Question by reader Kendra:
I stumbled upon your blog/profile while I was looking for options to lockdown my administrative shares. Maybe you can help me. I'm a Network Administrator for an aerospace / engineering firm where users need administrative access to their PCs. The engineers work on very high-level OS and hardware development and need complete control of their systems. As you can imagine this poses a huge security problems for me at the network level. Currently my users are granted local administrator rights via an AD group (Local Admins) which is added to the local Administrators group on their local PCs. This makes it convenient for my engineers to login to any PC in the company and have local admin rights to do whatever they need to do. This also gives all of my users access to each other's administrative shares across the network. For example, anyone in this AD group can run \\computername\c$ and access any PC on my domain. I do NOT want to disable administrative shares as I am using them to automatically deploy desktop configuration settings (email, mapped network drives, printers, etc). Do you know of a way that I can give my engineers local admin rights without giving them rights to each other's administrative shares? Any help would be greatly appreciated.
