Q. How can I use Group Policy to control whether the default administrative shares are created?

A. In Windows NT system policies, you could control creation of the default administrative shares (e.g., C$, D$) by using a policy setting. However, because Microsoft changed how Windows 2000 and later apply policies, you can't use Group Policy to control default administrative share creation. One method for enabling the default administrative shares for all Win2K and later machines is to create a registry file that contains the settings to enable the default administrative shares to run from a logon script.

Another way to use Group Policy settings to control creation of default administrative shares is to create a custom Administrative Template (.adm) file, which you can copy into your Group Policy Objects (GPOs) and which enables the setting of the registry values. The following sample .adm file, which my colleague Tim Goodrich created, creates a GPO that modifies certain registry settings, which control the creation of default administrative shares.

CLASS MACHINE

CATEGORY !!DefaultShares

 POLICY !!DefaultSharesWKS
    EXPLAIN !!EnableDefaultShares_Explain
    VALUENAME "AutoShareWks"
    VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
    KEYNAME "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
 END POLICY

 POLICY !!DefaultSharesSRV    
    EXPLAIN !!EnableDefaultShares_Explain
    VALUENAME "AutoShareServer"
    VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
    KEYNAME "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
 END POLICY

END CATEGORY

\[strings\]
DefaultSharesWKS="Default Workstation Admin Shares"
DefaultSharesSRV="Default Server Admin Shares"
EnableDefaultShares_Explain="Enables default Admin shares"
DefaultShares="Default Shares"

Be aware that this .adm file modifies registry keys that are outside of regular policy areas. Thus, even when you delete this GPO by using the Microsoft Management Console (MMC) Users and Computers snap-in, the registry change will remain in effect permanently.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish