You can indeed have a user be a power user - or even an admin, and remove the ability to create shares.
Bruce already pointed out, if they are not power users or admins then they already cannot create file\print shares. There is a registry value called SrvsvcShareFileInfo under \lanmanserver\DefaultSecurity which can be edited in order to remove the "right". This is covered in the security FAQ here:

http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx

Share creation restrictions. Access to share operations such as creating a share, changing share information, and deleting a share, are controlled by security descriptors. On a server, administrators can decide who can/cannot perform certain share operations. For example, on a file server, administrators should be able to delegate or remove Power Users to create file shares. The ability to create/delete shares is controlled by an ACE in the security descriptor, where Power Users can be added/removed from the security descriptor to allow or deny the ability. The security descriptors are stored in the registry by SRV service, under LanManServer\DefaultSecurity, as follows:

. SrvsvcShareFileInfo, REG_BINARY: Permission to control access on file share operation.
. SrvsvcSharePrintInfo, REG_BINARY: Permission to control access on print share operation.
. SrvsvcShareAdminInfo, REG_BINARY

Keep in mind that this is really just security by obscurity, as the admin can obviously just pop him\herself back in there. I guess I would need to determine how smart my end users really were in this case :)

my .02

-steve

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 16, 2004 3:10 PM
Subject: RE: [ActiveDir] Share creation permissions

> Make them normal users.
>
> Unfortunately that work is proxied through svchost so you can't lock down by
> group other than what MS supplies by default.
>
> Yes, that is archaic and not very security minded.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
> Contr InDyne/Enterprise IT
> Sent: Friday, July 16, 2004 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Share creation permissions
>
> I have a proposed requirement to restrict the ability to create shares on
> the workstation to all but a few people within the domain. Anyone have an
> idea as to how to do this?
>
> v/r
>
> RC
>
> Comments and concerns can be directed back to me, complaints can be directed
> to /dev/null
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
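
An added example, not part of the thread or the FAQ it quotes: a way to audit offline which SIDs hold ACEs in an exported copy of one of the REG_BINARY values named above, assuming the value is a standard self-relative Windows security descriptor. The sample bytes and access-mask values are constructed for illustration, and the function names are hypothetical.

```python
import struct

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into its S-R-A-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def dacl_aces(sd):
    """Return [(kind, access_mask, sid)] for allow/deny ACEs in the DACL.
    Assumes a self-relative security descriptor (assumption, see lead-in)."""
    rev, _, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:   # DACL absent or NULL: no ACEs to list
        return []
    _rev, _sbz, _size, count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if size < 8 or off + size > len(sd):
            raise ValueError("truncated or malformed ACE")
        if ace_type in (0, 1):                  # ACCESS_ALLOWED / ACCESS_DENIED
            kind = "ALLOW" if ace_type == 0 else "DENY"
            aces.append((kind, mask, parse_sid(sd, off + 8)))
        off += size
    return aces

def has_allow(sd, sid):
    """True if the descriptor carries an allow ACE for the given SID string."""
    return any(k == "ALLOW" and s == sid for k, _, s in dacl_aces(sd))

# --- constructed sample data (not read from any real system) ---
def _sid(*subs):                                # builds S-1-5-<subs>
    return struct.pack("<BB6s%dI" % len(subs), 1, len(subs),
                       (5).to_bytes(6, "big"), *subs)

def _ace(mask, sid):                            # allow ACE; mask is a placeholder
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid

_aces = _ace(0x000F0003, _sid(32, 544)) + _ace(0x00000003, _sid(32, 547))
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)
             + struct.pack("<BBHHH", 2, 0, 8 + len(_aces), 2, 0) + _aces)
POWER_USERS = "S-1-5-32-547"                    # well-known BUILTIN\Power Users SID

if __name__ == "__main__":
    for kind, mask, sid in dacl_aces(SAMPLE_SD):
        print(kind, hex(mask), sid)
```

Run against an exported value before and after a change, `has_allow` shows whether the Power Users ACE is actually gone, and a later run catches an administrator adding it back.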
