How to allow users to manage file and print shares without granting other advanced privileges


By default, the ability to manage file and print shares is granted only to members of the Administrators, Power Users, and Server Operators groups.  Because members of those groups have many other system-level privileges, it is not recommended to make users members of those groups for the sole purpose of managing shares.  However, Windows provides no API, group policy setting, or user interface to change the default permissions.  This post describes how to grant users the ability to manage shares through Windows Explorer or the “NET SHARE” command line, without granting other advanced privileges.


File and print sharing is controlled by the Server (lanmanserver) service.  Permissions are specified as access control lists (ACLs) that are stored as binary values in the registry, in the “HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity” key.  Windows provides no API, group policy setting, or user interface to edit these ACLs.  However, an unsupported utility, TweakUI, does provide such a user interface.


Security note:  Sharing a folder does not allow bypassing of NTFS permissions in the folder.  For example, if a share grants “Full Control” to “UserGroupX”, but the NTFS permissions on the folder grant only “Read” access, members of “UserGroupX” accessing the folder through the share will have only “Read” access.


How to change the setting for a single computer


TweakUI is an unsupported utility available for download from microsoft.com.  These instructions apply to Version 2.10, which is the current version available at the time of this writing.


To grant a user or group the ability to manage file shares on a single workstation:



  1. Run TweakUI with administrator privileges, and click on “Access Control” in the left pane.  The “Access Control” item does not appear if you are not an administrator.

  2. “Manage file/print server connections” – Enumerate Connections

       1. Select the “Manage file/print server connections” operation in the “Access Control” dropdown in the right pane.
       2. Click the “Change” button.  A dialog with a “Security” tab will appear.  Click the “Add…” button.
       3. In the “Select Users, Computers, or Groups” dialog box, type the name of the user or group that you want to set permissions for.  (If you want to grant this permission to whoever is logged on to the computer, type the name “INTERACTIVE”.)  Click OK to close the “Select Users, Computers, or Groups” dialog.
       4. Select the newly added name, check the “Allow” checkbox for “Enumerate Connections”, and click OK.

  3. “Manage file shares” – Full Control

       1. In the “Access Control” dropdown, select the “Manage file shares” operation.
       2. Click the “Change” button.  A dialog with a “Security” tab will appear.  Click the “Add…” button.
       3. In the “Select Users, Computers, or Groups” dialog box, type the name of the user or group that you want to set permissions for.  Click OK to close the “Select Users, Computers, or Groups” dialog.
       4. Select the newly added name, check the “Allow” checkbox for “Full Control”, and click OK.

  4. “Manage print shares” – Full Control

       1. In the “Access Control” dropdown, select the “Manage print shares” operation.
       2. Click the “Change” button.  A dialog with a “Security” tab will appear.  Click the “Add…” button.
       3. In the “Select Users, Computers, or Groups” dialog box, type the name of the user or group that you want to set permissions for.  Click OK to close the “Select Users, Computers, or Groups” dialog.
       4. Select the newly added name, check the “Allow” checkbox for “Full Control”, and click OK.

  5. Click the “OK” button in the main TweakUI dialog.

  6. Reboot the computer.

Note that changes to the “Manage file and printer sharing” operation are not needed and not recommended.


For example, to grant the interactively logged-on user the ability to manage file and printer shares on the local computer, grant permissions to INTERACTIVE.


Additional considerations


There are certain scenarios in which additional reboots may be required, and in which settings may need to be reapplied.


The system defaults for the DefaultSecurity values in the registry depend on the RestrictAnonymous value in HKLM\System\CurrentControlSet\Control\Lsa.  The RestrictAnonymous value appears in security policy as “Network access: Do not allow anonymous enumeration of SAM accounts and shares”.  Whenever RestrictAnonymous is modified (e.g., through a Group Policy change), all the lanmanserver DefaultSecurity values get set to system defaults the next time the Server service is restarted (or at next reboot).  After those defaults have been reset, custom settings will need to be reapplied and the computer rebooted again in order for custom permissions to take effect.


To remove custom permissions and return to system defaults, delete the Srvsvc* values from the DefaultSecurity key and restart the Server service.  Explorer will need to be restarted in order for the user interface to reflect the changes.  Logging off or restarting the computer will accomplish this.
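As an added example (not part of the original post and not TweakUI’s own code), the following PowerShell script decodes the three DefaultSecurity values named in the comments (SrvsvcConnection, SrvsvcShareFileInfo, SrvsvcSharePrintInfo) so an administrator can audit which principals have been granted share-management rights, and with the -Reset switch performs the reset procedure described above.  It assumes Windows PowerShell 2.0 or later running in an elevated session on the computer being checked.

```powershell
# Added example, not part of the original post or of TweakUI.
# Audits the lanmanserver DefaultSecurity values described in the post and,
# with -Reset, deletes the Srvsvc* values and restarts the Server service.
# Assumes Windows PowerShell 2.0+ in an elevated session.
param([switch]$Reset)

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity'
$ValueNames = 'SrvsvcConnection', 'SrvsvcShareFileInfo', 'SrvsvcSharePrintInfo'

function Get-SrvsvcAce {
    # Decode one binary (self-relative) security descriptor into its DACL entries.
    param([string]$Name)
    $bytes = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop).$Name
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        # A SID that does not resolve is typically a local account imported from
        # another machine, which the comments on the post warn against.
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = '(unresolved SID)' }
        New-Object PSObject -Property @{
            Value = $Name; Type = $ace.AceType; Principal = $who
            Sid = $sid.Value; AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

if ($Reset) {
    # Return to system defaults: delete the Srvsvc* values, then restart the
    # Server service (-Force also restarts the services that depend on it).
    (Get-Item -Path $KeyPath).GetValueNames() |
        Where-Object { $_ -like 'Srvsvc*' } |
        ForEach-Object { Remove-ItemProperty -Path $KeyPath -Name $_ }
    Restart-Service -Name LanmanServer -Force
    Write-Host 'Defaults restored; log off or reboot so Explorer reflects the change.'
} else {
    foreach ($name in $ValueNames) {
        try {
            Get-SrvsvcAce -Name $name | Select-Object Value, Principal, Sid, Type, AccessMask
        } catch {
            # Value absent: no custom ACL is stored, so the system default applies.
            Write-Host "$name is not present (system default in effect)"
        }
    }
}
```

Run it without arguments on a workstation configured per the steps above and the entries for INTERACTIVE (or whichever principal you added) should appear on all three values; an entry missing from one of them is the usual cause of the “it still doesn’t work” reports in the comments.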


The download location for TweakUI is http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx.  (Note that there are two versions, including one for Itanium-based systems.)

Comments (28)

  1. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  2. How to allow users to manage file and print shares without granting other advanced privileges

    http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/409105.aspx

  3. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  4. Jon Morningstar says:

    Do you have any advice about and/or a way to allow standard users to add fonts?

  5. kevin says:

    Hi Aaron,

    Currently our users need admin rights when they install a Palm-like device. The need is to sync up with Outlook etc.

    Do you have any suggestions for this?

    thanks.

  6. Glenn Woodruff says:

    It’s nice that this can be done from TweakUI, but this doesn’t help a lot in a managed or (in my case) XPe environment. Is there another way to do this?

  7. Chris says:

    Nice work!

    I’m wondering if there is any way that I can allow my users to install local printers without belonging to a Power Users group? Thanks

  8. John says:

    I’m a sys admin with a question about desktop permissions. We are in a Win2K (migrating to XP) mid-size environment. We have customers who occasionally request admin rights to run certain software titles, etc. Sometimes we can grant limited file or registry permissions to allow them to function without elevated rights, sometimes not.

    The current dilemma before me is a group of users who need to run regsvr32 to register new dll’s on a fairly regular basis. Do you know of an explicit permission that would allow this, without elevating rights to power user or admin? Thanks

  9. John, take a look at this utility. It takes advantage of the fact that Windows 2000 introduced per-user registration data – HKCR is now a merged view of HKLM\Software\Classes and HKCU\Software\Classes (the latter is user-writable).

    RegSvrEx – An Enhanced COM Server Registration Utility

    http://www.codeproject.com/w2k/regsvrex.asp

  10. Ryan says:

    I’m stuck in a Windows 2000 environment and can’t use that version of tweakui. Is there another easy way of doing this?

  11. Ryan, TEST THIS FIRST, but you may be able to build the ACLs you want on a Windows XP computer, then export those values from the registry and import them to the Windows 2000 computer. The three values you care about are: SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo.

  12. Davoud says:

    Hi,

    I would like to know why changes to the “Manage file and printer sharing” operation are not needed and not recommended? And is there anyway to invoke these security windows such as “Manage file/print server connections” security window and so forth, directly and without using Tweakui?

    Thanks

  13. Steve says:

    How do you support the remote LUA user whose machine for example has been exploited via an unpatched vulnerability such as blaster/sasser? The normal course of action would be to download a scan/repair utility, and install then run the utility. In the remote LUA scenario the installation/execution is prohibited. That has left us looking at a local administrator account as our "sky is falling" backdoor to deal with firmwide consequences of such an attack. Is there an alternative to having this backdoor in place?

    Thx in advance,

    Steve

  14. Steve: do you have any remote access (e.g., Remote Desktop, Remote Assistance) to the affected computer? Can you use RunAs to run the Malicious Software Removal Tool? BTW, once the MSRT has been run once as admin (and the EULA accepted), if you’ve enabled Automatic Updates MSRT will run automatically every month.

    http://support.microsoft.com/Default.aspx?kbid=890830

  15. Taylor says:

    Hi, Mr. Margosis

    I’ve changed the setting by using TweakUI, but it didn’t work even after I rebooted my computer. What happened?

  16. Kaari says:

    Hi,
    I’ve got the same problem as Taylor. I set “Manage file shares” to FULL CONTROL for the local group INTERACTIVE, but no account in the local group USER can read, change or create file shares.
    OS: Windows XP SP2 incl. all patches

    Review the instructions on this post carefully — there are three different items you need to change the access control for.

    — Aaron

  17. Tom says:

    Hi,
    Is there any other ways to allow normal users to manage shares in addition to TweakUI?

    TweakUI offers the only UI that I know of to edit the permissions.  Without that you’re manipulating binary values in the registry.  Now, once you have established permissions on one system with TweakUI, you can export the relevant registry values (SrvsvcConnection, SrvsvcShareFileInfo, and SrvsvcSharePrintInfo) from that system and import them onto other systems.  If you do this, make sure that the accounts being granted access are either domain accounts or built-in accounts like “INTERACTIVE” and not local accounts that won’t exist on the other systems.

    HTH

    — Aaron

  18. Reniel says:

    Hi,

    Is there a way to incorporate “RUNAS.EXE” in logon scripts to run a program as an administrator without user intervention such as the password?

    I am using rundll32 in logon scripts to install printers on the remote machine. In order for the ordinary user to install printers, I used gpedit.msc to allow “Power Users” to “load and unload device drivers”. However, I am having problems setting the printer settings (i.e. page setup, paper size, etc.).

    I have saved the settings of the printer in a network drive using the command:

    rundll32 printui.dll,PrintUIEntry /Ss /n <name of printer> /a <file where to save the settings>

    and then, tried to restore the settings using the following:

    rundll32 printui.dll,PrintUIEntry /Sr /n <name of printer> /a <file where to save the settings>

    However, it is telling me that the “Operation is not permitted” if I logon as a Power User. But if I use an account with Administrator rights, there is no problem.

    I hope to solve this using the “RUNAS.EXE” utility.

    Thanks!

    RUNAS.EXE always requires the password to be entered at the console.

    — Aaron

  19. Jay says:

    Hi,

    Does anyone know a way to invoke a command to create and share a folder in Windows XP?  I am not sure if rundll32 will do the trick.

    Thanks,

    Jay

    jaydiep@gmail.com

    Jay:

    Did you try NET SHARE from a command prompt?

    HTH

    — Aaron

  20. Pat Stafford says:

    When I try to install TweakUIPowerToySetup.exe, I get an error: “Entry Point Not Found – The procedure entry point GetDllDirectoryW could not be located in the dynamic link library KERNEL32.DLL”

    Is this supposed to be installable on Win2K?  I tried the earlier version of TweakUI, but it doesn’t offer any of the screens for privileges described above.

    Pat:  Each version of TweakUI is tightly coupled to the version of Windows for which it was made.  The XP version will not be usable on Windows 2000; and unfortunately, the Windows 2000 version did not include the extra ACL editing capability that the XP version allowed.  There may be ways to get through this if you don’t mind some risky registry editing…

    — Aaron

  21. Shrutika says:

    Hi,

    My machine is Windows XP Home Edition, SP6.

    I cannot get the “Manage file/print server connections” operation in the “Access Control” dropdown in the right pane.

    I get 2 options namely "connect to registry remotely" and "access performance counter" on the tweakUI screen.

    Could you help?

    Thanks,

    Shrutika

  22. Jon88 says:

    Does anyone know of a way to install local printers as a restricted user without granting Power User or Administrator in XP SP2? Thanks in advance.

  23. Aen says:

    I do not want to install TweakUI on every server; instead I would rather just make the changes that TweakUI would make, and set them manually on my servers.  I have a script that I have users create shares with for new hires.  They need rights to create shares on the servers across the US, but I don’t want them to have rights to do anything else but create a share on those few servers.

  24. Haas says:

    Hi Aaron,

    I was very happy when I found your solution for this problem.

    But it must be that I’m doing something wrong. I implemented the three changes that you explain using TweakUI, but I still cannot add any printers.

    When I use the Add Printer Wizard (or Print Management) the ‘Local Printer attached to this computer’ is grayed out.

    When I add my user to the power users it works.

    Can you help me out please?

    Regards,

    John

    [Aaron Margosis]  This blog post is about file and printer sharing, not about installing printers.  Installing local printers remains an admin task for the time being.

  25. Haas says:

    Aaron, Thanks for the reply.

    “For the time being” is an interesting quote to take away. The task of adding drivers, ports and printers and sharing them is trivial and gets executed by helpdesk people or even key users in a site.

    Now we need to give them at least power user membership to enable them to do this task. This creates a risk.

    Is it possible to figure out what individual rights I need to give a user to be able to give him the same possibilities?

    This would mean using tools like Process Monitor and Process Explorer and the like.

    Any quick pointers? Thanks, John

  26. Thomas says:

    Hi Aaron

    I’ve configured the three registry values SrvsvcConnection, SrvsvcShareFileInfo and SrvsvcSharePrintInfo, using the tweakUI tool. The idea is to add a local built-in group (print operators?) or a domain group. Adding those using the UI is easy enough, and the settings are verified as saved.

    However, when creating new printer objects, the configured group does not even appear on the new object. The system has of course been booted.

    Currently we use a script to change permissions on new printer objects, but changing the default permissions would be a much better solution.

    Thank you.

  27. Frederic says:

    How about Windows 2008 R2 64-bit?

    Can't find any version of TweakUI that works.
