Solved

Remove File & Printer Sharing (XP and 7) via Group Policy

Posted on 2010-09-08
Last Modified: 2012-06-21
Hi Experts,

I have 60 machines in an AD OU and would like, via Group Policy, to have File and Printer Sharing removed or disabled from the properties of the Local Area Connection on all of them (XP 32-bit and 7 x64).

Can this be accomplished via a Group Policy setting (where is it?) or do I need to push a script out to the machines to get this done (keep in mind that not all of the ethernet cards are locally called "Local Area Connection" on all of the machines).

Will need a script/policy for Windows XP (more important) but would be nice also to know what setting needs to be modified to do this with Windows 7.
0
Question by:taki1gostek
13 Comments
 
LVL 12

Expert Comment

by:mattclarified
ID: 33628261
Hi,

You can use Group Policy computer configuration to disable the Server service, which will effectively disable file and print sharing on those computers. However, this will also disable the ability to remotely manage those machines, but if this is not an issue, this will be your best option.

M@
0
 
LVL 2

Expert Comment

by:Comtek
ID: 33628285
What you need to do is disable the Server service.

You can do this in Group Policy by going to: Computer Configuration --> Windows Settings --> Security Settings --> System Services. Double Click your Server Service, Check "Define this policy setting" and select Disabled.
0
 
LVL 12

Expert Comment

by:mattclarified
ID: 33628414
You could also disable the option under Computer configuration > Admin templates > Network > Network connections > Windows firewall > Domain Profile > Windows Firewall: Allow inbound file and printer sharing exception. This should deny all file and print traffic requests coming in, so will not make a difference if file and print sharing is turned on or not.

M@
0
 
LVL 2

Expert Comment

by:Comtek
ID: 33628440
Or do both.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33628511
No, what I really need is to uncheck File and Printer Sharing from the Local Area Connection properties, because as machines were rolled out and migrated to this domain, File and Printer Sharing was unchecked locally by admins, but we need the ability to turn it on again and off (as needed for different apps) using Group Policy. So I guess if I can get a way to turn File and Printer Sharing on (the checkbox next to it in the properties of the LAN), the opposite will work for what I currently need.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33628517
I need the Server service on because remote management is important.
0
 
LVL 12

Expert Comment

by:mattclarified
ID: 33628702
Hi,

There is no way to turn it on or off using Group Policy. I would suggest turning it on for all machines by using snetcfg.exe; take a look at this thread, which will point you in the right direction: http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=125461&site_id=1#import

After you have enabled it for all machines, control it by using the firewall rules in Group Policy as I set out above.

M@
0
 
LVL 2

Expert Comment

by:Comtek
ID: 33629051
This can probably be done with Windows Scripting. I'm setting up an XP virtual machine right now to test it and will post back my results.
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 33629100
There isn't a default method for doing this through a GPO. However, it's possible to create a custom Administrative Template (ADM Templates) to configure the registry entries you need to modify to shut down File and Printer sharing without firewall configuration or shutting down services. The registry entries that need to be modified are here: http://www.pctools.com/guides/registry/detail/132

This is a guide for creating ADM templates: http://support.microsoft.com/kb/225087

Custom ADM templates work best on Windows 2003 and below. If you have Windows 2008 or Windows 7 with the Windows 2008 Remote Server Admin Tools installed on it, you can build a GPO that pushes the registry entries out using Group Policy Preferences. Info on that here: http://technet.microsoft.com/en-us/library/cc731892%28WS.10%29.aspx
There is also some information on handling ADMX templates (Windows 2008's ADM templates) in that section of Technet.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33629102
Awesome thanks!
0
 
LVL 2

Accepted Solution

by:
Comtek earned 500 total points
ID: 33629775
Ok, this is the only thing I could come up with, and I tested that it works.

First, download snetcfg_wxp.exe from http://winpesoft.hp.infoseek.co.jp/winpe/arc/snetcfg_wxp.zip 

Then create a script that runs these commands:
snetcfg_wxp -u MS_Server
snetcfg_wxp -c s -i MS_Server

That will remove, then reinstall, the Server service. In the process it will automatically check it in the network properties.

From then on, if you need to enable/disable it, you can use the firewall Group Policy setting or the Server service setting in Group Policy as described above.
0
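
A read-only check of the three controls this thread discusses (the Server service, the Domain Profile firewall exception policy, and the per-adapter File and Printer Sharing binding), added here as an example and not written by any poster in the thread. Assumptions: Windows PowerShell 2.0 or later is installed (it is not part of a default XP install); the function name Get-FileSharingExposure is hypothetical; the registry path is assumed to be where the firewall policy setting is stored; Get-NetAdapterBinding exists only on Windows 8 / Server 2012 and later, so on XP and 7 the binding list stays empty.

```powershell
# Added example: read-only audit, changes nothing on the machine.
function Get-FileSharingExposure {
    # 1. Server service (service name LanmanServer): state and start mode.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"

    # 2. Policy "Windows Firewall: Allow inbound file and printer sharing
    #    exception" for the Domain Profile (registry path is an assumption).
    $fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint'
    $fwPolicy = 'NotConfigured'
    if (Test-Path $fwKey) {
        $enabled = (Get-ItemProperty -Path $fwKey).Enabled
        if ($enabled -eq 1) { $fwPolicy = 'Enabled' }
        elseif ($enabled -eq 0) { $fwPolicy = 'Disabled' }
    }

    # 3. Per-adapter "File and Printer Sharing" checkbox (component ms_server),
    #    listed for every adapter whatever its connection name is.
    $canReadBinding = [bool](Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue)
    $bound = @()
    if ($canReadBinding) {
        $bound = @(Get-NetAdapterBinding -ComponentID ms_server |
            Where-Object { $_.Enabled } | ForEach-Object { $_.Name })
    }

    # Sharing is reachable only if the service runs; the firewall policy then
    # decides whether inbound requests are allowed, blocked, or left to the
    # local firewall configuration.
    $running = ($null -ne $svc) -and ($svc.State -eq 'Running')
    if (-not $running) { $finding = 'Server service not running' }
    elseif ($fwPolicy -eq 'Disabled') { $finding = 'Service running, inbound blocked by policy' }
    elseif ($fwPolicy -eq 'Enabled') { $finding = 'Service running, inbound allowed by policy' }
    else { $finding = 'Service running, local firewall settings decide' }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        ServerState     = $svc.State
        ServerStartMode = $svc.StartMode
        FirewallPolicy  = $fwPolicy
        BindingReadable = $canReadBinding
        BoundAdapters   = $bound
        Finding         = $finding
    }
}

Get-FileSharingExposure | Format-List
```

Run it from an elevated prompt on a sample machine after the GPO has applied, to confirm the policy took effect before rolling it out to the whole OU.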
 
LVL 54

Expert Comment

by:McKnife
ID: 33631620
Also have a look at this thread - it's about configuring the firewall using a domain startup script and would hold a solution for you on the premise that ALL computers should share the same config. http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_Vista/Q_23558060.html
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33800674
Thanks
0
