Q. How can I use Group Policy to control whether the default administrative shares are created?

A. In Windows NT system policies, you could control creation of the default administrative shares (e.g., C$, D$) by using a policy setting. However, because Microsoft changed how Windows 2000 and later apply policies, you can't use Group Policy to control default administrative share creation. One method for enabling the default administrative shares for all Win2K and later machines is to create a registry file that contains the settings to enable the default administrative shares to run from a logon script.

Another way to use Group Policy settings to control creation of default administrative shares is to create a custom Administrative Template (.adm) file, which you can copy into your Group Policy Objects (GPOs) and which enables the setting of the registry values. The following sample .adm file, which my colleague Tim Goodrich created, creates a GPO that modifies certain registry settings, which control the creation of default administrative shares.

CLASS MACHINECATEGORY !!DefaultShares POLICY !!DefaultSharesWKS    EXPLAIN !!EnableDefaultShares_Explain    VALUENAME "AutoShareWks"    VALUEON NUMERIC 1            VALUEOFF NUMERIC 0    KEYNAME "SYSTEMCurrentControlSetServiceslanmanserverparameters" END POLICY POLICY !!DefaultSharesSRV        EXPLAIN !!EnableDefaultShares_Explain    VALUENAME "AutoShareServer"    VALUEON NUMERIC 1            VALUEOFF NUMERIC 0    KEYNAME "SYSTEMCurrentControlSetServiceslanmanserverparameters" END POLICYEND CATEGORY[strings]DefaultSharesWKS="Default Workstation Admin Shares"DefaultSharesSRV="Default Server Admin Shares"EnableDefaultShares_Explain="Enables default Admin shares"DefaultShares="Default Shares"

Be aware that this .adm file modifies registry keys that are outside of regular policy areas. Thus, even when you delete this GPO by using the Microsoft Management Console (MMC) Users and Computers snap-in, the registry change will remain in effect permanently.