How to Disable Access to Specific Shared Folders Using Group Policy

While Group Policy doesn't have a single setting to universally "disable" the creation or feature of sharing folders, you can effectively "disable" access to *specific* shared folders for users or computers by using **File System** security settings within a Group Policy Object (GPO). This method modifies the NTFS permissions on the folder, restricting who can access it.

## Steps to Deny Access to a Shared Folder Using Group Policy File System Security

Follow these steps within the Group Policy Management Editor:

1.  **Open** the Group Policy Management Console (GPMC).
2.  **Edit** the GPO you want to configure (either an existing one or a new one).
3.  In the Group Policy Management Editor, navigate through the tree structure as follows:
    *   **Computer Configuration**
    *   **Windows Settings**
    *   **Security Settings**
    *   **File System**
4.  **Right-click** on the **File System** folder.
5.  Select "**Add File or Folder**".
6.  In the dialog box that appears, **enter the path of the network shared folder** you want to deny access to. For example, you would enter the local path like `C:\SharedDocs` if that folder is shared as `\\Server\SharedDocs`.
7.  Click "**OK**".
8.  A security properties dialog box will open for the path you entered. Here, you can configure the NTFS permissions. **Add the user group or computer group** (e.g., "Domain Users" or a specific security group) that you want to deny access to.
9.  For the added group, check the **"Deny"** box for permissions like "Full Control" or "Read" and "Write" to restrict access.
10. Click "**OK**" on the security properties dialog box.
11. Close the Group Policy Management Editor.
12. **Link** the GPO to the Organizational Unit (OU) containing the user accounts or computer accounts you want the policy to apply to.
13. **Force a Group Policy update** (`gpupdate /force`) on the target computers or have users log off and back on for the policy to take effect.

*Reference Information Used:* In Group Policy Management Editor, navigate to Computer Configuration - Windows Settings - Security Settings - File System. Right click on the File System folder, then select "Add File or Folder", enter the path of the network shared folder you want to deny access to in the dialog box, and then click "OK".

## How This Method Works

Applying File System security settings through Group Policy modifies the Access Control List (ACL) of the specified folder *on the computer where the policy is applied*. If you want to deny access to a shared folder hosted on a server, you would link this GPO to the OU containing the server object and specify the *local path* of the shared folder on that server. When the server processes the GPO, it applies the configured NTFS permissions to that local folder, which in turn affects access via the network share.

Using "Deny" permissions should be done cautiously as they override "Allow" permissions.

## Key Considerations

*   **Scope:** Ensure the GPO is linked to the correct OU containing the computers (e.g., file servers) where the folders reside or the users who should be denied access, depending on how you configure the permissions.
*   **Permissions:** Deny permissions always take precedence over Allow permissions. Be precise about which users or groups you are denying access to.
*   **Path:** Use the local path to the shared folder on the machine hosting the share when configuring the GPO.
*   **Testing:** Always test policy changes in a pilot environment before deploying to production.

By configuring File System security settings via Group Policy, you can effectively control access to specific shared resources, achieving a similar outcome to "disabling" them for certain users or groups.