Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to prevent members of the Power Users group from creating network shares on Windows 2000 or later Windows operating systems


View products that this article applies to.

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows registry

↑ Back to the top


Summary

This article describes the supported method to prevent members of the Power Users group from creating or managing network shares.

↑ Back to the top


More information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

For Microsoft Windows Server 2003-based computers, Microsoft Windows XP-based computers, and Microsoft Windows 2000-based computers, you can use the Tweak UI version 2.10 tool or later versions to prevent members of the Power Users group from creating or managing network shares. The Tweak UI tool only runs on Windows Server 2003-based computers and Windows XP Service Pack 1-based computers. The tool lets you change the various security settings without directly modifying the registry.

You can download the Tweak UI tool by visiting the following Microsoft Web site:Note You can only install the Tweak UI version 2.10 tool on Windows Server 2003-based computers or on Windows XP Service Pack 1-based computers. You cannot install the tool on Windows 2000-based computers. However, you can make the security changes that you want on a Windows Server 2003-based computer or on a Windows XP-based computer. To do this, export the changed settings to a .reg file and then import the new registry settings on a Windows 2000-based computer.

To prevent members of the Power Users group from creating network shares on Windows Server 2003-based computers, Windows XP-based computers, or Windows 2000-based computers, follow these steps:
  1. Log on to a Windows Server 2003-based computer or a Windows XP-based computer by using an account that has administrative permissions.
  2. When you use the Tweak UI tool to prevent members of the Power Users group from creating network shares on Windows Server 2003-based computers, Windows XP-based computers, and Windows 2000-based computers, the following registry subkey is modified:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
    We recommend that you export up the following subkey before you use the Tweak UI tool:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
    To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, right-click the following registry subkey, and then click Export:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
    3. In the Export Registry File dialog box, type a descriptive name in the File name box, specify a location to save the exported .reg file, and then click Save.
  3. Double-click the TweakUiPowertoySetup.exe file, and then follow the steps in the wizard.
  4. After you install the Tweak UI tool, click Start, point to All Programs, click Powertoys for Windows XP, and then click Tweak UI.
  5. In the Tweak UI dialog box, click Access Control.
  6. In the right-pane, click Manage file shares in the list under Access Control, and then click Change.
  7. In the Manage file shares dialog box, click Power Users under Group or user names.
  8. Under Allow, click to clear the Change Share Info check box. Click OK two times.
  9. After you run the Tweak UI tool, you can export the changed registry settings and then import the new settings to other Windows Server 2003-based computers, Windows XP-based computers, and Windows 2000-based computers. To do this, follow these steps:
    1. On the same Windows Server 2003-based computer or Windows XP-based computer where you ran the Tweak UI tool, click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, right-click the following registry subkey, and then click Export:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
    3. In the Export Registry File dialog box, type a descriptive name in the File name box. Specify a location that can be accessed by all the computers that you want to modify. For example, specify a shared network folder. Click Save.
    4. Locate and then double-click the exported .reg file that contains the security change.
    5. Click Yes when you are prompted with the following message:
      Are you sure you want to add the information in FileName.reg to the registry?
    6. Click OK when you are prompted with the following message:
      Information in FileName.reg has been successfully entered into the registry.
    7. Repeat step d through step g on each computer where you want to prevent the Power Users group from creating network shares.

Windows 2000

To prevent members of the Power Users group from creating or managing network shares in a Windows 2000-only environment, follow these steps:
  1. Copy the following text:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
    "SrvsvcShareFileInfo"=hex:01,00,04,80,88,00,00,00,94,00,00,00,00,00,00,00,14,\
      00,00,00,02,00,74,00,04,00,00,00,00,00,1c,00,13,00,0f,00,01,02,00,00,00,00,\
      00,05,20,00,00,00,20,02,00,00,00,00,00,00,00,00,1c,00,13,00,0f,00,01,02,00,\
      00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,00,00,00,00,1c,00,01,00,00,00,\
      01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,00,00,00,00,00,00,18,00,01,\
      00,00,00,01,01,00,00,00,00,00,05,0b,00,00,00,23,02,00,00,01,01,00,00,00,00,\
      00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
  2. Start Notepad.
  3. On the Edit menu, click Paste.
  4. On the File menu, click Save As.
  5. In the Save in box, click Desktop.
  6. In the File name box, type DefaultSecurity.reg.
  7. In the Save as type box, click Text Documents (*.txt).
  8. Click Save.
  9. Exit Notepad.
  10. On your desktop, double-click DefaultSecurity.reg.
  11. Click Yes when you are prompted with the following message:
    Are you sure you want to add the information in D:\DOCUME~1\<username>\Desktop\DEFAUL~1.REG to the registry?
  12. Click OK when you are prompted with the following message:
    Information in D:\DOCUME~1\<username>\Desktop\DEFAUL~1.REG has been successfully entered into the registry.

↑ Back to the top


Keywords: KB823288, kbinfo

↑ Back to the top

Article Info
Article ID : 823288
Revision : 6
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 470