Hiding Sysvol and Netlogon shares?

Hi there,

Is it possible to hide the sysvol and netlogon shares on our windows
domain network?

We have a windows domain on a subnet and another standalone server on
the same subnet that will be managed by someone else. I am just
carrying out some tests and from the standalone server and they are
able to browse the shares and write files to the sysvol share!!

Is there anyway i can secure these two shares? is it possible to put
a $ on the end of the share to hide it?

Anyone any ideas on what is possible? I don't want to come in one day
to find that the domain has gone down because someone has messed up
the sysvol share!

Thanks

Howdie!

foxj77 wrote:
> Is it possible to hide the sysvol and netlogon shares on our windows
> domain network?
>
> We have a windows domain on a subnet and another standalone server on
> the same subnet that will be managed by someone else. I am just
> carrying out some tests and from the standalone server and they are
> able to browse the shares and write files to the sysvol share!!
>
> Is there anyway i can secure these two shares? is it possible to put
> a $ on the end of the share to hide it?

Those shares are used by a number of functions within Windows Server and
Windows clients. I wouldn't wanna mess with them and hide them, move
them, whatever.

Since those folks have access to the shares, I would investigate why
they have that sort of access in the first place - are they in security
groups they shouldn't be in? Tailor down their permission by removing
them from priviledged groups or customize security on both shares (test
that thoroughly!)

Cheers,
Florian

Hello foxj77,

Leave them alone, they are essential for functioning domain. The only one
able to mess up with them are the administrators, users are NOT able to change
anything there.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi there,
>
> Is it possible to hide the sysvol and netlogon shares on our windows
> domain network?
>
> We have a windows domain on a subnet and another standalone server on
> the same subnet that will be managed by someone else. I am just
> carrying out some tests and from the standalone server and they are
> able to browse the shares and write files to the sysvol share!!
>
> Is there anyway i can secure these two shares? is it possible to put
> a $ on the end of the share to hide it?
>
> Anyone any ideas on what is possible? I don't want to come in one day
> to find that the domain has gone down because someone has messed up
> the sysvol share!
>
> Thanks
>

On Nov 5, 10:03*am, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de>
wrote:
> Hello foxj77,
>
> Leave them alone, they are essential for functioning domain. The only one
> able to mess up with them are the administrators, users are NOT able to change
> anything there.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi there,
>
> > Is it possible to hide the sysvol and netlogon shares on our windows
> > domain network?
>
> > We have a windows domain on a subnet and another standalone server on
> > the same subnet that will be managed by someone else. *I am just
> > carrying out some tests and from the standalone server and they are
> > able to browse the shares and write files to the sysvol share!!
>
> > Is there anyway i can secure these two shares? *is it possible to put
> > a $ on the end of the share to hide it?
>
> > Anyone any ideas on what is possible? *I don't want to come in one day
> > to find that the domain has gone down because someone has messed up
> > the sysvol share!
>
> > Thanks

The seperate server i am trying to access them from use to be part of
the domain. It looks like i have the same admin user locally as my
domain admin account and possible something to do with cached
credentials or something weird with kerbos.

When I create a new local admin users I cannot see anything and things
are fine!

Howdie!

foxj77 wrote:
> The seperate server i am trying to access them from use to be part of
> the domain. It looks like i have the same admin user locally as my
> domain admin account and possible something to do with cached
> credentials or something weird with kerbos.

Dublicate local users with equal passwords wouldn't end in such a
result, either. I suspect you have those users in an over-priviledged
AD-groups (possibly Domain Administrators) and their logging on with
those creds. You should investigate what group membership they have
(whoami /all is something you can do while they're logged on)

Cheers,
Florian