Windows 2003 S2k3 Cannot access C$ but have correct permission

  • Thread starter Thread starter Kat
  • Start date Start date
K

Kat

I set up a new file server and I'm trying to access the C$ drive. I
have added the domain admin account with Full access to the drive.
When I try to access it with that domain admin login, I get the
following error:

\\server\c$ is not accessible. You might not have permission to use
this network resource.

Multiple connections to a server or shared resource by the same user,
using more than one user name, are not allowed. Disconnect all
previous connections to the server or shared resource and try again.

----

I checked the server and I do not have any open sessions. Any ideas???
 
C$ is an asministrative "share" and cannot be edited. What you did was allow
domain admin NTFS permissions on C:\. Check to make sure Domain Admins are
members of the local Administrators group on the server in question.


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187633656.491682.269840@i38g2000prf.googlegroups.com...
>I set up a new file server and I'm trying to access the C$ drive. I
> have added the domain admin account with Full access to the drive.
> When I try to access it with that domain admin login, I get the
> following error:
>
> \\server\c$ is not accessible. You might not have permission to use
> this network resource.
>
> Multiple connections to a server or shared resource by the same user,
> using more than one user name, are not allowed. Disconnect all
> previous connections to the server or shared resource and try again.
>
> ----
>
> I checked the server and I do not have any open sessions. Any ideas???
>
 
Good idea...

I thought that was going to be it, but I checked and the domain admin
is a member of the local Admin group.

I CAN access D$, however... I'm completely confused.
 
Is the C$ shared (present as a share) ?

If you can access the d$, it may not be a security issue (if the default
permission are still set)
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187635121.977008.197540@j4g2000prf.googlegroups.com...
> Good idea...
>
> I thought that was going to be it, but I checked and the domain admin
> is a member of the local Admin group.
>
> I CAN access D$, however... I'm completely confused.
>
 
C$ is listed under Shared Folders. Permissions are correct. Anything
else that could cause this?
 
What happens if you try to access this as the local machine administrator
and not the domain administrators account?

"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187639685.088548.64550@m37g2000prh.googlegroups.com...
> C$ is listed under Shared Folders. Permissions are correct. Anything
> else that could cause this?
>
 
On the server and workstation, issue a net session to be sure you don't have
session opened with another account.
Can you test from a different client ?

Any security audit fail entry on the server?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187639685.088548.64550@m37g2000prh.googlegroups.com...
> C$ is listed under Shared Folders. Permissions are correct. Anything
> else that could cause this?
>
 
Now I am really confused...

I am able to access the share if I'm logged onto a computer as the
domain admin.

I am NOT able to access if I am logged on with my account on any
computer, even though it prompts for a login and I give the domain
admin account.

I have restarted and no change.

There are no security errors on the server.

I am able to access the C$ of all my others servers as normal.


Thanks for your help with this...I'm totally lost.
 
So now it's narrowed to your account.

Check for your key store:
start / run / control keymgr.dll
Check you don't have the server in the list.



--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187642723.004679.23250@r23g2000prd.googlegroups.com...
> Now I am really confused...
>
> I am able to access the share if I'm logged onto a computer as the
> domain admin.
>
> I am NOT able to access if I am logged on with my account on any
> computer, even though it prompts for a login and I give the domain
> admin account.
>
> I have restarted and no change.
>
> There are no security errors on the server.
>
> I am able to access the C$ of all my others servers as normal.
>
>
> Thanks for your help with this...I'm totally lost.
>
 
I had my boss check with his login as well and he got the same error.
So it looks like it's any account that is not a local server admin.

For the time being I just added our accounts to the local server
admin, but I wish I could figure out why it's only doing this on this
one server.

What is the point of the 'run as' if I can't use it?
 
I thought you was "domain admins" member.

To access administrative share, your need to be an administrator of the
server.

By default, on a domain, the Ad group "domain admins" is member of the
"administrators" local group of every computers.

That's why domain admins can access everywhere.

What do you want to achieve with run as ?
I guess you want to work with a standard account, and use "run as" to make
administrative works. If it's the case, welcome to the best practice
security..run as got some limitation, like you can't access two shares on
the same server at the same time with two account. You have to first
suppress any existing share connection, then access a share with a different
credential.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187644305.717446.266630@m37g2000prh.googlegroups.com...
>I had my boss check with his login as well and he got the same error.
> So it looks like it's any account that is not a local server admin.
>
> For the time being I just added our accounts to the local server
> admin, but I wish I could figure out why it's only doing this on this
> one server.
>
> What is the point of the 'run as' if I can't use it?
>
 
It had me wondering also why they would log onto a server and execute as
RunAs. Although I am a Domain Administrator I always log onto servers as
administraotr.

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message
news:O1cQp$24HHA.5740@TK2MSFTNGP04.phx.gbl...
>I thought you was "domain admins" member.
>
> To access administrative share, your need to be an administrator of the
> server.
>
> By default, on a domain, the Ad group "domain admins" is member of the
> "administrators" local group of every computers.
>
> That's why domain admins can access everywhere.
>
> What do you want to achieve with run as ?
> I guess you want to work with a standard account, and use "run as" to make
> administrative works. If it's the case, welcome to the best practice
> security..run as got some limitation, like you can't access two shares on
> the same server at the same time with two account. You have to first
> suppress any existing share connection, then access a share with a
> different credential.
>
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> "Kat" <katrina.allsup@gmail.com> wrote in message
> news:1187644305.717446.266630@m37g2000prh.googlegroups.com...
>>I had my boss check with his login as well and he got the same error.
>> So it looks like it's any account that is not a local server admin.
>>
>> For the time being I just added our accounts to the local server
>> admin, but I wish I could figure out why it's only doing this on this
>> one server.
>>
>> What is the point of the 'run as' if I can't use it?
>>
>
 
I have always been able to Start, Run, \\server\c$, enter the domain
admin account, and work as needed. I do this for every computer and
server on my network. I have never received this error in 3 years.

I'm not sure why this server is different. It's as though it doesn't
matter what I enter into the login prompt, it is going only by what
account I am currently logged into. I suppose I'll just give up and
assume the server is corrupt somehow...
 
As i mentionned before:
Check for your key store:
start / run / control keymgr.dll
Check you don't have the server in the list.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187646011.946631.220920@q4g2000prc.googlegroups.com...
>I have always been able to Start, Run, \\server\c$, enter the domain
> admin account, and work as needed. I do this for every computer and
> server on my network. I have never received this error in 3 years.
>
> I'm not sure why this server is different. It's as though it doesn't
> matter what I enter into the login prompt, it is going only by what
> account I am currently logged into. I suppose I'll just give up and
> assume the server is corrupt somehow...
>
 
for best security practice, you should not do your daily mails and surf with
a domain admin account.

We had a security audit, and the auditor trapped on the domain admin guy,
changing it's internet explorer icon with a cmd to create a backdoor user.
that's just an example.

The good way is to always log on with a standard user, and elevate your
privileges to administrators to launch mmc to do administrator tasks.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"SBS Rocker" <noreply@NoDomain.com> wrote in message
news:%23l$bDJ34HHA.3940@TK2MSFTNGP05.phx.gbl...
> It had me wondering also why they would log onto a server and execute as
> RunAs. Although I am a Domain Administrator I always log onto servers as
> administraotr.
>
> "Mathieu CHATEAU" <gollum123@free.fr> wrote in message
> news:O1cQp$24HHA.5740@TK2MSFTNGP04.phx.gbl...
>>I thought you was "domain admins" member.
>>
>> To access administrative share, your need to be an administrator of the
>> server.
>>
>> By default, on a domain, the Ad group "domain admins" is member of the
>> "administrators" local group of every computers.
>>
>> That's why domain admins can access everywhere.
>>
>> What do you want to achieve with run as ?
>> I guess you want to work with a standard account, and use "run as" to
>> make administrative works. If it's the case, welcome to the best practice
>> security..run as got some limitation, like you can't access two shares on
>> the same server at the same time with two account. You have to first
>> suppress any existing share connection, then access a share with a
>> different credential.
>>
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>>
>> "Kat" <katrina.allsup@gmail.com> wrote in message
>> news:1187644305.717446.266630@m37g2000prh.googlegroups.com...
>>>I had my boss check with his login as well and he got the same error.
>>> So it looks like it's any account that is not a local server admin.
>>>
>>> For the time being I just added our accounts to the local server
>>> admin, but I wish I could figure out why it's only doing this on this
>>> one server.
>>>
>>> What is the point of the 'run as' if I can't use it?
>>>
>>
>
>
 
On Aug 20, 4:47 pm, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
> for best security practice, you should not do your daily mails and surf with
> a domain admin account.

Yeah, I use my restricted account, which is why I am trying to get Run
As to work.

"It had me wondering also why they would log onto a server and execute
as
RunAs. Although I am a Domain Administrator I always log onto servers
as
administraotr. "

I am trying to use Run As from my computer, trying to access the
server shares. Instead of using Remote Desktop to get to the drives,
I usually just open a cmd and \\server\share\ and enter the domain
admin account. For some reason, this ONE server is not allowing me on
the C$ only.

There was nothing in the box when I ran - start / run / control
keymgr.dll - I must be missing something really easy. In three years
with these servers I've never had this problem though. Very strange.
 
did you try to restart the "server" service ?

did you change your password a few time ago?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187647518.005124.77810@j4g2000prf.googlegroups.com...
> On Aug 20, 4:47 pm, "Mathieu CHATEAU" <gollum...@free.fr> wrote:
>> for best security practice, you should not do your daily mails and surf
>> with
>> a domain admin account.
>
> Yeah, I use my restricted account, which is why I am trying to get Run
> As to work.
>
> "It had me wondering also why they would log onto a server and execute
> as
> RunAs. Although I am a Domain Administrator I always log onto servers
> as
> administraotr. "
>
> I am trying to use Run As from my computer, trying to access the
> server shares. Instead of using Remote Desktop to get to the drives,
> I usually just open a cmd and \\server\share\ and enter the domain
> admin account. For some reason, this ONE server is not allowing me on
> the C$ only.
>
> There was nothing in the box when I ran - start / run / control
> keymgr.dll - I must be missing something really easy. In three years
> with these servers I've never had this problem though. Very strange.
>
 
Hi Kat,
Let's troubleshoot this from the beginning and see what you have here.

1. To any other server you can do a run command \\server\c$ and submit the
Domain Administrator and password? Yes?
2. You cannot run the above command to a particular server? Yes?
3. You get the error message "\\server\c$ is not accessible. You might not
have permission to use this network resource." Yes?
4. You can access that same server \\server\d$ no problem? Yes?

Here's what you need to check. Some of it is redundant but still check it
anyways.
1. Check the local machine "Administrator" group and confirm "Domain Admins"
is a member.
2. Check to make sure you actually do have C$ shared. By defualt it is and
you can change it but it will change back after reboot.
3. Compare the security on C$ to D$ and also to another server that has C$
accessable.
4. Double check the NTFS security for C:\ and make sure the local
"Administrators" have FULL access.





"Kat" <katrina.allsup@gmail.com> wrote in message
news:1187646011.946631.220920@q4g2000prc.googlegroups.com...
>I have always been able to Start, Run, \\server\c$, enter the domain
> admin account, and work as needed. I do this for every computer and
> server on my network. I have never received this error in 3 years.
>
> I'm not sure why this server is different. It's as though it doesn't
> matter what I enter into the login prompt, it is going only by what
> account I am currently logged into. I suppose I'll just give up and
> assume the server is corrupt somehow...
>
 
Back
Top