GPO setting for simple file sharing?

[Leozack]

Hey all just wondering if I was blind, or if there sin't a gpo setting to disable the annoynig simple file sharing that seems to be on even on new xpsp2 machines on the domain (?). I've turned them off manually but a gpo setting to cover future machines would be good.

_________________________________
Leozack

MakeUniverse($infinity,1,42);

 

[bcastner]

ForceGuest should be set to 0 by XP when joined to the Domain. It can also be disabled by the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest.

Or, push this registry edit:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
ForceGuest=dword:00000000

 

[Leozack]

*blinks* how does that effect the simple file sharing? the machines were on the domain correctly and all was well, I just wanted a gpo setting to turn it off cos some things need it off

_________________________________
Leozack

MakeUniverse($infinity,1,42);

 

[bcastner]

By default, on computers running Windows XP Professional and not joined to a domain, all incoming network connections are forced to use the Guest account. This means that an incoming connection, even if a user name and password is provided, has only Guest-level access to the share. Because of this, either the Guest user account or the Everyone group (the only group to which the Guest account belongs) must have permissions on the share and on the directories and files that are shared. It also means that, in contrast to Windows 2000, you do not need to configure matching user accounts on computers to share files. Because Windows XP Professional supports Anonymous connections, and because it severely limits the use of the Everyone group in file system permissions, granting the Everyone group access to shared folders does not present the security problem that it does on Windows 2000–based computers.

ForceGuest is enabled by default, but can be disabled on Windows XP Professional by disabling the local security policy Network Access: Force Network Logons using Local Accounts to Authenticate as Guest. By contrast, on Windows XP Professional–based computers joined to a domain, the default sharing and security settings are the same as in Windows 2000. Likewise, if the ForceGuest policy setting on a Windows XP Professional–based computer not joined to a domain is disabled, then the computer behaves as in Windows 2000.

Sharing Files and Folders Using the Simple Sharing User Interface

To simplify configuring sharing and to reduce the possibility of misconfiguration, Windows XP Professional uses the Simple Sharing User Interface (UI). The simple sharing UI appears if ForceGuest is turned on; the traditional sharing and security tabs are shown if ForceGuest is turned off.

On computers running Windows XP Professional that are not joined to a domain, ForceGuest is turned on by default. To access the traditional sharing and security tabs and manage permissions manually on these computers, go to Windows Explorer or My Computer, click the Tools menu, click Folder Options, click the View tab, and then clear the Use simple file sharing (Recommended) check box. Note that changes made manually cannot be undone by using the simple sharing UI, and although you might make what appears to be a reasonable change to permissions, the resultant permissions might not work as expected if ForceGuest is subsequently turned on.

 

[Leozack]

Ok that's a bit of a nobbly one there but thanks for the tipoff! Don't you just love such random solutions? Here was me looking for somethiing silly like "enable simple file sharing" in the gpo when I should've been looking for the obvious choice of "force network logons using local accounts to authenticate as guest"

_________________________________
Leozack

MakeUniverse($infinity,1,42);

 

[Leozack]

Oh, I assume I set it to disabled

_________________________________
Leozack

MakeUniverse($infinity,1,42);