By default, the ability to manage file and print shares is granted only to members of the Administrators, Power Users, and Server Operators groups. Because members of those groups have many other system-level privileges, it is not recommended to make users members of those groups for the sole purpose of managing shares. However, Windows provides no APIs, group policy setting, or user interface to change the default permissions. This post describes how to grant users the ability to manage shares through Windows Explorer or the “NET SHARE” command line, without granting other advanced privileges.
File and print sharing is controlled by the Server (lanmanserver) service. Permissions are specified as access control lists (ACLs) that are stored as binary values in the registry, in the “HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity” key. Windows provides no API, group policy setting, or user interface to edit these ACLs. However, an unsupported utility, TweakUI, does provide such a user interface.
Security note: Sharing a folder does not allow bypassing of NTFS permissions in the folder. For example, if a share grants “Full Control” to “UserGroupX”, but the NTFS permissions on the folder grant only “Read” access, members of “UserGroupX” accessing the folder through the share will have only “Read” access.
How to change the setting for a single computer
TweakUI is an unsupported utility available for download from microsoft.com. These instructions apply to Version 2.10, which is the current version available at the time of this writing.
To grant a user or group the ability to manage file shares on a single workstation:
“Manage file/print server connections” – Enumerate Connections
“Manage file shares” – Full Control
“Manage print shares” – Full Control
Note that changes to the “Manage file and printer sharing” operation are not needed and not recommended.
For example, to grant the interactively logged-on user the ability to manage file and printer shares on the local computer, grant permissions to INTERACTIVE.
There are certain scenarios in which additional reboots may be required, and in which settings may need to be reapplied.
The system defaults for the DefaultSecurity values in the registry depend on the RestrictAnonymous value in HKLM\System\CurrentControlSet\Control\Lsa. The RestrictAnonymous value appears in security policy as “Network access: Do not allow anonymous enumeration of SAM accounts and shares”. Whenever RestrictAnonymous is modified (e.g., through a Group Policy change), all the lanmanserver DefaultSecurity values get set to system defaults the next time the Server service is restarted (or at next reboot). After those defaults have been reset, custom settings will need to be reapplied and the computer rebooted again in order for custom permissions to take effect.
To remove custom permissions and return to system defaults, delete the Srvsvc* values from the DefaultSecurity key and restart the Server service. Explorer will need to be restarted in order for the user interface to reflect the changes. Logging off or restarting the computer will accomplish this.
The download location for TweakUI is http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx. (Note that there are two versions, including one for Itanium-based systems.)