
Can't access ADMIN$ share using a local user account

Shane Corellian
posted this on December 30, 2011 09:52

If you are attempting to access a Windows 7, Windows 8, Vista or Server 2008 computer (with either PDQ Inventory or PDQ Deploy), you may get the "Access Denied - Failed to connect to ADMIN$ share" error, even when supplying appropriate local user credentials that have Administrator access. If the target computer is not a member of a Windows 2003 or later domain, this is most likely because the target system has Remote UAC enabled. Remote UAC prevents local administrative accounts from accessing ADMIN$ (more precisely, Remote UAC prevents local accounts from running in an elevated mode when connecting from the network). If you need to access ADMIN$ using a local account, you will need to disable Remote UAC. You can accomplish this by editing the registry.

Assuming you have all your other ducks in a row (firewall exceptions, appropriate credentials of a local administrative user, etc.), you just need to add a quick entry in the registry of the target computer. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

A reboot will be necessary (actually, you can just restart the Server service, but a reboot is ideal). See image.

LocalAccountTokenFilterPolicy.png
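
The registry change and Server service restart described above can be scripted. The following is an added example, not a PDQ script: it assumes an elevated Windows PowerShell session on the target computer, and the `-Revert` switch is a hypothetical addition that removes the value again, which restores the default Remote UAC behavior.

```powershell
# Added example, not PDQ's script. Run elevated in Windows PowerShell on the target.
param(
    [switch]$Revert   # hypothetical switch: remove the value, restoring default Remote UAC
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

# Writing under HKLM and restarting a service both need an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# The article's case is a computer that is not a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "Joined to '$($cs.Domain)'; by default this problem does not exist on domain members."
}

# An absent value means Remote UAC is filtering local administrator tokens.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown = if ($null -eq $current) { '<not set>' } else { $current }
Write-Host "$name before: $shown"

$changed = $false
if ($Revert) {
    if ($null -ne $current) {
        Remove-ItemProperty -Path $key -Name $name
        $changed = $true
    }
} elseif ($current -ne 1) {
    # -Force overwrites an existing value that has different data or type.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    $changed = $true
}

if ($changed) {
    # Per the article: restarting the Server service is enough, a reboot is ideal.
    Restart-Service -Name LanmanServer -Force
    Write-Host "$name updated and the Server service restarted; reboot when convenient."
} else {
    Write-Host 'No change needed.'
}
```

Because the script prints the value it found before changing anything, the output also serves as a record of which machines had Remote UAC disabled before the deployment.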

* By default, when local credentials are used to access a Windows Vista (or later) system that is a member of a Windows domain, this problem does not exist. Your Windows domain may still disable Remote UAC.

** By default, remote administrative access is denied to local accounts when a Windows Vista (or later OS) computer is NOT a member of a Windows 2003 or later domain.

Further reading:

http://support.microsoft.com/kb/942817

http://support.microsoft.com/kb/951016