How to allow users to manage file and print shares without granting other advanced privileges
By default, the ability to manage file and print shares is granted only to members of the Administrators, Power Users, and Server Operators groups. Because members of those groups have many other system-level privileges, it is not recommended to make users members of those groups for the sole purpose of managing shares. However, Windows provides no APIs, group policy setting, or user interface to change the default permissions. This post describes how to grant users the ability to manage shares through Windows Explorer or the “NET SHARE” command line, without granting other advanced privileges.
File and print sharing is controlled by the Server (lanmanserver) service. Permissions are specified as access control lists (ACLs), stored as binary security descriptors in the registry under the “HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity” key (the values relevant here are SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo). Windows provides no API, Group Policy setting, or user interface to edit these ACLs. However, an unsupported utility, TweakUI, does provide such a user interface.
Security note: Sharing a folder does not allow bypassing of NTFS permissions in the folder. For example, if a share grants “Full Control” to “UserGroupX”, but the NTFS permissions on the folder grant only “Read” access, members of “UserGroupX” accessing the folder through the share will have only “Read” access.
How to change the setting for a single computer
TweakUI is an unsupported utility available for download from microsoft.com. These instructions apply to Version 2.10, which is the current version available at the time of this writing.
To grant a user or group the ability to manage file shares on a single workstation:
- Run TweakUI with administrator privileges, and click on “Access Control” in the left pane. The “Access Control” item does not appear if you are not an administrator.
“Manage file/print server connections” – Enumerate Connections
- Select the “Manage file/print server connections” operation in the “Access Control” dropdown in the right pane.
- Click the “Change” button. A dialog with a “Security” tab will appear. Click the “Add…” button.
- In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for. (If you want to grant this permission to whoever is logged on to the computer, type the name “INTERACTIVE”). Click OK to close the “Select Users, Computers or Groups” dialog.
- Select the newly added name, check the “Allow” checkbox for “Enumerate Connections”, and click OK.
“Manage file shares” – Full Control
- In the “Access Control” dropdown, select the “Manage file shares” operation.
- Click the “Change” button. A dialog with a “Security” tab will appear. Click the “Add…” button.
- In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for. Click OK to close the “Select Users, Computers or Groups” dialog.
- Select the newly added name, check the “Allow” checkbox for “Full Control”, and click OK.
“Manage print shares” – Full Control
- In the “Access Control” dropdown, select the “Manage print shares” operation.
- Click the “Change” button. A dialog with a “Security” tab will appear. Click the “Add…” button.
- In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for. Click OK to close the “Select Users, Computers or Groups” dialog.
- Select the newly added name, check the “Allow” checkbox for “Full Control”, and click OK.
- Click the “OK” button in the main TweakUI dialog.
- Reboot the computer.
Note that changes to the “Manage file and printer sharing” operation are not needed and not recommended.
For example, to grant the interactively logged-on user the ability to manage file and printer shares on the local computer, grant permissions to INTERACTIVE.
Additional considerations
There are certain scenarios in which additional reboots may be required, and in which settings may need to be reapplied.
The system defaults for the DefaultSecurity values in the registry depend on the RestrictAnonymous value in HKLM\System\CurrentControlSet\Control\Lsa. The RestrictAnonymous value appears in security policy as “Network access: Do not allow anonymous enumeration of SAM accounts and shares”. Whenever RestrictAnonymous is modified (e.g., through a Group Policy change), all the lanmanserver DefaultSecurity values get set to system defaults the next time the Server service is restarted (or at next reboot). After those defaults have been reset, custom settings will need to be reapplied and the computer rebooted again in order for custom permissions to take effect.
To remove custom permissions and return to system defaults, delete the Srvsvc* values from the DefaultSecurity key and restart the Server service. Explorer will need to be restarted in order for the user interface to reflect the changes. Logging off or restarting the computer will accomplish this.
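The three-step TweakUI procedure above and the "settings may need to be reapplied" note both come down to the same three Srvsvc* binary values. The following PowerShell is an added example, not code from the original post or from Microsoft, for machines where TweakUI is not available (the comments below ask about Windows 2000, XP Embedded and Server 2008 R2). It decodes the values with the .NET RawSecurityDescriptor class, lists the ACEs so you can verify what was granted, saves a baseline, detects the reset that a RestrictAnonymous change causes, and re-applies the baseline. Assumptions (not from the post): PowerShell 3.0 or later, run elevated; and that the access mask the BUILTIN\Administrators ACE already carries in a value is what TweakUI's "Full Control" grants, so that mask is copied rather than invented.

```powershell
# Added example, not code from the original post or from Microsoft. Inspects, backs up,
# grants and re-applies the Server service's DefaultSecurity descriptors from PowerShell.
# Run elevated; PowerShell 3.0 or later. Assumption: the access mask that
# BUILTIN\Administrators already holds in a value is what TweakUI's "Full Control" means;
# verify the result in TweakUI before relying on it.

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity'
$ValueNames = 'SrvsvcConnection', 'SrvsvcShareFileInfo', 'SrvsvcSharePrintInfo'

function Get-SrvsvcBytes {
    # Raw REG_BINARY content of one value, or $null if it is absent (built-in defaults apply).
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [byte[]]$item.$Name } else { $null }
}

function Get-SrvsvcDescriptor {
    # Decodes a value into a RawSecurityDescriptor so its DACL can be read or edited.
    param([Parameter(Mandatory)][string]$Name)
    $bytes = Get-SrvsvcBytes -Name $Name
    if (-not $bytes) { throw "$Name is not set; the Server service is using built-in defaults" }
    New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
}

function Show-SrvsvcAces {
    # Lists every DACL entry of the three values with the account resolved, so you can
    # confirm what TweakUI (or Grant-SrvsvcAccess) wrote and spot machine-local accounts
    # that will not exist on other computers before exporting the values elsewhere.
    foreach ($name in $ValueNames) {
        $sd = Get-SrvsvcDescriptor -Name $name
        foreach ($ace in $sd.DiscretionaryAcl) {
            $account = $ace.SecurityIdentifier.Value
            try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Value = $name; Type = $ace.AceType; Account = $account; Mask = ('0x{0:X8}' -f $ace.AccessMask) }
        }
    }
}

function Grant-SrvsvcAccess {
    # Appends an Allow ACE for $Account ('INTERACTIVE', 'DOMAIN\ShareAdmins', ...) to $Name,
    # copying the access mask of the existing BUILTIN\Administrators (S-1-5-32-544) Allow ACE.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Account)
    $sd  = Get-SrvsvcDescriptor -Name $Name
    $acl = $sd.DiscretionaryAcl
    if (-not $acl) { throw "$Name has a NULL DACL; refusing to edit it" }
    $sid    = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    if ($acl | Where-Object { $_.SecurityIdentifier -eq $sid }) { Write-Warning "$Account already listed in $Name"; return }
    $template = $acl | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $admins } | Select-Object -First 1
    if (-not $template) { throw "No Administrators Allow ACE in $Name to copy the mask from" }
    $ace = New-Object System.Security.AccessControl.CommonAce -ArgumentList @(
        [System.Security.AccessControl.AceFlags]::None, [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $template.AccessMask, $sid, $false, $null)
    $acl.InsertAce($acl.Count, $ace)   # append, so any Deny ACEs stay ahead of the Allow ACEs
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $bytes -Type Binary
}

function Backup-SrvsvcDescriptors {
    # Saves the three values so they can be re-applied after a RestrictAnonymous change
    # resets them, or imported on other machines (only domain and built-in accounts port).
    param([Parameter(Mandatory)][string]$Path)
    $saved = @{}
    foreach ($name in $ValueNames) { $saved[$name] = Get-SrvsvcBytes -Name $name }
    $saved | Export-Clixml -Path $Path
}

function Test-SrvsvcDescriptors {
    # Returns the names of values whose live bytes no longer match the baseline file.
    param([Parameter(Mandatory)][string]$Path)
    $saved = Import-Clixml -Path $Path
    foreach ($name in $ValueNames) {
        $live = Get-SrvsvcBytes -Name $name
        $want = [byte[]]$saved[$name]
        if (-not $live -or -not $want -or [Convert]::ToBase64String($live) -ne [Convert]::ToBase64String($want)) { $name }
    }
}

function Restore-SrvsvcDescriptors {
    # Writes the baseline back and restarts the Server service so it takes effect.
    param([Parameter(Mandatory)][string]$Path)
    $saved = Import-Clixml -Path $Path
    foreach ($name in $ValueNames) {
        if ($saved[$name]) { Set-ItemProperty -Path $KeyPath -Name $name -Value ([byte[]]$saved[$name]) -Type Binary }
    }
    Restart-Service -Name LanmanServer -Force
}

# Usage (elevated), mirroring the two "Full Control" TweakUI steps for the logged-on user:
#   'SrvsvcShareFileInfo', 'SrvsvcSharePrintInfo' | ForEach-Object { Grant-SrvsvcAccess -Name $_ -Account 'INTERACTIVE' }
#   Show-SrvsvcAces
#   Backup-SrvsvcDescriptors -Path C:\Admin\srvsvc-baseline.xml
#   Restart-Service LanmanServer -Force      # or reboot, as the post says
#   Test-SrvsvcDescriptors -Path C:\Admin\srvsvc-baseline.xml   # non-empty means the values were reset
```

Two caveats. Grant-SrvsvcAccess copies the full Administrators mask, which for SrvsvcConnection is more than the single "Enumerate Connections" right the procedure above grants; use TweakUI for that value, or accept the broader grant knowingly. And the check that matters is the one from the post: after the Server service restart (or reboot), log on as a standard user and run `net share`, then `net share testshare=C:\SomeFolder` followed by `net share testshare /delete`; if the create fails, run Show-SrvsvcAces and confirm the account appears in both SrvsvcShareFileInfo and SrvsvcSharePrintInfo, and that NTFS permissions on the folder are not what is denying the operation.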
The download location for TweakUI is https://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx. (Note that there are two versions, including one for Itanium-based systems.)
Comments
Anonymous
April 18, 2005
Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.
Anonymous
April 28, 2005
How to allow users to manage file and print shares without granting other advanced privileges
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/409105.aspx ...
Anonymous
June 10, 2005
Get your friends and family, all those folks that come to you for computer help once their machines have...
Anonymous
July 21, 2005
Do you have any advice about and/or a way to allow standard users to add fonts?
Anonymous
September 06, 2005
Hi Aaron,
Currently our users need admin rights when they install a Palm-like device. The need is to sync up with Outlook etc.
Do you have any suggestions for this?
Thanks.
Anonymous
September 28, 2005
Palm and admin:
http://kb.palm.com/SRVS/CGI-BIN/WEBCGI.EXE/,/?St=38,E=0000000000160050878,K=7811,Sxi=17,Case=obj(1465)
Anonymous
October 04, 2005
It's nice that this can be done from TweakUI, but this doesn't help a lot in a managed or (in my case) XPe environment. Is there another way to do this?
Anonymous
October 27, 2005
Nice work!
I wonder if there is any way that I can allow my users to install a local printer without belonging to the Power Users group? Thanks
Anonymous
December 01, 2005
The comment has been removed
Anonymous
December 13, 2005
John, take a look at this utility. It takes advantage of the fact that Windows 2000 introduced per-user registration data - HKCR is now a merged view of HKLM\Software\Classes and HKCU\Software\Classes (the latter is user-writable).
RegSvrEx - An Enhanced COM Server Registration Utility
http://www.codeproject.com/w2k/regsvrex.asp
Anonymous
December 22, 2005
I'm stuck in a Windows 2000 environment and can't use that version of TweakUI. Is there another easy way of doing this?
Anonymous
December 22, 2005
Ryan, TEST THIS FIRST, but you may be able to build the ACLs you want on a Windows XP computer, then export those values from the registry and import them to the Windows 2000 computer. The three values you care about are: SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo.
Anonymous
December 27, 2005
Hi,
I would like to know why changes to the “Manage file and printer sharing” operation are not needed and not recommended? And is there any way to invoke these security windows, such as the “Manage file/print server connections” security window and so forth, directly and without using TweakUI?
Thanks
Anonymous
February 01, 2006
The comment has been removed
Anonymous
February 01, 2006
Steve: do you have any remote access (e.g., Remote Desktop, Remote Assistance) to the affected computer? Can you use RunAs to run the Malicious Software Removal Tool? BTW, once the MSRT has been run once as admin (and the EULA accepted), if you've enabled Automatic Updates MSRT will run automatically every month.
http://support.microsoft.com/Default.aspx?kbid=890830
Anonymous
September 17, 2006
Hi, Mr Margosis
I've changed the setting by using TweakUI, but it didn't work even after I rebooted my computer. What happened?
Anonymous
September 23, 2006
Hi,
I've got the same problem as Taylor. I set "Manage file shares" to FULL CONTROL for the local group INTERACTIVE, but no account in the local group USER can read, change or create file shares.
OS: Windows XP SP2 incl. all patches
Review the instructions on this post carefully -- there are three different items you need to change the access control for. -- Aaron
Anonymous
September 28, 2006
Hi,
Are there any other ways to allow normal users to manage shares in addition to TweakUI?
TweakUI offers the only UI that I know of to edit the permissions. Without that you're manipulating binary values in the registry. Now, once you have established permissions on one system with TweakUI, you can export the relevant registry values (SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo) from that system and import them onto other systems. If you do this, make sure that the accounts being granted access are either domain accounts or built-in accounts like "INTERACTIVE" and not local accounts that won't exist on the other systems. HTH -- Aaron
Anonymous
October 02, 2006
Hi, Is there a way to incorporate "RUNAS.EXE" in logon scripts to run a program as an administrator without user intervention such as the password? I am using rundll32 in logon scripts to install printers on the remote machine. In order for the ordinary user to install printers, I used gpedit.msc to allow "Power Users" to "load and unload device drivers". However, I am having problems setting the printer settings (i.e. page setup, paper size, etc.). I have saved the settings of the printer on a network drive using the command:
rundll32 printui.dll,PrintUIEntry /Ss /n <name of printer> /a <file where to save the settings>
and then tried to restore the settings using the following:
rundll32 printui.dll,PrintUIEntry /Sr /n <name of printer> /a <file where to save the settings>
However, it is telling me that the "Operation is not permitted" if I log on as a Power User. But if I use an account with Administrator rights, there is no problem. I hope to solve this using the "RUNAS.EXE" utility. Thanks!
RUNAS.EXE always requires the password to be entered at the console. -- Aaron
Anonymous
January 22, 2007
Hi, Does anyone know a way to invoke a command to create and share a folder in Windows XP? I am not sure if the rundll32 will do all the trick. Thanks, Jay jaydiep@gmail.com
Jay: Did you try NET SHARE from a command prompt? HTH -- Aaron
Anonymous
April 24, 2007
When I try to install TweakUIPowerToySetup.exe, I get an error: "Entry Point Not Found - The procedure entry point GetDllDirectoryW could not be located in the dynamic link library KERNEL32.DLL" Is this supposed to be installable on Win2K? I tried the earlier version of TweakUI, but it doesn't offer any of the screens for privileges described above.
Pat: Each version of TweakUI is tightly coupled to the version of Windows for which it was made. The XP version will not be usable on Windows 2000; and unfortunately, the Windows 2000 version did not include the extra ACL editing capability that the XP version allowed. There may be ways to get through this if you don't mind some risky registry editing... -- Aaron
Anonymous
August 02, 2007
Hi, My machine is Windows XP Home Edition, SP6. I cannot get the option "Manage file/print server connections” in the “Access Control” dropdown in the right pane. I get 2 options, namely "connect to registry remotely" and "access performance counter", on the TweakUI screen. Could you help? Thanks, Shrutika
Anonymous
April 03, 2008
Does anyone know of a way to install local printers as a restricted user without granting Power User or Administrator in XP SP2? Thanks in advance.
Anonymous
September 15, 2008
I do not want to install TweakUI on every server; instead I would rather just make the changes that TweakUI would do, and manually set them on my servers. I have a script with which I have users create shares for new hires. They need rights to create shares on the servers across the US, but I don't want them to have rights to do anything else but create a share on those few servers.
Anonymous
November 24, 2008
Hi Aaron, I was very happy when I found your solution for this problem. But it must be that I'm doing something wrong. I implemented the three changes that you explain using TweakUI, but I still cannot add any printers. When I use the Add Printer Wizard (or Print Management) the 'Local Printer attached to this computer' is grayed out. When I add my user to the Power Users it works. Can you help me out please? Regards, John
[Aaron Margosis] This blog post is about file and printer sharing, not about installing printers. Installing local printers remains an admin task for the time being.
Anonymous
November 24, 2008
Aaron, Thanks for the reply. "For the time being" is an interesting quote to take away. The task of adding drivers, ports and printers and sharing them is trivial and gets executed by helpdesk people or even key users in a site. Now we need to give them at least Power Users membership to enable them to do this task. This creates a risk. Is it possible to figure out what individual rights I need to give a user to be able to give him the same possibilities? This would mean using tools like Process Monitor and Process Explorer and the like. Any quick pointers? Thanks, John
Anonymous
June 24, 2009
Hi Aaron, I've configured the three registry values SrvsvcConnection, SrvsvcShareFileInfo and SrvsvcSharePrintInfo using the TweakUI tool. The idea is to add a local built-in group (Print Operators?) or a domain group. Adding those using the UI is easy enough, and the settings are verified as saved. However, when creating new printer objects, the configured group does not even appear on the new object. The system has of course been rebooted. Currently we use a script to change permissions on new printer objects, but changing the default permissions would be a much better solution. Thank you.
Anonymous
October 15, 2012
How about Windows 2008 R2 64-bit? Can't find any version of TweakUI that works.