clint delete the domain administrator from his local
>> administrators to not access the domain resources .[/color]
>
>Again, take the end users out of the local admin group[/color]
and they can't do[color=blue]
>this.[color=green]
>>
>> please for any body know about thease matters to share[/color][/color]
me[color=blue][color=green]
>> his knowledge and i'll appriciate so much
>>
>> Thanks
>>
>> Maged[/color]
>
>
>.
>[/color]
|
Maged N. Roshdy wrote:
[color=blue]
> (snip)
> and how to make the policy of the domain that if any
> clint delete the domain administrator from his local
> administrators to not access the domain resources .[/color]
Hi
Restricted Groups enforced with Group Policy is maybe an option:
[url]http://groups.google.com/groups?selm=uM5aZa1YDHA.440%40tk2msftngp13.phx.gbl[/url]
and
How to Configure a Global Group to Be a Member of the Administrators Group on
all Workstations
[url]http://support.microsoft.com/default.aspx?scid=kb;en-us;320065[/url]
We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.
This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduces.
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
[url]http://www.microsoft.com/technet/scriptcenter/default.mspx[/url]
|
Lanwench [MVP - Exchange] [email]anonymous@discussions.microsoft.com[/email] wrote:[color=blue]
> ok but i want to keep the users administrators on thier
> workstations[/color]
Why? Do you have (badly written) software that requires this?
[color=blue]
> i just dont like them to affect the
> administrator tools of the domain like the securety and
> the hidden shares , so is there a customize solution can
> do that .[/color]
If regular user rights don't work because you have software that won't run
that way, try putting them in Power Users instead of local admins to see if
they can still run the software.
[color=blue]
>
> Maged[color=green]
>> -----Original Message-----
>> Maged N. Roshdy wrote:[color=darkred]
>>> Hi
>>> at work i have Win2000 domain , i am the administrator of
>>> it , some day when i try to access the C$ drive one one
>>> workstation it gives me message sys windows cannot find
>>> the drive check the spelling and try again or tey
>>> searching , i know that the user of that workstation had
>>> unshared his C$ drive , but i am the administrator on that
>>> network i want too do scan for his machine or backup his
>>> files , so i need the C hard drive to have always the
>>> heddin share C$, to be able at any time to have access for
>>> it , so how can i make restriction for unsharing the
>>> hidden shared drives .[/color]
>>
>> Take all end users out of the local admins group.
>>
>> Also - since you have a domain, you really ought to have everyone
>> store ALL their data on the server - use folder redirection to move
>> My Documents to their home directories, etc. Workstation backups are
>> a pain and aren't very reliable.[color=darkred]
>>>
>>> another question , if i want to close just the access to
>>> the GPEDIT.MSC , because i dont like any body to play with
>>> it , and how to make the policy of the domain that if any
>>> clint delete the domain administrator from his local
>>> administrators to not access the domain resources .[/color]
>>
>> Again, take the end users out of the local admin group[/color]
> and they can't do[color=green]
>> this.[color=darkred]
>>>
>>> please for any body know about thease matters to share me
>>> his knowledge and i'll appriciate so much
>>>
>>> Thanks
>>>
>>> Maged[/color]
>>
>>
>> .[/color][/color]
|
Nice question. I spent an hour or so looking all over the net and couldn't find anything to protect the shares. Delete yes, but not protect against deletion. If you're admin, you can get rid of them. However, let's look at the task another way. Why don't you just check right before you do things to see if they are there, and if not create them on the fly? It's a few lines of script but that shouldn't be too hard. Hope this helps. -- Mark-Allen Perry ALPHA Systems, Switzerland mark-allen AT mvps DOT org "Maged N. Roshdy" wrote in message news:42a801c4730f$3acd1900$a501280a@phx.gbl...
Hi
at work i have Win2000 domain , i am the administrator of
it , some day when i try to access the C$ drive one one
workstation it gives me message sys windows cannot find
the drive check the spelling and try again or tey
searching , i know that the user of that workstation had
unshared his C$ drive , but i am the administrator on that
network i want too do scan for his machine or backup his
files , so i need the C hard drive to have always the
heddin share C$, to be able at any time to have access for
it , so how can i make restriction for unsharing the
hidden shared drives .
another question , if i want to close just the access to
the GPEDIT.MSC , because i dont like any body to play with
it , and how to make the policy of the domain that if any
clint delete the domain administrator from his local
administrators to not access the domain resources .
please for any body know about thease matters to share me
his knowledge and i'll appriciate so much
Thanks
Maged
|
i moved the users to the local power users group but they
cant modify the regional options , how can i give that
permission to the pwer users group
another question , why some programs installed with the
power users level and some other programs deny that and
requier administration permission.
discussing that with you was really usefull for me . thank
you for giving me that chance
Maged[color=blue]
>-----Original Message-----
>anonymous@discussions.microsoft.com wrote:[color=green]
>> ok but i want to keep the users administrators on thier
>> workstations[/color]
>
>Why? Do you have (badly written) software that requires[/color]
this?[color=blue]
>[color=green]
>> i just dont like them to affect the
>> administrator tools of the domain like the securety and
>> the hidden shares , so is there a customize solution can
>> do that .[/color]
>
>If regular user rights don't work because you have[/color]
software that won't run[color=blue]
>that way, try putting them in Power Users instead of[/color]
local admins to see if[color=blue]
>they can still run the software.
>[color=green]
>>
>> Maged[color=darkred]
>>> -----Original Message-----
>>> Maged N. Roshdy wrote:
>>>> Hi
>>>> at work i have Win2000 domain , i am the[/color][/color][/color]
administrator of[color=blue][color=green][color=darkred]
>>>> it , some day when i try to access the C$ drive one[/color][/color][/color]
one[color=blue][color=green][color=darkred]
>>>> workstation it gives me message sys windows cannot[/color][/color][/color]
find[color=blue][color=green][color=darkred]
>>>> the drive check the spelling and try again or tey
>>>> searching , i know that the user of that workstation[/color][/color][/color]
had[color=blue][color=green][color=darkred]
>>>> unshared his C$ drive , but i am the administrator on[/color][/color][/color]
that[color=blue][color=green][color=darkred]
>>>> network i want too do scan for his machine or backup[/color][/color][/color]
his[color=blue][color=green][color=darkred]
>>>> files , so i need the C hard drive to have always the
>>>> heddin share C$, to be able at any time to have[/color][/color][/color]
access for[color=blue][color=green][color=darkred]
>>>> it , so how can i make restriction for unsharing the
>>>> hidden shared drives .
>>>
>>> Take all end users out of the local admins group.
>>>
>>> Also - since you have a domain, you really ought to[/color][/color][/color]
have everyone[color=blue][color=green][color=darkred]
>>> store ALL their data on the server - use folder[/color][/color][/color]
redirection to move[color=blue][color=green][color=darkred]
>>> My Documents to their home directories, etc.[/color][/color][/color]
Workstation backups are[color=blue][color=green][color=darkred]
>>> a pain and aren't very reliable.
>>>>
>>>> another question , if i want to close just the access[/color][/color][/color]
to[color=blue][color=green][color=darkred]
>>>> the GPEDIT.MSC , because i dont like any body to play[/color][/color][/color]
with[color=blue][color=green][color=darkred]
>>>> it , and how to make the policy of the domain that[/color][/color][/color]
if any[color=blue][color=green][color=darkred]
>>>> clint delete the domain administrator from his local
>>>> administrators to not access the domain resources .
>>>
>>> Again, take the end users out of the local admin group[/color]
>> and they can't do[color=darkred]
>>> this.
>>>>
>>>> please for any body know about thease matters to[/color][/color][/color]
share me[color=blue][color=green][color=darkred]
>>>> his knowledge and i'll appriciate so much
>>>>
>>>> Thanks
>>>>
>>>> Maged
>>>
>>>
>>> .[/color][/color]
>
>
>.
>[/color]
|
Lanwench [MVP - Exchange] Maged N. Roshdy wrote:[color=blue]
> i moved the users to the local power users group but they
> cant modify the regional options , how can i give that
> permission to the pwer users group[/color]
Not sure what you're actually trying to allow - what specifically, and
again, why?
[color=blue]
> another question , why some programs installed with the
> power users level and some other programs deny that and
> requier administration permission.[/color]
I personally don't like users installing any software and don't generally
put them even in PowerUsers. But to answer your question, it depends on the
software itself - and what it requires permissions for in order to be
installed.[color=blue]
>
> discussing that with you was really usefull for me . thank
> you for giving me that chance[/color]
No problem - hope this helps.[color=blue]
>
> Maged[color=green]
>> -----Original Message-----
>> [email]anonymous@discussions.microsoft.com[/email] wrote:[color=darkred]
>>> ok but i want to keep the users administrators on thier
>>> workstations[/color]
>>
>> Why? Do you have (badly written) software that requires this?
>>[color=darkred]
>>> i just dont like them to affect the
>>> administrator tools of the domain like the securety and
>>> the hidden shares , so is there a customize solution can
>>> do that .[/color]
>>
>> If regular user rights don't work because you have software that
>> won't run that way, try putting them in Power Users instead of[/color]
> local admins to see if[color=green]
>> they can still run the software.
>>[color=darkred]
>>>
>>> Maged
>>>> -----Original Message-----
>>>> Maged N. Roshdy wrote:
>>>>> Hi
>>>>> at work i have Win2000 domain , i am the[/color][/color]
> administrator of[color=green][color=darkred]
>>>>> it , some day when i try to access the C$ drive one one
>>>>> workstation it gives me message sys windows cannot find
>>>>> the drive check the spelling and try again or tey
>>>>> searching , i know that the user of that workstation had
>>>>> unshared his C$ drive , but i am the administrator on that
>>>>> network i want too do scan for his machine or backup his
>>>>> files , so i need the C hard drive to have always the
>>>>> heddin share C$, to be able at any time to have[/color][/color]
> access for[color=green][color=darkred]
>>>>> it , so how can i make restriction for unsharing the
>>>>> hidden shared drives .
>>>>
>>>> Take all end users out of the local admins group.
>>>>
>>>> Also - since you have a domain, you really ought to have everyone
>>>> store ALL their data on the server - use folder redirection to move
>>>> My Documents to their home directories, etc. Workstation backups
>>>> are a pain and aren't very reliable.
>>>>>
>>>>> another question , if i want to close just the access to
>>>>> the GPEDIT.MSC , because i dont like any body to play with
>>>>> it , and how to make the policy of the domain that[/color][/color]
> if any[color=green][color=darkred]
>>>>> clint delete the domain administrator from his local
>>>>> administrators to not access the domain resources .
>>>>
>>>> Again, take the end users out of the local admin group and they
>>>> can't do this.
>>>>>
>>>>> please for any body know about thease matters to[/color][/color]
> share me[color=green][color=darkred]
>>>>> his knowledge and i'll appriciate so much
>>>>>
>>>>> Thanks
>>>>>
>>>>> Maged
>>>>
>>>>
>>>> .[/color]
>>
>>
>> .[/color][/color]
|
I mean i want to allow them to change all the regional
settings options like languages defaults .... etc
in the case of the power users i cant see all the tabs of
the regional settings options , i appreciate your opinion
to not give any permission to the users i also do that but
not for all the users , some users need to install some
software updates and you can say that i have some advanced
users , i want to give him freedom just on thier
workstation , but on the other hand i dont like them to
play in my area , i want to remote there computers at any
time i need without having surprise that some body close
the remote access or unshare the hidden drives.....ETC
the software that didnt continue installation because of
the permission is Adobe acrobat reader .
again thanks for that interisting discussion
Maged
[color=blue]
>-----Original Message-----
>Maged N. Roshdy wrote:[color=green]
>> i moved the users to the local power users group but[/color][/color]
they[color=blue][color=green]
>> cant modify the regional options , how can i give that
>> permission to the pwer users group[/color]
>
>Not sure what you're actually trying to allow - what[/color]
specifically, and[color=blue]
>again, why?
>[color=green]
>> another question , why some programs installed with the
>> power users level and some other programs deny that and
>> requier administration permission.[/color]
>
>I personally don't like users installing any software and[/color]
don't generally[color=blue]
>put them even in PowerUsers. But to answer your question,[/color]
it depends on the[color=blue]
>software itself - and what it requires permissions for in[/color]
order to be[color=blue]
>installed.[color=green]
>>
>> discussing that with you was really usefull for me .[/color][/color]
thank[color=blue][color=green]
>> you for giving me that chance[/color]
>
>No problem - hope this helps.[color=green]
>>
>> Maged[color=darkred]
>>> -----Original Message-----
>>> [email]anonymous@discussions.microsoft.com[/email] wrote:
>>>> ok but i want to keep the users administrators on[/color][/color][/color]
thier[color=blue][color=green][color=darkred]
>>>> workstations
>>>
>>> Why? Do you have (badly written) software that[/color][/color][/color]
requires this?[color=blue][color=green][color=darkred]
>>>
>>>> i just dont like them to affect the
>>>> administrator tools of the domain like the securety[/color][/color][/color]
and[color=blue][color=green][color=darkred]
>>>> the hidden shares , so is there a customize solution[/color][/color][/color]
can[color=blue][color=green][color=darkred]
>>>> do that .
>>>
>>> If regular user rights don't work because you have[/color][/color][/color]
software that[color=blue][color=green][color=darkred]
>>> won't run that way, try putting them in Power Users[/color][/color][/color]
instead of[color=blue][color=green]
>> local admins to see if[color=darkred]
>>> they can still run the software.
>>>
>>>>
>>>> Maged
>>>>> -----Original Message-----
>>>>> Maged N. Roshdy wrote:
>>>>>> Hi
>>>>>> at work i have Win2000 domain , i am the[/color]
>> administrator of[color=darkred]
>>>>>> it , some day when i try to access the C$ drive one[/color][/color][/color]
one[color=blue][color=green][color=darkred]
>>>>>> workstation it gives me message sys windows cannot[/color][/color][/color]
find[color=blue][color=green][color=darkred]
>>>>>> the drive check the spelling and try again or tey
>>>>>> searching , i know that the user of that[/color][/color][/color]
workstation had[color=blue][color=green][color=darkred]
>>>>>> unshared his C$ drive , but i am the administrator[/color][/color][/color]
on that[color=blue][color=green][color=darkred]
>>>>>> network i want too do scan for his machine or[/color][/color][/color]
backup his[color=blue][color=green][color=darkred]
>>>>>> files , so i need the C hard drive to have always[/color][/color][/color]
the[color=blue][color=green][color=darkred]
>>>>>> heddin share C$, to be able at any time to have[/color]
>> access for[color=darkred]
>>>>>> it , so how can i make restriction for unsharing the
>>>>>> hidden shared drives .
>>>>>
>>>>> Take all end users out of the local admins group.
>>>>>
>>>>> Also - since you have a domain, you really ought to[/color][/color][/color]
have everyone[color=blue][color=green][color=darkred]
>>>>> store ALL their data on the server - use folder[/color][/color][/color]
redirection to move[color=blue][color=green][color=darkred]
>>>>> My Documents to their home directories, etc.[/color][/color][/color]
Workstation backups[color=blue][color=green][color=darkred]
>>>>> are a pain and aren't very reliable.
>>>>>>
>>>>>> another question , if i want to close just the[/color][/color][/color]
access to[color=blue][color=green][color=darkred]
>>>>>> the GPEDIT.MSC , because i dont like any body to[/color][/color][/color]
play with[color=blue][color=green][color=darkred]
>>>>>> it , and how to make the policy of the domain that[/color]
>> if any[color=darkred]
>>>>>> clint delete the domain administrator from his local
>>>>>> administrators to not access the domain resources .
>>>>>
>>>>> Again, take the end users out of the local admin[/color][/color][/color]
group and they[color=blue][color=green][color=darkred]
>>>>> can't do this.
>>>>>>
>>>>>> please for any body know about thease matters to[/color]
>> share me[color=darkred]
>>>>>> his knowledge and i'll appriciate so much
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Maged
>>>>>
>>>>>
>>>>> .
>>>
>>>
>>> .[/color][/color]
>
>
>.
>[/color]
|
Lanwench [MVP - Exchange] Hi -
I'm not sure what specific policies you need to open up to do all this - but
someone else may post. sorry!
Maged N. Roshdy wrote:[color=blue]
> I mean i want to allow them to change all the regional
> settings options like languages defaults .... etc
> in the case of the power users i cant see all the tabs of
> the regional settings options , i appreciate your opinion
> to not give any permission to the users i also do that but
> not for all the users , some users need to install some
> software updates and you can say that i have some advanced
> users , i want to give him freedom just on thier
> workstation , but on the other hand i dont like them to
> play in my area , i want to remote there computers at any
> time i need without having surprise that some body close
> the remote access or unshare the hidden drives.....ETC
> the software that didnt continue installation because of
> the permission is Adobe acrobat reader .
>
> again thanks for that interisting discussion
>
> Maged
>[color=green]
>> -----Original Message-----
>> Maged N. Roshdy wrote:[color=darkred]
>>> i moved the users to the local power users group but they
>>> cant modify the regional options , how can i give that
>>> permission to the pwer users group[/color]
>>
>> Not sure what you're actually trying to allow - what specifically,
>> and again, why?
>>[color=darkred]
>>> another question , why some programs installed with the
>>> power users level and some other programs deny that and
>>> requier administration permission.[/color]
>>
>> I personally don't like users installing any software and don't
>> generally put them even in PowerUsers. But to answer your question,
>> it depends on the software itself - and what it requires permissions
>> for in order to be installed.[color=darkred]
>>>
>>> discussing that with you was really usefull for me . thank
>>> you for giving me that chance[/color]
>>
>> No problem - hope this helps.[color=darkred]
>>>
>>> Maged
>>>> -----Original Message-----
>>>> [email]anonymous@discussions.microsoft.com[/email] wrote:
>>>>> ok but i want to keep the users administrators on thier
>>>>> workstations
>>>>
>>>> Why? Do you have (badly written) software that[/color][/color]
> requires this?[color=green][color=darkred]
>>>>
>>>>> i just dont like them to affect the
>>>>> administrator tools of the domain like the securety and
>>>>> the hidden shares , so is there a customize solution can
>>>>> do that .
>>>>
>>>> If regular user rights don't work because you have software that
>>>> won't run that way, try putting them in Power Users[/color][/color]
> instead of[color=green][color=darkred]
>>> local admins to see if
>>>> they can still run the software.
>>>>
>>>>>
>>>>> Maged
>>>>>> -----Original Message-----
>>>>>> Maged N. Roshdy wrote:
>>>>>>> Hi
>>>>>>> at work i have Win2000 domain , i am the administrator of
>>>>>>> it , some day when i try to access the C$ drive one one
>>>>>>> workstation it gives me message sys windows cannot find
>>>>>>> the drive check the spelling and try again or tey
>>>>>>> searching , i know that the user of that[/color][/color]
> workstation had[color=green][color=darkred]
>>>>>>> unshared his C$ drive , but i am the administrator on that
>>>>>>> network i want too do scan for his machine or[/color][/color]
> backup his[color=green][color=darkred]
>>>>>>> files , so i need the C hard drive to have always the
>>>>>>> heddin share C$, to be able at any time to have access for
>>>>>>> it , so how can i make restriction for unsharing the
>>>>>>> hidden shared drives .
>>>>>>
>>>>>> Take all end users out of the local admins group.
>>>>>>
>>>>>> Also - since you have a domain, you really ought to have everyone
>>>>>> store ALL their data on the server - use folder redirection to
>>>>>> move My Documents to their home directories, etc. Workstation
>>>>>> backups are a pain and aren't very reliable.
>>>>>>>
>>>>>>> another question , if i want to close just the access to
>>>>>>> the GPEDIT.MSC , because i dont like any body to play with
>>>>>>> it , and how to make the policy of the domain that if any
>>>>>>> clint delete the domain administrator from his local
>>>>>>> administrators to not access the domain resources .
>>>>>>
>>>>>> Again, take the end users out of the local admin group and they
>>>>>> can't do this.
>>>>>>>
>>>>>>> please for any body know about thease matters to share me
>>>>>>> his knowledge and i'll appriciate so much
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Maged
>>>>>>
>>>>>>
>>>>>> .
>>>>
>>>>
>>>> .[/color]
>>
>>
>> .[/color][/color]
|
|
|
|