Managing local share access

By 10925805 ·
I am running Windows XP Pro SP2. I need to prevent an administrative or power user from adding, modifying any local shares

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Re: Managing local share access

If you're working on a Windows XP Professional system that is connected to a network, you can share one or more of that system's folders with other computers and users on that network. Drive volumes and folders are not automatically shared for all users in Windows XP Professional. Members of the Administrators group and the Power Users group, discussed later in this chapter, are the only users who retain the rights to create shared network folders.
Managing Access to Shared Folders

Windows XP Professional implements a new feature called Simple File Sharing, which is enabled by default when the computer is stand-alone or a member of a network workgroup. Simple File Sharing is disabled when the computer is a member of a Windows domain. Simple File Sharing creates a Shared Documents folder, inside of which it creates two subfolders, Shared Pictures and Shared Music. Remote users who access a shared folder over the network always authenticate as the Guest user account when Simple File Sharing is enabled. The Properties sheet for a shared folder under Simple File Sharing configures both share permissions and NTFS permissions (if the shared folder is stored on an NTFS volume) simultaneously?you are not allowed to configure the two permissions separately. For example, you cannot make a shared folder private, under Simple File Sharing, unless the folder resides on an NTFS volume.

To turn off Simple File Sharing for a stand-alone system, or for a computer that is a member of a workgroup, perform the following steps:


Open a window in either My Computer or Windows Explorer.

Click Tools|Folder Options from the menu.

Click the View tab.

Clear the Use Simple File Sharing (Recommended) checkbox under the Advanced Settings section.

Click OK.


The Shared Documents, Shared Pictures, and Shared Music folders are not available if the Windows XP Professional computer is a member of a Windows domain.
Creating Shared Folders from My Computer or Windows Explorer

To share a folder with the network with Simple File Sharing disabled, you can use My Computer or Windows Explorer and follow these steps:


Open a window in either My Computer or Windows Explorer.

Right-click the folder that you want to share and then select Sharing And Security from the pop-up menu.

Click the Share This Folder button.

Type in a Share Name or accept the default name. Windows XP uses the actual folder name as the default Share Name.

Type in a Comment, if you desire. Comments appear in the Browse list when users search for network resources. Comments can help users to locate the proper network shares.

Specify the User Limit: Maximum Allowed or Allow This Number Of Users. Windows XP Professional permits a maximum of 10 concurrent network connections per share. Specify the Allow This Number Of Users option only if you need to limit the number of concurrent users for this share to fewer than 10.

Click OK to create the shared folder. The folder now becomes available to others on your network.


To remove a network share, right-click the shared folder and choose the Sharing And Securiy option. Click the Do Not Share This Folder option button and click OK. The folder will no longer be shared with the network.


The Security tab of an NTFS folder's properties dialog box is not displayed when Simple File Sharing is enabled and the computer is not a member of a Windows domain. To display the Security tab so that you can view and work with NTFS permissions for folders and files, open a window in My Computer or Windows Explorer and select Tools|Folder Options. Click the View tab and clear the checkbox entitled Use Simple File Sharing (Recommended).

Please post back if you have any more problems or questions.

Collapse -

I know how to share a folder

by 10925805 In reply to Re: Managing local share ...

Thanks for the trouble answering the question I asked. I think you missed the question. Let me clarify.

I have a Windows XP workstation on the network. I need to prevent specific local users from adding new shares, editing exiting shares. The user must have no rights to Sharing and Security

This user must have administrative privileges on the workstation, to run specific application that needs administrative privileges.

Collapse -

local administrator group

by rahouseholder In reply to I know how to share a fol ...

Remove the local administrator group form the shares permissions. Make sure at least one user or group has full rights to the share first. Only give access to the groups or users that need access to the share and limit their access to what they need, ie, read only... This wont stop someone who is determined to get into the share, but it will keep the average user out. If you're logged in as the local admin, you can always take ownership of the folder to reset the permissions...

Collapse -

What application requires

by IC-IT In reply to I know how to share a fol ...

administrative privileges to run? The best solution would be to determine the method to allow this application to be run as a limited or power user. Often times if you do a compare between the system prior to installation and then to the post installation state, you can then set permissions on required registry keys, dlls, folders, etc

Collapse -

If I understand correctly,

by Kenone In reply to I know how to share a fol ...

and I may well not.
You have a user, we'll call him/her User1
You don't want User1 to be able to access certain shares - Go into the share(s) and check Deny Access that trumps all.
You don't want User1 to create new shares - use group policy to block "Sharing and Security".
But if you give User1 Domain Admin or Enterprise Admin privileges it still won't work.
Did I understand? Am I barking at the wrong cat?

Collapse -

where in group policy

by 10925805 In reply to If I understand correctly ...


You are on the right path to my solution. The PC is part of a workgroup, not domain. Can I set Local Policy to prevent user 1 from setting up and managing local shares?
Where do I set this up?

Collapse -

So, your using "Simple File Sharing"?

by Kenone In reply to where in group policy

I'm not real familiar with that as I do just about everything in a domain.
Depending on the OS your using it's usually in User Configuration\ Administrative Templates\Network\*, MS keeps moving it around after that point. I'm not sure how it works anyway in a workgroup.
Here's an article with some good info;
It might be easier to use a firewall to prevent file sharing.

Collapse -

I am using "Simple File Sharing"

by 10925805 In reply to So, your using "Simple Fi ...

I am using Simple File Sharing in a workgroup non-domain environment in Windows XP SP2. I need to prevent user X with local administrative privileges from accessing shared folders in computer management, or right clicking on a file or folder and accessing sharing and security.

Collapse -

Now here is a thought

by Jacky Howe In reply to Managing local share acce ...

option 1.

< to add that you can only hope that the user doesn't get clever >

Collapse -

Only one application?

by 1bn0 In reply to Managing local share acce ...

Can you determine exactly what files it is , that they need admin access to?

We have several programs where i work that require full access to at least some files.

Some of the programs we simply grant Full Access to Everyone.

Some of the programs we grant read and modify to specific dll's in the windows folder.

NOBODY gets Local Admin access.

We have a second site under a different domain (hope to integrate soon) where the users have always had Local Admin. We are currently in the process of reconfiguring a systemwide application with the express goal of being able to run the application without local admin so we can remove that access for regular users.

Do some research.

Find out what they need access to and grant it for those files folders specifically.

Related Discussions

Related Forums