A user on our network disables the admin shares with a batch file that runs every time the computer starts up. I would like to disable this without the user's knowledge. I would also like to do this remotely and at will. Is this possible?

This user likes to use their knowledge to circumvent our company's acceptable use policy.

The machine in question is Windows 7 Pro 32-bit. We use Server 2003 for our Domain.

  • Is he an administrator on his local machine? If he has a local administrator account, physical access, and knowledge he will be able to override anything you try to do. – Zoredache Aug 24 '10 at 16:45
  • +1. You could try enforcing this via GPO – gWaldo Aug 24 '10 at 16:55

3 Answers


Though there may be a technical solution to this, it's really more of a policy/HR issue. Inform that user's manager of the situation as well as the HR department. If they turn a blind eye to the situation, then there's not a whole lot left for you to do. In this situation, they're implicitly condoning his behavior and even if you disabled his ability to turn off the admin share, you'd likely hear about it and be asked to re-enable the user to continue his behavior.

Does this user have administrative privileges? (I'm assuming yes) Short of removing these, I'm not sure how you'd prevent him from disabling the admin share.

  • +1. Agreed; circumventing policy is an HR issue. – gWaldo Aug 24 '10 at 16:57
  • I'd second this. I would guess that his (new?) boss doesn't know about this behaviour. – ChrisF Aug 24 '10 at 16:57
  • You don't need admin shares in order to gather evidence of that. The proxy and/or firewall logs should be more than enough. – Massimo Aug 24 '10 at 17:10
  • In addition to what Massimo suggested, mirror the switchport that his workstation is plugged into and fire up Wireshark. That should be all the evidence you need. – EEAA Aug 24 '10 at 17:12
  • I am still trying to work that out. Ours is not a sophisticated network nor am I an experienced Admin. My background is not specifically IT oriented (I'm an EE) but it is my passion and chosen profession. I have a Sonicwall TZ-100 that is recording but not blocking all traffic. I have no idea how to extract the information pertaining to torrent traffic from the SYSLOGs and reports this device generates. – Hannibal Aug 24 '10 at 17:17
  • Unmanaged HP switches? I wasn't even aware that they made anything other than managed switches. Anyway, do you happen to have a small hub (not a switch, needs to be a hub) around? If so, put that in line between his workstation and the switch. Then you should be able to connect your Wireshark machine to any of the hub's ports and get an exact copy of the traffic that is being sent/received from this user's machine. – EEAA Aug 24 '10 at 17:22
  • P2P file sharing is a huge security concern. Many viruses that are available via P2P shares aren't even recognized by top performing virus scanners. If I were you I'd confiscate his computer on the grounds of a "Security Breach, and Possible Virus Infection." Report to management that you believe it is the result of P2P file sharing, the evidence will be all over the computer. The evidence needed to confiscate the machine would go like "Are you using any P2P services on your machine? No? Well, you probably have a virus then, I have to take your machine. Now." – IceMage Aug 24 '10 at 18:52

This isn't a very elegant solution, but you could just create a scheduled task to re-enable the admin share, and have it run every hour. If he has permissions to add/remove scheduled tasks, then he could disable the task as well, but you could also use a group policy to prohibit him from accessing that particular MMC snapin. (Scheduled tasks in Windows 7 are an MMC snapin, whereas in XP and Server 2003 they are not, so you may need to make these configurations from another Windows 7 computer, not from the DC, since I don't think the tasks plugin will appear on the DC.)

  • You could definitely do it remotely as long as you have the proper credentials to do so. He might notice the effects, but unless he regularly hangs out in the task scheduler, I doubt he'd see it unless he goes looking. In order to do it remotely, open up `mmc.exe`, click File -> Add/Remove snapin, and select "task scheduler", then click "add". When prompted, select "another computer" and enter the name of the user's computer. Once connected, you should be able to add/remove tasks. Again, you'll need to do this from a Win7 or Server 2k8 machine, not Server 2003. – nhinkle Aug 24 '10 at 22:05
  • Hmm. Is there a way for you to reverse the process that he used to disable them? If you could provide a link to some info on how the disabling works, I can look at it and see if I can think of a way to re-enable it. That also gives me the other thought that you could perhaps find a way to simply remove his ability to disable the share in the first place, though at the moment I can't think of a way to do that. – nhinkle Aug 26 '10 at 21:43
  • Ah, so he's outright deleting them, not just disabling them. I checked and it looks like system network shares (like admin$) can't have their permissions changed. If you want to try to run a batch file to recreate the shares, the command would be `net share admin$="%WINDIR%" /grant:Administrators,FULL`. To get this to run after his runs, you could schedule it to run at logon, then have the first command be a delay. There's no built-in sleep command in Windows, but you can download sleep.exe from Microsoft, or just ping a bunch of times to slow it down. – nhinkle Aug 27 '10 at 20:49
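
The batch file described in the answer and comments above, written out as an added example that is not part of the original thread. It also writes an Application event log entry each time the share is found missing, which supports the documentation the other answers recommend. The event source name, event IDs, task name, `PC-NAME` and the script path are assumptions.

```batch
@echo off
rem restore-admin-share.cmd -- added example, not from the original thread.
rem Run elevated (for example as SYSTEM from a scheduled task).
setlocal

rem Hypothetical event source name, so the entries are easy to filter later.
set "SRC=AdminShareCheck"

rem Wait about 60 seconds so this runs after the user's startup batch file.
rem ping stands in for the sleep command that cmd.exe lacks.
ping -n 61 127.0.0.1 >nul

rem "net share <name>" sets a non-zero errorlevel when the share is missing.
net share ADMIN$ >nul 2>&1
if not errorlevel 1 goto :done

rem Record the finding first: each entry is timestamped evidence that the
rem share had been removed on this machine.
eventcreate /l APPLICATION /t WARNING /id 900 /so %SRC% /d "ADMIN$ share was missing; recreating it." >nul

rem Recreate the share with the command given in the comment above.
net share ADMIN$="%WINDIR%" /grant:Administrators,FULL >nul 2>&1
if errorlevel 1 (
    eventcreate /l APPLICATION /t ERROR /id 901 /so %SRC% /d "Failed to recreate ADMIN$." >nul
    endlocal & exit /b 1
)

:done
endlocal & exit /b 0

rem Registering the task from a Windows 7 / Server 2008 admin workstation
rem (PC-NAME and the script path are placeholders; use /sc onlogon instead
rem of /sc hourly to run it at logon):
rem   schtasks /create /s PC-NAME /ru SYSTEM /sc hourly /tn "RestoreAdminShare" /tr "C:\Scripts\restore-admin-share.cmd" /f
```

As the other answers point out, a user with local administrator rights can delete or disable this task, so it only holds once those rights are removed.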

Regardless of this being an HR issue or not, the problem still exists that a user has the capability to circumvent policy. While contacting HR is a must on the list (the user is doing it on purpose), the next item on the list is to ensure it does not happen again.

As far as management making you change the settings back, I find this grossly unlikely, since the user is in effect making their machine "unmanageable," and therefore it is now a vulnerability.

First off, make sure the user isn't an administrator on the computer. Second, you can enforce a group policy to disable whatever program the user is using in their script to disable those shares.


  • @user52180: No offense, but if you're just playing his game, it probably won't work well for you. If you don't resolve the root issue (local admin access, no support from HR for AUP) then you can't stop him from manually performing the same actions. Adding another layer of scripting in order to out-fox him isn't very efficient use of your time. – jscott Aug 24 '10 at 18:34
  • Startup scripts in that folder run last. As the previous comment above states, you still need to contact your HR, and be able to cite policy specifically (By page and paragraph). You can also move or rename the NET.exe program so that it will no longer work. Also, I can't stress enough that you remove his administrator privileges from the box if he has them. You will never win this battle if he has admin privileges locally. – IceMage Aug 24 '10 at 18:42
  • @Hannibal: Please see Zoredache's comment on your original question. If you can't remove his local admin access (and get support for keeping it that way) there is *nothing* you can do to stop him. You won't find a technical solution to a political problem. – jscott Aug 24 '10 at 19:46
  • @Hannibal Since you are in this rock and a hard place, make sure you document everything, including his batch file that prevents admin shares, the network traffic, the request to have this behavior stopped etc. Also, you should check out some of the open source appliances available that can filter internet traffic. I use an appliance called untangle, but there are more (and some even better) ones out there. – IceMage Aug 25 '10 at 17:08