How to allow users to manage file and print shares without granting other advanced privileges

By default, the ability to manage file and print shares is granted only to members of the Administrators, Power Users, and Server Operators groups.  Because members of those groups have many other system-level privileges, it is not recommended to make users members of those groups for the sole purpose of managing shares.  However, Windows provides no APIs, group policy setting, or user interface to change the default permissions.  This post describes how to grant users the ability to manage shares through Windows Explorer or the “NET SHARE” command line, without granting other advanced privileges.

File and print sharing is controlled by the Server (lanmanserver) service.  The permissions it enforces are security descriptors, each carrying an access control list (ACL), stored as REG_BINARY values under the “HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity” key.  Windows provides no API, group policy setting, or user interface to edit these values.  However, an unsupported utility, TweakUI, does provide such a user interface.

Security note:  Sharing a folder does not allow bypassing of NTFS permissions in the folder; effective access through a share is the more restrictive of the share permissions and the NTFS permissions.  For example, if a share grants “Full Control” to “UserGroupX”, but the NTFS permissions on the folder grant only “Read” access, members of “UserGroupX” accessing the folder through the share will have only “Read” access.  Granting a user the ability to manage shares therefore lets them expose folders over the network, but not read or change anything NTFS already denies them.
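Before changing anything it is worth seeing who already holds which rights in these values.  The following PowerShell is an added example, not code from the original post or from TweakUI: it reads every Srvsvc* value under the DefaultSecurity key described above, parses each one as a self-relative security descriptor with .NET’s RawSecurityDescriptor, and lists the ACEs with resolved account names.  The registry path and value-name prefix are the ones given on this page; everything else (function name, output columns) is this example’s own choice.

```powershell
# Added example (not from the original post): decode the Server service's
# DefaultSecurity values. Each Srvsvc* value is a REG_BINARY self-relative
# security descriptor, so RawSecurityDescriptor can parse it directly.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

function Get-SrvsvcSecurity {
    # Emits one object per ACE, across every Srvsvc* value under the key.
    $props = Get-ItemProperty -Path $Key
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -like 'Srvsvc*' } |
        Select-Object -ExpandProperty Name

    foreach ($name in $names) {
        [byte[]]$bytes = $props.$name
        $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        $sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

        if ($null -eq $sd.DiscretionaryAcl) {
            # A null DACL grants everyone everything; flag it instead of skipping silently.
            [pscustomobject]@{ Value = $name; AceType = 'NULL DACL'; Account = '(everyone)'; Mask = ''; Sddl = $sddl }
            continue
        }

        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try {
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid.Value   # unresolvable SID (e.g. a deleted account): show it raw
            }
            [pscustomobject]@{
                Value   = $name
                AceType = $ace.AceType
                Account = $account
                Mask    = '0x{0:X8}' -f $ace.AccessMask
                Sddl    = $sddl
            }
        }
    }
}

# Per-ACE view; the full SDDL of each value is available in the Sddl property.
Get-SrvsvcSecurity | Format-Table Value, AceType, Account, Mask -AutoSize
```

Run it once before using TweakUI and again after the reboot; the difference should be exactly one new AccessAllowed ACE per value you changed, and nothing else.  If the output shows a NULL DACL on any value, that value is already wide open and should be investigated before granting anything further.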

How to change the setting for a single computer

TweakUI is an unsupported utility available for download from microsoft.com.  These instructions apply to Version 2.10, which is the current version available at the time of this writing.

To grant a user or group the ability to manage file shares on a single workstation:

  1. Run TweakUI with administrator privileges, and click on “Access Control” in the left pane.  The “Access Control” item does not appear if you are not an administrator.

“Manage file/print server connections” – Enumerate Connections

  1. Select the “Manage file/print server connections” operation in the “Access Control” dropdown in the right pane.
  2. Click the “Change” button.  A dialog with a “Security” tab will appear.  Click the “Add…” button.
  3. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for.  (If you want to grant this permission to whoever is logged on to the computer, type the name “INTERACTIVE”).  Click OK to close the “Select Users, Computers or Groups” dialog.
  4. Select the newly added name, check the “Allow” checkbox for “Enumerate Connections”, and click OK.

“Manage file shares” – Full Control

  1. In the “Access Control” dropdown, select the “Manage file shares” operation.
  2. Click the “Change” button.  A dialog with a “Security” tab will appear.  Click the “Add…” button.
  3. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for.  Click OK to close the “Select Users, Computers or Groups” dialog.
  4. Select the newly added name, check the “Allow” checkbox for “Full Control”, and click OK.

“Manage print shares” – Full Control

  1. In the “Access Control” dropdown, select the “Manage print shares” operation.
  2. Click the “Change” button.  A dialog with a “Security” tab will appear.  Click the “Add…” button.
  3. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for.  Click OK to close the “Select Users, Computers or Groups” dialog.
  4. Select the newly added name, check the “Allow” checkbox for “Full Control”, and click OK.
  2. Click the “OK” button in the main TweakUI dialog.
  3. Reboot the computer.

Note that changes to the “Manage file and printer sharing” operation are not needed and not recommended.

For example, to grant the interactively logged-on user the ability to manage file and printer shares on the local computer, grant permissions to INTERACTIVE.
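When the same grant has to be applied to more than one machine, or reviewed later, a script is easier to audit than a sequence of dialog clicks.  The following PowerShell is an added example, not code from the original post or from TweakUI, and it rests on two assumptions the post does not state: the registry value behind each TweakUI operation (the mapping in the script), and that the “Full Control” / “Enumerate Connections” rights correspond to the access mask BUILTIN\Administrators already holds in that value, which the script copies rather than hard-coding mask bits.  It deliberately leaves the “Manage file and printer sharing” operation alone, as the note above advises, and backs the key up first.

```powershell
# Added example (not from the original post): script the three TweakUI
# operations described above. ASSUMPTIONS not stated by the post:
#   - which DefaultSecurity value each TweakUI operation edits (mapping below);
#   - that the rights TweakUI labels "Full Control"/"Enumerate Connections" are
#     the mask BUILTIN\Administrators already holds in that value (copied here).
# Run from an elevated PowerShell; reboot afterwards, as the post says.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

# Assumed TweakUI operation -> registry value. SrvsvcShareAdminInfo
# ("Manage file and printer sharing") is intentionally not included.
$Targets = [ordered]@{
    'Manage file shares'                   = 'SrvsvcShareFileInfo'
    'Manage print shares'                  = 'SrvsvcSharePrintInfo'
    'Manage file/print server connections' = 'SrvsvcShareConnect'
}

$AdminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

function Grant-ShareManagement {
    param([Parameter(Mandatory)][string]$Principal)   # e.g. 'NT AUTHORITY\INTERACTIVE', 'CONTOSO\ShareAdmins'

    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Back up the key first so the change can be undone with: reg.exe import <file>
    $backup = Join-Path $env:TEMP ('DefaultSecurity-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup of DefaultSecurity failed; not continuing.' }

    foreach ($op in $Targets.Keys) {
        $name = $Targets[$op]
        [byte[]]$bytes = (Get-ItemProperty -Path $Key -Name $name).$name
        $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        $dacl = $sd.DiscretionaryAcl
        if ($null -eq $dacl) { throw "$name has a null DACL; refusing to edit it blindly." }

        # Idempotent: do nothing if the principal already has an allow ACE here.
        if ($dacl | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $sid }) {
            Write-Host "$op ($name): $Principal already present, skipping"
            continue
        }

        # Borrow the mask from the existing Administrators allow ACE instead of guessing bits.
        $adminAce = $dacl | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $AdminSid } |
                    Select-Object -First 1
        if (-not $adminAce) { throw "$name has no Administrators allow ACE to copy the mask from." }

        $ace = New-Object System.Security.AccessControl.CommonAce(
                   [System.Security.AccessControl.AceFlags]::None,
                   [System.Security.AccessControl.AceQualifier]::AccessAllowed,
                   $adminAce.AccessMask, $sid, $false, $null)
        # Appending after the existing ACEs keeps any deny ACEs ahead of the new allow.
        $dacl.InsertAce($dacl.Count, $ace)

        $out = New-Object byte[] $sd.BinaryLength
        $sd.GetBinaryForm($out, 0)
        Set-ItemProperty -Path $Key -Name $name -Value $out -Type Binary
        Write-Host ('{0} ({1}): granted mask 0x{2:X8} to {3}' -f $op, $name, $adminAce.AccessMask, $Principal)
    }
    Write-Host "Backup written to $backup. Reboot for the new permissions to take effect."
}

# Same effect as the worked example above: the interactively logged-on user.
Grant-ShareManagement -Principal 'NT AUTHORITY\INTERACTIVE'
```

Two caveats.  First, for the connections value the TweakUI steps check only “Enumerate Connections”, whereas copying the Administrators mask grants whatever Administrators hold there; if you need exactly the minimum, set that one in TweakUI or trim the mask after inspecting it.  Second, the script appends the allow ACE to the end of the DACL; if a value already contains deny ACEs, that keeps them ahead of the new entry, which is the order Windows expects.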

Additional considerations

There are certain scenarios in which additional reboots may be required, and in which settings may need to be reapplied.

The system defaults for the DefaultSecurity values in the registry depend on the RestrictAnonymous value in HKLM\System\CurrentControlSet\Control\Lsa.  The RestrictAnonymous value appears in security policy as “Network access: Do not allow anonymous enumeration of SAM accounts and shares”.  Whenever RestrictAnonymous is modified (e.g., through a Group Policy change), all the lanmanserver DefaultSecurity values are rewritten to system defaults the next time the Server service is restarted (or at next reboot), silently discarding any custom permissions.  Once that has happened, the custom settings must be reapplied and the computer rebooted again for them to take effect.  If this policy is managed centrally, expect to reapply the permissions whenever it changes.

To remove custom permissions and return to system defaults, delete the Srvsvc* values from the DefaultSecurity key and restart the Server service.  Explorer will need to be restarted in order for the user interface to reflect the changes.  Logging off or restarting the computer will accomplish this.
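The following PowerShell is an added example, not code from the original post, for the two points above: it reports the current RestrictAnonymous value, backs up the DefaultSecurity key, deletes the Srvsvc* values, restarts the Server service, and then checks that the service wrote fresh defaults back.  Paths and value names are those given on this page; the function name and the verification step are this example’s own.

```powershell
# Added example (not from the original post): return the Server service
# share-management ACLs to system defaults and verify that the service
# re-created them. Run from an elevated PowerShell.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Reset-SrvsvcSecurity {
    # 1 = "Do not allow anonymous enumeration of SAM accounts and shares" is enabled.
    $ra = (Get-ItemProperty -Path $Lsa -ErrorAction Stop).RestrictAnonymous
    Write-Host "RestrictAnonymous = $ra (changing it resets DefaultSecurity at the next Server service restart)"

    # Keep a copy so the custom ACLs can be restored with: reg.exe import <file>
    $backup = Join-Path $env:TEMP ('DefaultSecurity-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; not deleting anything.' }

    $before = (Get-Item -Path $Key).GetValueNames() | Where-Object { $_ -like 'Srvsvc*' }
    Remove-ItemProperty -Path $Key -Name 'Srvsvc*' -ErrorAction Stop

    # -Force also restarts services that depend on Server (e.g. Computer Browser).
    Restart-Service -Name LanmanServer -Force -ErrorAction Stop

    $after   = (Get-Item -Path $Key).GetValueNames() | Where-Object { $_ -like 'Srvsvc*' }
    $missing = $before | Where-Object { $after -notcontains $_ }
    if ($missing) {
        Write-Warning "Not re-created by the service after restart: $($missing -join ', ')"
    } else {
        Write-Host "Server service re-created $($after.Count) default Srvsvc* values. Backup: $backup"
    }
    Write-Host 'Log off or reboot so that Explorer reflects the change.'
}

Reset-SrvsvcSecurity
```

The backup step matters more here than it looks: once the values are deleted there is no record of what the custom ACLs were, so keep the exported .reg file until you have confirmed the machine behaves as intended.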

The download location for TweakUI is https://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx.  (Note that there are two versions, including one for Itanium-based systems.)