Microsoft KB Archive/823288

= How to prevent members of the Power Users group from creating network shares on Windows 2000 or later Windows operating systems =

Article ID: 823288

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
This article describes the supported method to prevent members of the Power Users group from creating or managing network shares.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

For Microsoft Windows Server 2003-based computers, Microsoft Windows XP-based computers, and Microsoft Windows 2000-based computers, you can use the Tweak UI version 2.10 tool or later versions to prevent members of the Power Users group from creating or managing network shares. The Tweak UI tool only runs on Windows Server 2003-based computers and Windows XP Service Pack 1-based computers. The tool lets you change the various security settings without directly modifying the registry.

You can download the Tweak UI tool by visiting the following Microsoft Web site:

http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Note You can only install the Tweak UI version 2.10 tool on Windows Server 2003-based computers or on Windows XP Service Pack 1-based computers. You cannot install the tool on Windows 2000-based computers. However, you can make the security changes that you want on a Windows Server 2003-based computer or on a Windows XP-based computer. To do this, export the changed settings to a .reg file and then import the new registry settings on a Windows 2000-based computer.

To prevent members of the Power Users group from creating network shares on Windows Server 2003-based computers, Windows XP-based computers, or Windows 2000-based computers, follow these steps:  Log on to a Windows Server 2003-based computer or a Windows XP-based computer by using an account that has administrative permissions. When you use the Tweak UI tool to prevent members of the Power Users group from creating network shares on Windows Server 2003-based computers, Windows XP-based computers, and Windows 2000-based computers, the following registry subkey is modified:

We recommend that you export up the following subkey before you use the Tweak UI tool:

To do this, follow these steps:  Click Start, click Run, type regedit, and then click OK. In Registry Editor, right-click the following registry subkey, and then click Export:

 

 In the Export Registry File dialog box, type a descriptive name in the File name box, specify a location to save the exported .reg file, and then click Save.  Double-click the TweakUiPowertoySetup.exe file, and then follow the steps in the wizard.</li> After you install the Tweak UI tool, click Start, point to All Programs, click Powertoys for Windows XP, and then click Tweak UI.</li> In the Tweak UI dialog box, click Access Control.</li> In the right-pane, click Manage file shares in the list under Access Control, and then click Change.</li> In the Manage file shares dialog box, click Power Users under Group or user names.</li> Under Allow, click to clear the Change Share Info check box. Click OK two times.</li> After you run the Tweak UI tool, you can export the changed registry settings and then import the new settings to other Windows Server 2003-based computers, Windows XP-based computers, and Windows 2000-based computers. To do this, follow these steps:  On the same Windows Server 2003-based computer or Windows XP-based computer where you ran the Tweak UI tool, click Start, click Run, type regedit, and then click OK.</li> In Registry Editor, right-click the following registry subkey, and then click Export:

 

</li> In the Export Registry File dialog box, type a descriptive name in the File name box. Specify a location that can be accessed by all the computers that you want to modify. For example, specify a shared network folder. Click Save.</li> Locate and then double-click the exported .reg file that contains the security change.</li> Click Yes when you are prompted with the following message:

Are you sure you want to add the information in .reg to the registry?

</li> Click OK when you are prompted with the following message:

Information in .reg has been successfully entered into the registry.

</li> Repeat step d through step g on each computer where you want to prevent the Power Users group from creating network shares.

</li></ol> </li></ol>

Windows 2000
To prevent members of the Power Users group from creating or managing network shares in a Windows 2000-only environment, follow these steps:  <li> Copy the following text: <pre class="fixed_text">Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity] &quot;SrvsvcShareFileInfo&quot;=hex:01,00,04,80,88,00,00,00,94,00,00,00,00,00,00,00,14,\ 00,00,00,02,00,74,00,04,00,00,00,00,00,1c,00,13,00,0f,00,01,02,00,00,00,00,\ 00,05,20,00,00,00,20,02,00,00,00,00,00,00,00,00,1c,00,13,00,0f,00,01,02,00,\ 00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,00,00,00,00,1c,00,01,00,00,00,\ 01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,00,00,00,00,00,00,18,00,01,\ 00,00,00,01,01,00,00,00,00,00,05,0b,00,00,00,23,02,00,00,01,01,00,00,00,00,\ 00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00 </li> <li>Start Notepad.</li> <li>On the Edit menu, click Paste.</li> <li>On the File menu, click Save As.</li> <li>In the Save in box, click Desktop.</li> <li>In the File name box, type DefaultSecurity.reg .</li> <li>In the Save as type box, click Text Documents (*.txt).</li> <li>Click Save.</li> <li>Exit Notepad.</li> <li>On your desktop, double-click DefaultSecurity.reg.</li> <li>Click Yes when you are prompted with the following message:

Are you sure you want to add the information in D:\DOCUME~1\ \Desktop\DEFAUL~1.REG to the registry?

</li> <li>Click OK when you are prompted with the following message:

Information in D:\DOCUME~1\ \Desktop\DEFAUL~1.REG has been successfully entered into the registry.

</li></ol>

Additional query words: tweakui

Keywords: kbinfo KB823288

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.