Well here's the problem. a) Users are local admins of EVERYONE's machines. We used a global group for this.
b) We found that of course they could connect to anyone's hard drive through the C$ share. c) We changed the group policy for "Access thes computer from a network" to Domain admins rather than everyone. d) Step c) solved our remote access problem but caused a new one - no one could connect to a network printer. When someone tried to open the printer it said "Unable to open, Access Denied." I guess there is some kind of reverse access permission needed when attaching to a network printer. So basically I wanted to see if anyone has a solution for this dilemma. We need people to be local admins of their machines, but we don't want them accessing other people's machines. It's impractical to make a specific person a local admin on each specific machine - people and computers are too portable. And if we fix that problem, we can't print. ~Alex -----Original Message----- From: Greg Eytcheson [mailto:[EMAIL PROTECTED] Sent: Friday, March 14, 2003 11:47 AM To: NT 2000 Discussions Subject: RE: Remote Admin shares As long as the workstations don't need to share printers or other file shares, you should be able to accomplish this by revoking the "Access this computer from a network" rights for everyone except Domain Admins. If you are using XP (maybe W2K too), there is also an option to "Deny access to this computer from the network" that you could add the Staff group into. Greg -----Original Message----- From: Alexander Kha Do [mailto:[EMAIL PROTECTED] Sent: Friday, March 14, 2003 1:01 PM To: NT 2000 Discussions Subject: Remote Admin shares If someone is a local admin of a machine, is there a way to restrict their ability to access the c$ share of the machine? Our situation is such that we have a "staff" group which has local admin rights to the standard workstations. Is there any way to make it so that they cannot UNC to the C$ of their coworkers' computers, but we can sitll get in as Domain Admins? ~Alex ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
