Windows: Admin Share - Access Denied

Access to Admin Shares may be required to remotely administer the device, deploy software, and this section covers two suggestion when an Access Denied message is returned when attempting to connect to the admin share on a workgroup computer.

Local Administrator account Remote Restrictions

There are two access tokens assigned to accounts in the local Administrator group, standard user and administrator. When actions are performed under an administrator account, UAC access filtering will automatically run this under the standard user token unless specified to run as an Administrator in elevated privileges mode (or if using the in-built administrator account as above). Please note that where the computer is part of a domain UAC access control filtering will not affect any actions performed by a domain administrator account, although if using a local non-domain administrator account UAC access filtering will again run this under the standard user token.

When using a local administrator account (apart from the in-built administrator account) the LocalAccountTokenFilterPolicy registry entry may be created to disable UAC remote restrictions.

  1. Log into the target device.
  2. Open the Registry Editor (Start > Run > regedit).
  3. Backup the Registry. As changes are immediately applied with no automatic backup, in line with best practice we suggest backing up the Windows registry before amending the registry. The required steps are covered in the Windows Microsoft Technet article How to back up and restore the registry.
  4. Navigate to:

    5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  5. If the LocalAccountTokenFilterPolicy does not exist the key must be created:
    1. Right-click on System.
    2. From the context menu choose New > DWORD (32-bit) Value.
    3. Enter LocalAccountTokenFilterPolicy as Value Data.
  6. Select then right-click on LocalAccountTokenFilterPolicy.
  7. Choose Modify.
  8. Set the Value Data to 1.
  9. Click OK to save changes.
  10. Exit out of the Registry Editor.

After this change, remote connections to the Admin Share using a local account in the administrators group are accepted and will not generate an Access Denied message.

Use the built-in administrative account - Not recommended

The built-in administrator account provides full unrestricted access rights and permissions on the computer, as this runs in an elevated state it is not prompted by User Access Control (UAC) to provide confirmation of any changes. Depending on the version of Windows the built-in administrator account is disabled by default.

  1. Login to the target device.
  2. To enable the administrator account, launch an elevated command prompt (Start, Run, cmd right-click cmd.exe in the returned results and Run as administrator) then enter:

    3. net user administrator /active:yes

    This creates the administrator account without a password, so it cannot be used to access the network share, and the next step is to create a password for this administrative account.

  3. In Local Users and Groups, (Start > Run > lusrmgt.msc) expand Users and right-click on Administrator (Built-in account for administering the computer/domain) and then click Set Password.
  4. To confirm these changes, log off of the computer then log back in using the Administrator account.

If this was successful the Admin Shares will become remotely accessible when using the built-in Administrator account.

Important: the in-built administrator account provides unrestricted access to the computer, as such it is advisable not to leave this always enabled or use for everyday tasks.

  1. To disable this account simply open an elevated command prompt then enter:

    2. net user administrator /active:no