Monday, January 11, 2010

How To Restrict The Members Of Power User Group From Creating Or Managing Network Shares?

The article we have given contains the steps to modify the registry. Therefore, before doing all of these steps ensure that you have backup the registry. Then be sure that you know to restore the registry if any problem occurs. If you want to know more about restoring registry visit Microsoft website.
Moreover, this article is about the supported method to prevent the members of Power Users group from creating or managing network shares.
Important warning:
If you modify the registry incorrectly, some serious problems might occur and these issues might require reinstalling the Operating System. At the same time, Microsoft cannot guarantee that these problems can be fixed.

You can use Tweak UI version 2.10 or later version tool in order to prevent the members of the Power User group from creating or managing network shares. This tool is suitable for Microsoft Windows Server 2003, Microsoft Windows XP and Microsoft Windows 2000 Operating Systems. The tool is able to change the various security settings without any need of modifying the registry. You can download this tool here.


Important Note:
You can’t install this tool in Windows 2000 Operating System based Computer, whereas you can install it in Windows Server 2003 Operating system based computers and Windows XP service pack 1 based computers. If you still want to use this in Windows 2000 based computers, you can export the changed settings to a “.reg” files and then import the new registry settings on a Windows 2000 based computer.
You can follow the following steps in order to prevent the members from creating and sharing points in Windows 2003, Windows 2000 and Windows XP based computers.

1. First log on to a Windows Server 2003 based Computer or a Windows XP based computer using an administrator account.
2. If you are going to prevent the members of the Power Users group from creating network shares on Windows 2003, Windows 2000 and Windows XP based computers using Tweak UI tool, the following registry key is required to modify.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
At the point of this time, we recommend you to export up the following sub-key before you use the Tweak UI tool.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
Follow these steps to export up the above keys.
a. Click on Start Menu and choose Run.
b. In the Run prompt, type regedit and then click on OK.
c. Now, in the Registry Editor, right-click the following registry sub-key and then click Export:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
d. After that, in the “Export Registry File” dialog box, type a descriptive name in the File name box and specify a location to save the exported “.reg” file and then click on Save.
3. Now, double click on the Tweak UI Powertoy Setup.exe file and follow the onscreen steps.
4. Once you finish the installation of Tweak UI tool, click on the Start Menu, All Programs and choose Powertoys for Windows XP, and then click Tweak UI.
5. After that, in the Tweak UI dialog box, click Access Control.
6. Click “Manage file shares” in the list under “Access Control”, and then click Change in the right-pane.
7. Now, in the “Manage file shares” dialog box, click “Power Users” under “Group or user names”.
8. Uncheck the “Change Share Info” check box under “Allow” and click OK twice.
9. After you run the Tweak UI took, you can easily export the changed registry settings and then import the new settings to other Windows Server 2003, Windows XP and Windows 2000 based computers. If you want to do this follow the following steps.
. Go to the registry using the steps given in the above steps a and b.
a. In Registry Editor windows, right-click the following registry sub-key and click Export:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
b. Now, in the “Export Registry File” dialog box, type a descriptive name in the “File name box and specify a location to be accessed by all the computers that you want to modify. For an example, specify a shared network folder. Click on Save.
c. Now, locate and double click on the exported “.reg” file that has the security change.
d. After that, click Yes when you are asked with the following message.
Are you sure you want to add the information in FileName.reg to the registry?
e. Now, click OK if you are prompted with the following message:
Information in FileName.reg has been successfully entered into the registry.
f. Now, repeat the steps on each computer where you want to prevent the members from creating network shares. Windows 2000

The steps given below are used to prevent the members of the Power Users Group from creating or managing network shares in a Windows 2000 only environment.
Copy the whole text given below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
"SrvsvcShareFileInfo"=hex:01,00,04,80,88,00,00,00,94,00,00,00,00,00,00,00,14,\
00,00,00,02,00,74,00,04,00,00,00,00,00,1c,00,13,00,0f,00,01,02,00,00,00,00,\
00,05,20,00,00,00,20,02,00,00,00,00,00,00,00,00,1c,00,13,00,0f,00,01,02,00,\
00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,00,00,00,00,1c,00,01,00,00,00,\
01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,00,00,00,00,00,00,18,00,01,\
00,00,00,01,01,00,00,00,00,00,05,0b,00,00,00,23,02,00,00,01,01,00,00,00,00,\
00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

1. Now, open a Notepad and paste in it.
2. Save the file on your Desktop with the name DefaultSecurity.reg.
3. The file should be in Text Documents (*.txt) format. Choose it in Save as type.
4. Exit Notepad.
5. After that, on your desktop, double-click DefaultSecurity.reg.
6. Now, click Yes if you are prompted with the following message:
Are you sure you want to add the information in D:\DOCUME~1\\Desktop\DEFAUL~1.REG to the registry?
7. Than again click OK if you are prompted with the following message:
Information in D:\DOCUME~1\\Desktop\DEFAUL~1.REG has been successfully entered into the registry.
The steps given above are applied to
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Web Edition
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise x64 Edition
• Microsoft Windows Server 2003, 64-Bit Datacenter Edition
• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional
• Microsoft Windows 2000 Professional Edition
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server

Taken