We have a restricted Windows 7 computer that hides and prevents non-admin users from accessing the C Drive using the following policies:

However, they are able to circumvent this by typing the following into Explorer: \\localhost\C$

How can I disable this path but allow other UNC paths? For example, they are allowed to access a shared folder on a different computer, e.g. \\\SharedTransfer

Note: Simply Enabling the Group Policy: Remove Run menu from Start Menu will not work as this blocks all UNC paths.

The user, called Site User, is not a member of the Administrator group directly or indirectly. It is only a member of the group Users.

Accessed the following from: Control Panel\All Control Panel Items\Administrative Tools\Computer Management (Local) > System Tools > Local Users and Groups

Local Users and Groups
 - Groups
      - Administrators
             - Administrator
             - Service User (our admin user)
      - Users
             - NT AUTHORITY\Authenticated Users (S-1-5-11)
             - NT AUTHORITY\INTERACTIVE (S-1-5-4)
             - Site User (user account in question)
  • By default only users in the local Administrators group can access the dollar sign shares. If users can access these shares, then you have granted the user more permissions than they should have somewhere. Fix the permissions problem.
    – Zoredache
    Commented Dec 11, 2012 at 0:02
  • @Zoredache How can I check and fix these permissions? Can you please submit an answer and I will try it.
    – Ryan R
    Commented Dec 11, 2012 at 0:13
  • Are you testing as Service User or Administrator, or are you testing as Site User? Commented Dec 13, 2012 at 20:11
  • Testing as Site User.
    – Ryan R
    Commented Dec 13, 2012 at 20:39
  • You know the users can also access everything on C using the command prompt?
    – stijn
    Commented Dec 20, 2012 at 11:03

You can disable the "Administrative share" from being created with GPP.

If you navigate to Computer Configuration / Preferences / Windows Settings / Network Shares, you’ll find this hidden gem. Right-click the Network Shares node to create a new share policy.

Source: http://sdmsoftware.com/group-policy-preferences/controlling-shares-on-windows-systems/

Would that solve your problem?


I'd like to point out that Group Policies are just registry entries and depend on applications being programmed to read and obey them. If you really want to prevent local users from accessing the C: drive, you should set the permissions on the Security tab in its Properties dialog. This is separate from its sharing permissions. You could, for example, add a Deny permission (under Advanced) for your "Site user". (This is in addition to preventing them from accessing the C$ share, however you solve that issue.)

  • This is also a very valid point.
    – Ryan R
    Commented Dec 19, 2012 at 18:50

@Zoredache How can I check and fix these permissions? Can you please submit an answer and I will try it.

Open the Administrators group on the local machine and see who the members of that group are. Check that the people who are accessing \\localhost\C$ are not members of any of the groups (or members of groups that are members of that group: Administrators <= GroupA <= GroupB <= User).

Once the user, group, or nested group that is a member of Administrators has been removed (via a change in the group policy settings or by hand) the users will no longer be able to access the \\localhost\C$ share.

  • I have updated the question. The user is not part of the Administrator group.
    – Ryan R
    Commented Dec 13, 2012 at 17:34
  • Can you list the members of the local administrators group (not the one in the domain)? Commented Dec 13, 2012 at 17:48
  • Updated question.
    – Ryan R
    Commented Dec 13, 2012 at 17:57
  • This answer, based on Zoredache's comment, is correct. By default only administrators can access the "administrative shares". There's little security to be gained by either a) disabling the administrative shares, or b) denying user access to them. If the remote user is an administrator they can just create any share they want (e.g. \\\DriveC). If you're following a corporate security policy, then I would just turn off the admin shares. Security policies usually have little to do with security. Timely Schneier blog post
    – Ian Boyd
    Commented Dec 15, 2012 at 2:14
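
The membership check described in this answer can be scripted. The following is an added example, not code from the answer or its comments: run as the account under test, it lists the direct members of the local Administrators group and then checks whether the current logon token carries that group, which also covers nested membership. The function names are hypothetical, and it is written for PowerShell 2.0 as shipped with Windows 7.

```powershell
# Added example. Run as the account under test (the question's "Site User").
# Written to work on PowerShell 2.0, which ships with Windows 7.

# Well-known SID of BUILTIN\Administrators; resolving it avoids localized names.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Direct members of the local Administrators group (WinNT ADSI provider).
function Get-LocalAdminMember {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            Class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        }
    }
}

# Groups in the current logon token. Nested membership is already resolved here.
function Get-TokenGroup {
    whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
}

Get-LocalAdminMember | Format-Table Class, Path -AutoSize

# Match on the SID column, not the name, so the check is locale-independent.
$hit = Get-TokenGroup | Where-Object { $_.Sid -eq $adminSid.Value }
if ($hit) {
    # The Attributes text shows whether the group is enabled or deny-only.
    "Token carries $($hit.Name): $($hit.Attributes)"
} else {
    "Token does not carry $adminName ($($adminSid.Value))"
}
```

The token is built at logon, so after changing group membership the account has to log off and on again before the second check reflects it.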

There is no general method to disable administrative shares. Only the command:

NET SHARE C$ /delete

can be executed in order to disable such a share in a networked computer. The problem is that the share is automatically recreated after reboot.

A common workaround is to create a batch file to disable administrative shares (they can be viewed by running the NET SHARE command) and schedule it to run at every system startup by using the Windows Task Scheduler.


  • The problem is that in my case, the administrative shares are automatically created upon reboot.
    – SebMa
    Commented Nov 9, 2023 at 16:28
  • @SebMa: This answer is from 2012, but still true. And yes, that's why I advise to create a Task Scheduler task to run this command at boot.
    – harrymc
    Commented Nov 9, 2023 at 17:08

Here's another solution. First type these two commands:

net share c$ /del     
net share admin$ /del 

Then you need to add the AutoShareWks registry key to prevent Windows Desktop from recreating the administrative shares upon reboot:

reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 0

For Windows Server, you need to add the AutoShareServer registry key:

reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareServer /t REG_DWORD /d 0
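
To confirm that either approach above (the startup task or the registry value) has taken effect, the following read-only check reports the administrative disk shares that currently exist and the AutoShare value that applies to this edition of Windows. It is an added example, not code from any of the answers; the function names are hypothetical, and it is written for PowerShell 2.0.

```powershell
# Added example. Read-only; works on PowerShell 2.0 (Windows 7).
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# Win32_Share.Type 2147483648 is "Disk Drive Admin": C$, D$, ADMIN$ and similar.
function Get-DiskAdminShare {
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object Name, Path
}

# Which value applies: ProductType 1 is a workstation, 2 and 3 are servers.
function Get-AutoShareValueName {
    $type = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
    if ($type -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
}

# Returns the DWORD, or $null when the value has never been created.
function Get-AutoShareValue([string]$Name) {
    $prop = (Get-ItemProperty -Path $paramKey).PSObject.Properties[$Name]
    if ($prop) { $prop.Value } else { $null }
}

$name   = Get-AutoShareValueName
$value  = Get-AutoShareValue $name
$shares = @(Get-DiskAdminShare)

if ($null -eq $value) { "$name is not set" } else { "$name = $value" }
if ($shares.Count -gt 0) {
    'Administrative disk shares present: ' +
        (($shares | ForEach-Object { $_.Name }) -join ', ')
} else {
    'No administrative disk shares present.'
}

# Combine both facts into the state an administrator cares about.
if ($value -eq 0 -and $shares.Count -eq 0) {
    'Shares are removed and will not be recreated at boot.'
} elseif ($value -eq 0) {
    "$name is 0 but shares still exist: delete them or restart."
} else {
    'Any deleted shares will be recreated at the next reboot.'
}
```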

