Resolve Windows admin shares access errors

The information contained in this article should only be used to troubleshoot an Access Denied message when attempting to connect to the admin share.

Access to Admin Shares may be required to remotely administer the device or deploy software, this section covers two areas to investigate if an Access Denied message is returned when attempting to connect to the admin share on a workgroup computer.

Verify the device’s Admin Share is accessible

Verify the device’s Admin Share is accessible from the Discovery Agent by connecting to the \\TARGET_COMPUTER_NAME\admin$ share on the target system.

If problems are experienced when connecting to the share, verify that:

  • File and Printer Sharing is allowed through the local firewall.
  • Simple file sharing is disabled:
    1. Navigate via Tools > Folder Options > View.
    2. Deselect the Use Sharing Wizard checkbox.
    3. Choose OK to apply.
  • Admin shares are present and are remotely accessible:
    1. Start > compmgmt.msc > Shared Folders > Shares.
    2. Locate ADMIN$.
  • The configured account has the necessary administrative credentials to remotely access the selected computers.
  • The RPC service is running on the target system
    1. Start > services.msc.
    2. Locate Remote Procedure Call (RPC) Service and start it if necessary.

Local Administrator account remote restrictions

Windows assigns two access tokens to local administrator accounts: one for standard user and one for administrator. By default, User Account Control (UAC) filters remote access, running actions under the standard user token unless elevated privileges are explicitly used.

UAC filtering does not affect domain administrator accounts. However, it does apply to local non-domain administrator accounts.

Option A: Disable UAC remote restrictions

When you use a local administrator account other than the built-in Administrator account, the LocalAccountTokenFilterPolicy registry entry may be created to disable UAC remote restrictions.

  1. Log in to the target device.
  2. Open the Registry Editor:
    • Select Start > Run, type regedit, and press Enter.
  3. Back up the registry. See How to back up and restore the registry in Windows.
  4. Navigate to:

    5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  5. If the LocalAccountTokenFilterPolicy does not exist, the key must be created:
    1. Right-click on System.
    2. From the context menu choose New > DWORD (32-bit) Value.
    3. Enter LocalAccountTokenFilterPolicy as Value Data.
  6. Select then right-click on LocalAccountTokenFilterPolicy and choose Modify.
  7. Set the Value Data to 1.
  8. Select OK and exit the Registry Editor.

This change allows remote connections to the admin share using local administrator accounts without triggering Access Denied errors.

Option B: Use the built-in administrative account (Not recommended)

This option is not recommended because it poses security risks. The built-in Administrator account has full access and bypasses User Account Control (UAC). It’s disabled by default and should not be used for routine tasks.

To enable and configure this account:

  1. Open an elevated command prompt:
    • Press Start > Command Prompt > Run as administrator
  2. Enter the command:

    3. net user administrator /active:yes

    This creates the administrator account without a password, so it cannot be used to access the network share. The next step is to create a password for this administrative account.

  3. Set a password for the account:

    1. Open lusrmgr.msc.

    2. Expand Users, right-click Administrator, and select Set Password.

    3. Enter and save the password.

  4. Sign out, then sign in with the built-in Administrator account to verify access.

If this was successful, the Admin Shares will become remotely accessible when using the built-in Administrator account.

  • To disable this account, open an elevated command prompt then enter:

    • net user administrator /active:no

Related articles