Allow a domain user access to administrative shares on some PCs


Solution 1

The fix was to add Snowy into the LOCAL admin group for each PC. I did this with a nice group policy

Create a policy and choose Edit. Since this needs to apply on a per-computer basis, in the Group Policy Management Editor console expand Computer Configuration > Preferences > Control Panel Settings and click on Local Users and Groups. As you can see, there is other stuff you can configure here too, like shortcuts, printers, enabling or disabling services on clients, etc., and if you open the Windows Settings folder you can find more. Feel free to explore and test them, but right now right-click on Local Users and Groups and choose New > Local Group. The Local User option is there in case you want to remove or update/modify some local users you might have on your clients. You can also create them.

Configure Local Groups using Group Policy Preferences

On the Action drop-down box you have multiple choices. If you want to create a new local group on your clients, go with the Create option; if you want to replace a local group with the one you name here, go with Replace, and so on. Right now choose Update and from the Group name drop-down box select the local group on which you want to make changes. The local Administrators and local Remote Desktop Users are the most used ones. If the group name you want to update is not listed here you can type it, but do not click the ellipsis button and search for it because it will search the domain, and you don’t want that.

Add Snowy but don't replace - just set to Update

http://www.vkernel.ro/blog/add-domain-users-to-local-groups-using-group-policy-preferences
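Once the policy has applied, a check like the following confirms that Snowy ended up in the local Administrators group only on the PCs you chose. This is an added example, not part of the original answer; the domain name CONTOSO is a placeholder, and it assumes PowerShell remoting (WinRM) is enabled on the target PCs and that you run it as an account that is already an administrator there.

```powershell
# Added example: audit that a domain user is a local administrator only where intended.
# Assumptions (not from the original page): placeholder domain CONTOSO, WinRM enabled
# on the targets, and the caller already has admin rights on them.

$Account = 'CONTOSO\Snowy'   # replace CONTOSO with your domain's NetBIOS name

# Expected state per computer: $true = should be a local admin, $false = must not be.
$Expected = [ordered]@{
    'JOHN-PC' = $true
    'ROB-PC'  = $false
}

function Test-LocalAdminMember {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Account
    )
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; querying by SID
    # avoids problems with localized group names. Only direct members are listed,
    # so access granted through a nested domain group will not match here.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    }
    return ($members -contains $Account)   # -contains is case-insensitive for strings
}

$report = foreach ($pc in $Expected.Keys) {
    try {
        $actual = Test-LocalAdminMember -ComputerName $pc -Account $Account
        [pscustomobject]@{
            Computer = $pc
            Expected = $Expected[$pc]
            Actual   = $actual
            Status   = if ($actual -eq $Expected[$pc]) { 'OK' } else { 'MISMATCH' }
        }
    } catch {
        # Unreachable host or remoting disabled: report it rather than assume a result.
        [pscustomobject]@{
            Computer = $pc; Expected = $Expected[$pc]; Actual = $null
            Status   = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize
```

A MISMATCH on a PC that should not grant access usually means the policy's scope (OU link or security filtering) covers more computers than intended.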

Solution 2

Well, the built-in C$ share is an "Administrative Share" - so the clue is in the name there. If they really need access to that one, then I think they need to be in the Local Admins group or similar.

You can add users (Or Groups) to a PC's Local Groups by using Group Policy.

Alternatively, you could create a specific share on each PC under whichever Folder he needs to access. That's a manual task on each PC.


Author: Robinhrvatska

Updated on September 18, 2022

Comments

  • Robinhrvatska over 1 year

    We have an AD domain. We have a domain user called Snowy and a domain user called John. I am the domain admin Rob. John's PC is called JOHN-PC. My PC is called ROB-PC.

    I want to allow Snowy access to \\JOHN-PC\C$ but not \\ROB-PC\C$

    I realise I can login to JOHN-PC and add Snowy to the local admin group. However I want to allow Snowy access to admin shares on multiple PCs of my choosing and so I need to do this without actually logging on to JOHN-PC or the other ones.

    Our AD is at 2016 level and I tried adding Snowy to various "power user" type groups (eg Key Admins) without actually making him a domain admin, which I don't want to do. Not worked.

    Is there a way of doing this in AD or with policies?

    thanks in advance

    Rob

  • Robinhrvatska over 6 years
    Thanks Dan - can you expand on how I would "add users (Or Groups) to a PC's Local Groups by using Group Policy."