[gptalk] Re: GP to stop administrators from sharing their c drive

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 22 Oct 2008 13:30:47 -0500

The c: drive should always be administratively shared as C$. You can
temporarily delete it, but it will always come back when the server
service is restarted or the computer is rebooted. If they are
deliberately stopping/disabling the service altogether, there are a few
things you can do.


1) Native Group Policy can enforce a service's start mode (prevent
them from disabling it), but it can't start the service if it is
stopped. However, I am pretty sure you can use the Group Policy
Preferences (GPP) extensions to do this. I just don't have a GPP-enabled
console to verify. Can anyone check this out? 

2) Write a script to run as a scheduled task on your machines that
checks for the existence of the C$ share. If it has been removed, the
script starts/restarts the server service. A product like SpecOps
Command would work even better for something like this, as you can
assign scripts to run through Group Policy at any time you want (not
just startup/shutdown or logon/logoff).

3) Remove their local admin rights with Restricted Groups policy.
They shouldn't need admin rights anyway (i.e. the "principle of least
privilege" concept), and won't be able to manipulate services or
circumvent Group Policy you're trying to enforce.


Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of David Palombi
Sent: Wednesday, October 22, 2008 12:44 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GP to stop administrators from sharing their c drive




I would like to know if there is a domain group policy that would stop
anyone that is a part of the administrators group who is trying to not
share their C drive? How can you make the service permanently stay on
even if the person wants to change it?
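
The scheduled-task check described in option 2 of the reply above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and an elevated context (for example a task running as SYSTEM); the function names are hypothetical, and the AutoShareWks/AutoShareServer registry check is an addition the thread does not mention.

```powershell
# Added example, not from the original thread. Run elevated (e.g. scheduled task as SYSTEM).
# Assumptions: PowerShell 3.0+; the Server service's short name is LanmanServer.

function Test-AdminShare {
    param([string]$Name = 'C$')
    # Win32_Share lists the shares the Server service is currently publishing.
    # If the service is stopped the query may fail, which also counts as "missing".
    $share = Get-CimInstance -ClassName Win32_Share -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    return [bool]$share
}

function Repair-AdminShare {
    param([string]$Name = 'C$')

    if (Test-AdminShare -Name $Name) { return 'Present' }

    # AutoShareWks / AutoShareServer set to 0 stops Windows from recreating the
    # administrative shares, so a service restart alone would not bring C$ back.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key
    foreach ($value in 'AutoShareWks', 'AutoShareServer') {
        if ($params.PSObject.Properties[$value] -and $params.$value -eq 0) {
            Write-Warning "$value is 0; admin shares will not be recreated on restart."
            return 'AutoShareDisabled'
        }
    }

    # Undo a disabled start mode, then start or restart the service.
    Set-Service -Name LanmanServer -StartupType Automatic
    if ((Get-Service -Name LanmanServer).Status -eq 'Running') {
        Restart-Service -Name LanmanServer -Force   # -Force: the service has dependents
    } else {
        Start-Service -Name LanmanServer
    }

    if (Test-AdminShare -Name $Name) { return 'Restored' }
    return 'StillMissing'
}

$result = Repair-AdminShare
Write-Output "$(Get-Date -Format s) C`$ share check: $result"
# Non-zero exit lets the scheduled task's last-run result flag machines needing attention.
if ($result -in 'AutoShareDisabled', 'StillMissing') { exit 1 }
```

A result of `Restored` on the same machine run after run indicates someone is repeatedly removing the share or stopping the service, which is the situation option 3 addresses.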


