Hi
Background - Windows XP SP1 workstations log into Windows 2003 Active Directory. Machines are all members of the domain. We use AD Group Policy to elevate local privileges, e.g. some users are local administrators. We do this via the following Group Policy:
Workstation Policy\Windows Settings\Restricted Groups Members - Desktop Open users
Group - Builtin\Administrators
In other words, users who are members of the AD group Desktop Open users are given local admin equivalence. This works fine.
Issue
My issue is that any user who is a local admin equivalent can map to any c$ share of any other local admin user without being prompted for a target password. This makes sense as they are in the AD group that is a member of the local administrators group. Is there a way or a group policy that will prompt for the target credentials?
I don't want users to be able to map to any workstation without entering the local admin password of the target system (users don't know this password). I know I could enable the MS firewall to get around it, but is there an easier way? I don't want to stop sharing the c$ share as this may cause issues with certain apps.
What are my options?
Thanks