Announcement

Collapse
No announcement yet.

lock create shared folder GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • lock create shared folder GPO

    Hello everybody,

    this is the problem: I need block create shared folders in workstations (gpo).
    I have a domain and 50 workstation.

    Necesito que los usuarios no puedan crear carpetas compartidas en sus propias maquinas ni que puedan compartir las ya existentes.

    Esto lo quiero controlar con una politica a travez de gpo.
    This is what I want to check with a policy through a GPO.

    Any idea?

  • #2
    Re: lock create shared folder GPO

    Please keep it in english only.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: lock create shared folder GPO

      Only administrators can create shared folders. Are you saying that you have administrators who you don't want to be able to create shared folders? If so, why not? They shouldn't be administrators if they can't be trusted.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

      Comment


      • #4
        Re: lock create shared folder GPO

        Thanks for answering

        Only administrators can create shared folders--> No.
        everyone can create shared folders in their pc.

        I want to make a policy (GPO) which prohibits create shared folders on the computer.

        PD: pardon my English, is not the best
        Last edited by pez_pijo; 28th October 2008, 17:59.

        Comment


        • #5
          Re: lock create shared folder GPO

          Managers don't necessarily have to be administrators. In any case, I don't believe this can be restricted using a group policy. However, I've flagged this thread for a moderator to move it to the correct forum and hopefully somebody will suggest something.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

          Comment


          • #6
            Re: lock create shared folder GPO

            The best I've found so far is http://www.kreslavsky.com/2007/01/di...g-via-gpo.html which is far from a perfect solution. It prevents access to the Security and Sharing tabs when you view a folder's properties, but this is not the only way to share a folder. I would strongly recommend that a better solution would be to review which users have administrative rights and why. If they cannot be trusted not to share a folder, then they should not be administrators.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            Comment


            • #7
              Re: lock create shared folder GPO

              By modifying the registry, I saw in some places.
              I was looking for something for politics but I think I'm going to have to do it well or with any script.
              Thank you very much for answering and so fast.

              Comment


              • #8
                Re: lock create shared folder GPO

                moved to gpo
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"

                Comment


                • #9
                  Re: lock create shared folder GPO

                  Thanks Dumber
                  I congratulate those that are doing

                  I hope that will help create that policy.

                  Comment


                  • #10
                    Re: lock create shared folder GPO

                    You could restrict access to the following registry key in your GPO to see if it prevents the user from creating shares:

                    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServe r\Shares

                    Granted, this is somewhat of a hack but it might work.

                    Comment


                    • #11
                      Re: lock create shared folder GPO

                      Originally posted by joeqwerty View Post
                      You could restrict access to the following registry key in your GPO to see if it prevents the user from creating shares:

                      HKLM\SYSTEM\CurrentControlSet\Services\LanmanServe r\Shares

                      Granted, this is somewhat of a hack but it might work.

                      Do not probe, but I think it could well be modified with net shared.

                      Comment


                      • #12
                        Re: lock create shared folder GPO

                        i probe this: http://www.kreslavsky.com/2007/01/di...g-via-gpo.html but i can not go back there again.
                        What I do to appear again to share the tab?
                        Last edited by pez_pijo; 31st October 2008, 18:29.

                        Comment


                        • #13
                          Re: lock create shared folder GPO

                          EDIT - reason: Didn't read the article you linked good enough.

                          Don't delete these keys like I suggested before (gray collored text below)! sorry
                          The keys weren't added, like I thought they were - they existed already and they should stay.

                          Just reset to the original permission settings on these keys with a similar policy,
                          (or export the key, delete it from registry and merge the key again with a startup script)

                          \Rems


                          old:
                          To disable the option, try adding a minus sign (-) in front of the applicable class id.
                          from >> http://www.pctools.com/forum/showthread.php?t=9685
                          You probably have to use a startup script for this.

                          - http://social.technet.microsoft.com/...-6596a171aece/
                          - http://www.msfn.org/board/Registry-Tweaks-t27911.html


                          You could use the Registry Extension (free tool) to create, replace, update and delete registry settings from any location in the registry, that is IF you able to find a copy of that tool somewhere . Install the Group Policy Management Console on one Windows XP desktop and then install the PolicyMakerRegistryExtention on it.
                          Originally posted by Microsoft PolicyMaker Registry Extension (POLREG.MSI)


                          http://www.thincomputing.net/blog/mi...extension.html

                          Wednesday, 28 March 2007 - by Michel Roth

                          As far as I'm concerned Group Policy is the preferred method to control the configuration of Windows computers and users (registry). This works great, except for all those custom registry keys that you need to configure for those applications that aren't made by Microsoft and don't have a ADM template for it. In these cases you have to make the ADM templates yourself. Although it isn't that hard like I described in this article I wrote, it can be kind of a hassle.

                          One company that was all over Group Policy and made products to fix the shortcomings of Group Policy, was DesktopStandard. Microsoft however acquired DesktopStandard last year and now they've announced that one of the coolest products, the PolicyMaker Registry Extension, will be incorporated in all future versions of Windows. PolicyMaker Registry Extension is an extremely cool tool which makes it a lot easier to incorporate custom registry settings in Group Policy and allows you use advanced filters op GPOs like IP addresses, hardware specs, file comparisons and lots of other items.

                          Well in stead of going on and on about it, you should really read this article by Aaron Parker in which he explains exactly what PolicyMaker Registry Extension can do. Recommended reading!
                          Last edited by Rems; 1st November 2008, 19:30.

                          This posting is provided "AS IS" with no warranties, and confers no rights.

                          __________________

                          ** Remember to give credit where credit's due **
                          and leave Reputation Points for meaningful posts

                          Comment


                          • #14
                            Re: lock create shared folder GPO

                            i still search a good politics (GPO) for unlock the creation folders in yours workstations.

                            Comment


                            • #15
                              Re: lock create shared folder GPO

                              34 day bump... impressive

                              Originally posted by pez_pijo View Post
                              unlock the creation folders in yours workstations.
                              What does this mean?

                              If you are referring to your original question, which was regarding preventing users from sharing folders, then as previously stated, by default only administrators can share folders. If you have administrators who can't be trusted, then they should not be administrators.
                              Gareth Howells

                              BSc (Hons), MBCS, MCP, MCDST, ICCE

                              Any advice is given in good faith and without warranty.

                              Please give reputation points if somebody has helped you.

                              "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                              "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                              Comment

                              Working...
                              X