Why is there a C$ share???

[Guest]

I was just wondering why Microsoft has allowed a share from the c: drive,
where are the OS information is at. What I mean is any user on our network
can type \\computername\c$ and access everything on that persons computer.
Just curious.

Also, is this the same for servers? Does a C$ share exist automatically?
Why would you want your users (if they knew this) to access anyone elses
computer like that?

Any feedback is appreciated. Thanks.

 

[David H. Lipman]

It is called an administrative share.

And yes, it is the same for both workstations and servers.

Users should not have access to this share, administrators do.

--
Dave




| I was just wondering why Microsoft has allowed a share from the c: drive,
| where are the OS information is at. What I mean is any user on our network
| can type \\computername\c$ and access everything on that persons computer.
| Just curious.
|
| Also, is this the same for servers? Does a C$ share exist automatically?
| Why would you want your users (if they knew this) to access anyone elses
| computer like that?
|
| Any feedback is appreciated. Thanks.

 

[Guest]

Here we setup Domain Users to be a part of a local admins group on their
PC's, so they can install software without any problems, and so users are
able to logon to different machines. That must be why they can access others
admin share.

Is there a better way to set this up, not to add them to the local admins
group, and still let them do almost anything locally on the machine?

 

[David H. Lipman]

Don't load File & Print Shares on user workstations !

There is also a Registry setting that will allow you to disable administrative shares but my
memory fails me and I don't know it off hand - sorry.

--
Dave




| Here we setup Domain Users to be a part of a local admins group on their
| PC's, so they can install software without any problems, and so users are
| able to logon to different machines. That must be why they can access others
| admin share.
|
| Is there a better way to set this up, not to add them to the local admins
| group, and still let them do almost anything locally on the machine?
|
| "David H. Lipman" wrote:
|
| > It is called an administrative share.
| >
| > And yes, it is the same for both workstations and servers.
| >
| > Users should not have access to this share, administrators do.
| >
| > --
| > Dave
| >
| >
| >
| >
| > | > | I was just wondering why Microsoft has allowed a share from the c: drive,
| > | where are the OS information is at. What I mean is any user on our network
| > | can type \\computername\c$ and access everything on that persons computer.
| > | Just curious.
| > |
| > | Also, is this the same for servers? Does a C$ share exist automatically?
| > | Why would you want your users (if they knew this) to access anyone elses
| > | computer like that?
| > |
| > | Any feedback is appreciated. Thanks.
| >
| >
| >

 

[George M. Garner Jr.]

David,

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Double click on AutoShareServer and set it to 0 to disable it for a server.
Double click on AutoShareWks and set it to 0 to disable it for a
workstation.
If the entries are not present, Add Value of type REG_DWORD. The Range is 0
(disable) or 1 (enable - the default).

Certain miscreant domain management software (like SMS) uses these shares.

Regards,

George.

 

[David H. Lipman]

Thanx George.

Saved for future reference !

--
Dave




| David,
|
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
| Double click on AutoShareServer and set it to 0 to disable it for a server.
| Double click on AutoShareWks and set it to 0 to disable it for a
| workstation.
| If the entries are not present, Add Value of type REG_DWORD. The Range is 0
| (disable) or 1 (enable - the default).
|
| Certain miscreant domain management software (like SMS) uses these shares.
|
| Regards,
|
| George.
|
|

 

[Colin Nash [MVP]]

Here we setup Domain Users to be a part of a local admins group on their
PC's, so they can install software without any problems, and so users are
able to logon to different machines. That must be why they can access
others
admin share.

Is there a better way to set this up, not to add them to the local admins
group, and still let them do almost anything locally on the machine?

Try adding INTERACTIVE to the administrators group.

This will mean anyone whoever is logged in locally will have administrator
access, without including network users.