We have a network of Windows 7 PCs that are managed as part of a domain. What we want is for the domain admin to be unable to view the PC's local drive (C:) unless he is physically at the PC. In other words, no remote desktop and no ability to use UNC. In other words, the domain admin should not be allowed to put \\user_pc\c$ in Windows Explorer and see all the files on that computer, unless he is physically present at the PC itself.

Edit: to clarify some of the questions/comments that have come up. Yes, I am an admin---but a complete Windows novice. And yes, for the sake of this and my similar questions, it is fair to assume that I am working for someone who is paranoid.

I understand the arguments about this being a "social problem versus a technical problem", and "you should be able to trust your admins", etc. But this is the situation in which I find myself. I'm basically new to Windows system administration, but am tasked with creating an environment that is secure by the company owner's definition---and this definition is clearly very different from what most people expect.

In short, I understand that this is an unusual request. But I'm hoping there is enough expertise in the ServerFault community to point me in the right direction.

  • 1,037
  • 2
  • 14
  • 20
  • 4
    Why the hell would you want this? Are *you* in charge of the network, or are you operating out of remit? – Dan Apr 19 '13 at 15:21
  • 4
    This is bad practice. The only ways of accomplishing this involve breaking functionality that isn't meant to be broken, and will still be easy for a Domain Admin to circumvent. Domain Admins should not be DAs unless they are trusted with the entire network and its contents. – Ryan Ries Apr 19 '13 at 15:28
  • 1
    Your lives would get a little more difficult if I were the admin, and found out you were looking for a way to circumvent things. Sounds like you are trying to hide something. – DanBig Apr 19 '13 at 15:36
  • I've just seen your edit - the problem you face is that not only is the definition different from most peoples, it's also very different from Microsoft's. Ultimately, in nearly everything, Microsoft presumes your Domain Admin is completely trustworthy. We can do almost anything, and work round the rest, by using off the shelf tools. – Dan Apr 19 '13 at 20:43
  • 1
    Being a domain admin does not mean you should have unrestricted access to all the data (think financial data, personal employee details, research data, etc.) – Eric Grange Apr 15 '15 at 06:19

3 Answers3


This post, from the Technet forums, by Yan Li explains it easy enough:

Only the Administrators group have access to the administrative shares, please go to the Administrators group and remove the desired users and groups that you do not what to have access to the administrative shares.

For multiple client PCs, you could on one of the machines and disable them as stated below, export the registry key and then in a GPO import it.

Disable the default shares:

Windows open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways.

One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted.

The other way is via the Registry by editing HKeyLocal Machine\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers edit AutoShareServer with a REG_DWORD Value of 0. For Workstations, the edit AutoShareWks. Keep in mind that disabling these shares provide an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:


C$ D$ E$

Path and function:

Root of each partition, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.

Still, it isn't good practice to do this. You are preventing access to things that should be accessible for a domain admin. It's akin to changing the locks on your apartment so your landlord can't get in.

  • 32,352
  • 26
  • 126
  • 188
  • 2
    Hopefully the domain admin has locked the machines down properly, so the users cannot follow this misguided advice. I thought we were here to help fellow admins, and not help users make admins lives more difficult? – DanBig Apr 19 '13 at 15:39
  • If I was the Domain Admin I'd drop in a Group Policy preference to change that reg key back and start the `Server` service. Or just add a Logon script to create my own shares. – Dan Apr 19 '13 at 15:40
  • 1
    Agree with both of you...but maybe there's some screwball reason here or maybe the owner simply wants it for his PC only. – TheCleaner Apr 19 '13 at 15:41
  • I would retract my statement if the OP comes back and provides a valid reason, and simply isn't an end user. – DanBig Apr 19 '13 at 15:41
  • He's not an end user...at least from his previous question of trying to make Exchange the same way. Looks like he's working for someone that is paranoid. – TheCleaner Apr 19 '13 at 15:43

Use encrypted volumes with a 3rd party encryption utility like TrueCrypt.

This is the only way to prevent an admin from having access to data it should not have. It is sufficient against an honest admin, but it is not sufficient against a malicious admin, which could still install key-loggers or use remote access tools to view the volume content while a volume in unlocked.

As for those wondering why you would want to lock out an admin from the data, it is just BAD PRACTICE that by default, admins have access to any kind of confidential data, be it financial data, personal employee details, research data, etc. They should not.

Part of an IT administrator's job should be to make sure that no single administrator account being compromised will lead to the intruder having full access to all the company data.

Eric Grange
  • 265
  • 1
  • 3
  • 10

Is there a written company policy about who, and why any particular information is to be accessed on a networked computer, and why this particular info needs to be on a networked computer in the first place? If this is data is for this office only, why not budget a extra laptop or use an old "offline" computer that can be only accessed in the actual office? A laptop in the safe can't be easily stolen or accessed. Fires, flooding, tornadoes, hackers in China, India etc. Then connect it only when you have to.

  • 21
  • 2