How can we disable the automatic administrative share $ by Group Policy

  • Question

  • Dear All

     

    I would like to stop the auto share of drives C$, D$ every time they log in to their machine, controlled by using Group Policy.

     

    thank you

    Kwan

    Friday, July 13, 2007 9:19 AM

Answers

  • You could on one machine disable them as stated below, export the key and then in a GPO import it.

    Disable the default shares
    Windows NT and Windows 2000 open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways. One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted. The other way is via the Registry by editing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers, edit AutoShareServer with a REG_DWORD value of 0. For Workstations, edit AutoShareWks. Keep in mind that disabling these shares provides an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:

    Share: Path and Function
    C$ D$ E$: Root of each partition. For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.
    ADMIN$: %SYSTEMROOT%. This share is used by the system during remote administration of a computer. The path of this resource is always the path to the Windows 2000 system root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
    FAX$: On Windows 2000 Server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
    IPC$: Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources.
    NetLogon: This share is used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests.
    PRINT$: %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS. Used during remote administration of printers.
    Friday, July 13, 2007 9:34 AM
  •  mufc wrote:

    How to import to gpo


    Thank you so much.

     

    You can refer to the following article: http://www.windowsitpro.com/Articles/ArticleID/44621/44621.html?Ad=1

    Sunday, July 15, 2007 6:00 AM

All replies

  • How to import to gpo


    Thank you so much.

    Friday, July 13, 2007 9:58 AM
  • Dear Sir

    I changed both keys on the server, then from Group Policy in Computer Setting >> Preferences >> Windows Setting >> Security Setting > Registry >> New >> Registry Wizard

    I added both keys, "AutoShareServer" and "AutoShareWks", with value 0, but when I applied it on the OU it had no effect and the hidden shares still show C$ as enabled. If someone has successfully implemented this, please share it.

    My network platform is w2k8 Standard Edition 64 bits

    Thanks


    Admin

    • Proposed as answer by EL-Beghdadi Tuesday, December 18, 2012 9:11 AM
    Tuesday, September 25, 2012 9:02 AM
  • I then restarted the Server service, et voilà!

    Before:

    C$           C:\                             Partage par défaut
    E$           E:\                             Partage par défaut
    G$           G:\                             Partage par défaut
    H$           H:\                             Partage par défaut
    IPC$                                         IPC distant
    print$       C:\Windows\system32\spool\drivers      Pilotes d'imprimantes
    ADMIN$    C:\Windows                       Administration à distance

    La commande s'est terminée correctement.

    After:

    print$       C:\Windows\system32\spool\drivers            Pilotes d'imprimantes
    IPC$                                         IPC distant

    How about these remaining ones? Are they harmful?

    Tuesday, December 18, 2012 9:22 AM
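
As an added example (not code from any poster in this thread), this PowerShell script reads the two registry values named in the answer, can set them to 0 locally, and lists which administrative disk shares still exist, which is the check to run after the Server service restart described above. The function names are hypothetical, and the script assumes an elevated session; it uses the Win32_Share type code 2147483648 (Disk Drive Admin) to separate C$/ADMIN$-style shares from IPC$ and print$, which remain in the "After" listing.

```powershell
# Added example: audit (and optionally set) the two values named in the thread.
# Assumption: run in an elevated PowerShell 3.0+ session on the machine being checked.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$names = 'AutoShareServer', 'AutoShareWks'

function Get-AutoShareState {
    foreach ($n in $names) {
        $item = Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name  = $n
            # A missing value means the default applies and the shares are created.
            Value = if ($null -ne $item) { $item.$n } else { '(not set)' }
        }
    }
}

function Disable-AutoShare {
    foreach ($n in $names) {
        # REG_DWORD 0, as described in the answer.
        New-ItemProperty -Path $key -Name $n -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Existing shares stay until the Server service (or the machine) restarts.
    # Services that depend on Server are stopped with it; confirm they are running afterwards.
    Restart-Service -Name LanmanServer -Force
}

function Get-AdminDiskShare {
    # Win32_Share.Type 2147483648 = "Disk Drive Admin" (C$, D$, ADMIN$ ...).
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object Name, Path, Description
}

Get-AutoShareState | Format-Table -AutoSize
# Disable-AutoShare          # uncomment to apply locally instead of through a GPO
$left = @(Get-AdminDiskShare)
if ($left.Count -eq 0) { 'No administrative disk shares present.' }
else { $left | Format-Table -AutoSize }
```

Running it on a client after the GPO has been applied shows whether the values actually arrived and whether a restart of the Server service is still pending.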
  • Just note

    Only users with administrator privileges can access administrative shares. In a domain environment, a user must be a member of the Domain Admin group to access this share.


    Best regards
    Dubravko Marak
    MCP, MVP
    Blog: Windows Server Administration

    Tuesday, December 18, 2012 10:42 AM