Windows 7 – The admin$ share

Posted by Steve Wiseman on August 19, 2009 with 8 Comments

I got my shiny new copy of Windows 7 today from MSDN. It became available to MSDN subscribers earlier this week.

If you have access, give it a spin; there are some excellent improvements over Vista.

I installed it today to test some of our software. One issue, which is also present in Vista, is that file and printer sharing and the admin$ share are disabled out of the box.

This is fine for your computer at home. You don’t want this turned on unless you absolutely need to.

In a corporate environment it is used quite a bit by the likes of Backup Exec, the distribution tool for Kaspersky antivirus, the remote execute tool PSExec from SysInternals, and last but not least our admin tools heavily rely on the admin share too.

The simple fact is that if you need to push software remotely, you are going to need access to the admin$ share.

This special share is automatically created when Windows is installed, but it is not available unless file and printer sharing is turned on.

Like I said before, this is disabled by default in Windows 7, and unfortunately Microsoft has yet again changed the method to turn it back on. The steps you need to take are now different than the ones you took in Vista.

How do you get it back up and running in Windows 7?

Start by going into the control panel.

Click on “Network and Internet”

Then click on “Network and Sharing Center”

A new window will be displayed. Look on the left side.

See the item that says “Change Advanced Sharing Settings” – Click on it.

Now you are shown different profiles.

The list can change depending on how your system is configured. Windows 7 will determine automatically what profile your network card is using. You may want to enable file and printer sharing on all of them, or limit it to the “Home or Work” profile for higher security.

Expand the profile you want to modify, and scroll down until you see “File and Printer Sharing”

Click on “Turn on file and printer sharing”

Save your changes.

I wish I could say that is all you need to do, but unfortunately you also need to make a registry change.

Open regedit, and drill down to this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

Under this key you will need to create a new DWORD value called:

LocalAccountTokenFilterPolicy

Set it to 1, and reboot.

Now you can access the admin$ share on your Windows 7 machine.

Enabling File and Printer Sharing – FPEnabler.exe

Posted by Steve Wiseman on December 11, 2008 with 1 Comments

We started out this week thinking that we would update FPEnabler.exe. We released this free program about a year ago, but we had to pull it from our website because it was breaking every few months with new patches released by Microsoft. FPEnabler simplified the process of adding a file and printer sharing exception to the firewall. What do you need it for? Well, lots of tools use the file and printer sharing mechanism to install patches, run reports, remotely reboot, etc. And of course, many of our tools use this to do their magic.

Part of the problem is that we used an undocumented and unsupported method of updating the registry to add this exception. So I thought that if we used the public firewall APIs it would be simpler, but after some deeper research into the issue we have decided against continuing this command line program.

A few reasons for this:

1. Different versions of XP have different ways of reading these registry keys. For example, XP Pro is different than XP Media Center, and if we set the wrong keys it had the potential of breaking file sharing altogether in Windows.

2. Vista has a completely different way of enabling this exception, so we would need to create custom code to distinguish between Vista and XP.

3. With the new UAC model in Vista, this methodology for changing the firewall settings does not work with UAC enabled…or for users without administrative rights over their PC. So the necessity and effectiveness of an enabler program are in question.

So what to do? Well, if you have lots of machines the answer is group policy. If you have a few machines, you can make these changes by hand.

I have written 3 articles, one for each method, for those of you who need to get this done.

Enabling File And Printer Sharing in XP

Enabling File And Printer Sharing in Vista

Enabling File And Printer Sharing using Group Policy

Enabling File and Printer Sharing In Vista

Posted by Steve Wiseman on December 11, 2008 with 1 Comments

File and printer sharing is used primarily for…you guessed it…sharing your files and printers. By default Vista is configured with these disabled. Many times file and printer sharing is also needed for remote administration tools that access the admin$ share.

The first step to getting this to work is enabling an exception in the firewall. Get into the control panel, and double click on the firewall icon:

A configuration window will appear, click on the change settings link:

Once that opens, switch to the “Exceptions” tab, and make sure “File and Printer Sharing” is checked.

If you are only interested in sharing files, then you are done. If you are interested in getting the admin$ share to work there is one more step…a registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

Browse to the above key, and you will need to create a new DWORD value called:

LocalAccountTokenFilterPolicy

Set it to 1, and reboot.

Now your machine will have file and printer sharing accessible through the firewall, and programs like Remote Control 3.0 will be able to automatically install software from another machine.

This tip will also work for Windows 2008
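
To confirm what the Windows 7 and Vista steps above actually changed, a read-only audit can report which firewall profiles allow file and printer sharing and whether LocalAccountTokenFilterPolicy is set. Setting that value to 1 turns off UAC remote restrictions, so local administrator accounts receive a full administrative token over the network. This is an added example, not code from the original posts; the function name is hypothetical and the rule group name assumes an English system.

```powershell
# Added example: read-only audit of the settings changed in the steps above.
# Uses the Windows Firewall COM API (Vista / Windows 7 / Server 2008 and later).
function Get-AdminShareExposure {
    # NET_FW_PROFILE_TYPE2 bitmask values from the firewall API.
    $profileBits = @{ Domain = 1; Private = 2; Public = 4 }
    # Assumption: English display name of the firewall rule group.
    $group = 'File and Printer Sharing'

    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $result = @{}
    foreach ($name in $profileBits.Keys) {
        $result["Sharing$name"] = $fw.IsRuleGroupEnabled($profileBits[$name], $group)
    }
    # Profiles the machine is using right now (a bitmask of the values above).
    $result['ActiveProfiles'] = ($profileBits.Keys |
        Where-Object { $fw.CurrentProfileTypes -band $profileBits[$_] }) -join ','

    # The DWORD created in regedit above; a missing value behaves like 0.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $result['LocalAccountTokenFilterPolicy'] = [int]$props.LocalAccountTokenFilterPolicy

    # The admin$ share exists even when sharing is blocked at the firewall.
    $share = Get-WmiObject Win32_Share -Filter 'Name=''ADMIN$'''
    $result['AdminShareExists'] = [bool]$share

    New-Object PSObject -Property $result
}

$state = Get-AdminShareExposure
$state | Format-List

if ($state.SharingPublic) {
    Write-Warning 'File and printer sharing is allowed on the Public profile.'
}
if ($state.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'Local administrator accounts get a full admin token over the network.'
}
```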

Enable File and Printer Sharing using Group Policy

Posted by Steve Wiseman on December 11, 2008 with 3 Comments

Since the release of Windows XP SP2, file and printer sharing has been blocked by default in the Windows firewall. This includes all versions of Vista, and even XP SP3. Heck, the same is true for the pre-release versions of Windows 7 that I have looked at.

This creates a problem for many of our tools and products. For example, our remote USB disabler cannot do its work without remotely writing the appropriate registry keys. Our Remote Control product cannot automatically install its agent without file and printer sharing. They all use this to do their magic. We are not the only ones – psexec from SysInternals needs file and printer sharing too.

There are hundreds if not thousands of tools used by IT administrators that require file and printer sharing enabled in the firewall.

If you have 10 computers it is an easy fix. You simply walk around to each of them and add an exception in the firewall. Simple. Done.

If you have 100s of computers spread across 3 states…you now have a much more difficult problem. You could write a script that executes at login. The trouble with this idea is that every user would need full administrator access to their own machine. This type of access is getting pretty rare these days, so I don’t even consider it an option.

The best method is group policy. I am going to walk you through it. My example uses Windows 2003 Server. Those of you with 2008 will find that it is almost exactly the same. If you have 2000 Server…well…you have your hands full anyway and shouldn’t even have time to read this article.

Start out by getting on your domain controller. Open “Active Directory Users and Computers”. You need to determine what group of machines your policy is going to be applied to. Some organizations will have computers under many different OUs.

To keep things simple I am going to change the group policy for the entire domain.

Right click on the domain name and go to properties:

This will bring up a properties window. You will want to move to the Group Policy tab, select the policy you want to edit (In our case it is the Default Domain Policy) and press the edit button.

This is a computer policy (It will apply to computers…not specific users), so drill down to:

Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall

You will notice two sections under this area. A domain profile, and a standard profile. A machine will automatically determine which profile it should use by the type of network it is connected to. Directly from Microsoft, they are defined in this way:

* Domain profile: The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.

* Standard profile: The standard profile is the set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when an organization laptop computer is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop computer is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.

So generally speaking, I suggest only making these changes to the Domain Profile. You don’t want your sales guys hooking up to a hotel network with their file and printer sharing fully accessible.

Selecting the domain profile, and looking on the right we see what we need – “Windows Firewall: Allow file and printer sharing exception”

There are two items you need to set. First, set the radio button to Enabled, and then fill out the filter value below it. This tells the group policy which computers are allowed to connect to the machine. For our example I will put *

This value allows any computer to connect. Click OK, and allow some time to pass (15 to 30 minutes). Then your computers will pick up the new policy. If you are impatient you can go to the command line on the server and your test machine. Type: GPUPDATE /force

If I hop on one of my Vista machines we can see that it has accepted the policy:

Perfect. Now I can terrorize my programmers by rebooting all of their machines at the same time using Network Administrator :)
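
To check on a client what the policy delivered, the sketch below reads the registry values this policy setting writes and flags the two cases discussed above: a filter of * and an exception enabled on the standard profile. It is an added example, not part of the original post, and the function name is hypothetical. Besides *, the filter field also accepts a comma-separated list of addresses and subnets or the keyword localsubnet, which is the narrower choice when only a management network needs to connect.

```powershell
# Added example: read the values the "Allow file and printer sharing exception"
# policy setting writes on a client, for both firewall profiles.
function Get-FilePrintPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $key = "$base\$fwProfile\Services\FileAndPrint"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $enabled = ($p -ne $null) -and ($p.Enabled -eq 1)

        # The filter value typed into the policy dialog ("*" in the article).
        $scope = @()
        if ($enabled -and $p.RemoteAddresses) {
            $scope = @($p.RemoteAddresses -split ',' | ForEach-Object { $_.Trim() })
        }

        $notes = @()
        if ($enabled -and ($scope -contains '*')) {
            $notes += 'any address may connect'
        }
        if ($enabled -and $fwProfile -eq 'StandardProfile') {
            $notes += 'exception is open off the managed network'
        }

        New-Object PSObject -Property @{
            Profile = $fwProfile
            Enabled = $enabled
            Scope   = ($scope -join ', ')
            Notes   = ($notes -join '; ')
        }
    }
}

Get-FilePrintPolicy | Format-Table Profile, Enabled, Scope, Notes -AutoSize
```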
