to Admin Shares may be required to remotely administer the device,
deploy software, and this section covers two suggestion when an Access
Denied message is returned when attempting to connect to the admin
share on a workgroup computer.
Local Administrator account Remote Restrictions
are two access tokens assigned to accounts in the local Administrator
group, standard user and administrator. When actions are performed
under an administrator account, UAC access filtering will automatically
run this under the standard user token unless specified to run as an
Administrator in elevated privileges mode (or if using the in-built
administrator account as above). Please note that where the computer is
part of a domain UAC access control filtering will not affect any
actions performed by a domain administrator account, although if using
a local non-domain administrator account UAC access filtering will
again run this under the standard user token.
When using a local administrator account (apart from the in-built administrator account) the LocalAccountTokenFilterPolicy registry entry may be created to disable UAC remote restrictions.
Log into the target device
Open the Registry Editor (Start/Run/regedit)
the Registry. As changes are immediately applied with no automatic
backup, in line with best practice we suggest backing up the Windows
registry before amending the registry.
The required steps are covered in the Windows Microsoft Technet article How to back up and restore the registry
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
If the LocalAccountTokenFilterPolicy does not exist the key must be created:
Right-click on System Select then right-click on LocalAccountTokenFilterPolicy
From the context menu choose New, DWORD (32-bit) Value
Enter LocalAccountTokenFilterPolicy as Value Data
Set the Value Data to 1
OK to save changes
Exit out of the Registry Editor
this change, remote connections to the Admin Share using a local
account in the administrators group are accepted and will not generate
an Access Denied message.
Use the built-in administrative account
built-in administrator account provides full unrestricted access rights
and permissions on the computer, as this runs in an elevated state it
is not prompted by User Access Control (UAC) to provide confirmation of
any changes. Depending on the version of Windows the built-in
administrator account is disabled by default.
Login to the target device
To enable the administrator account, launch an elevated command prompt (Start, Run, cmd right-click cmd.exe in the returned results and Run as administrator) then enter:
net user administrator /active:yes
created the administrator account without a password, so it cannot be
used to access the network share, and the next step is to create a
password for this administrative account.
In Local Users and Groups, (Start, Run, lusrmgt.msc) expand Users and right-click on Administrator (Built-in account for administering the computer/domain) and Set Password
To confirm these changes, log off of the computer then log back in using the Administrator account.
If this was successful the the Admin Shares will become remotely accessible when using the built-in Administrator account.
the in-built administrator account provides unrestricted access to the
computer, as such it is advisable not to leave this always enabled or
use for everyday tasks.
To disable this account simply open an elevated command prompt then enter:
net user administrator /active:no