When:
1) UAC is off, and
2) a folder is network shared with Administrators read-only privilege, and
3) share mode is classic: local users authenticate as themselves,
– it can be accessed from another computer after inputting the admin ID/password.
But when UAC is on, this access is denied despite correct ID/password input. The error message is “\\mypcname\sharename is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Access is denied.” Even when I try to access the shared folder locally, the access is denied.
I suppose UAC may change authenticated admin privilege to least privileged account and so this least privileged account may fail to access the shared folder with admin privilege. If the shared folder has Everyone privilege, there is no problem.
When accessing a network share or resource on a Vista machine, authenticating with an administrator account local to that Vista machine does NOT give you administrator privileges. This is a security feature of Windows Vista. Only domain-level administrators can remotely access a Vista computer’s network resources with administrator privileges.
To disable this feature, you can change the following registry settings on the Vista machine(s) [insert standard registry editing disclaimer here]:
In:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
Create DWORD value named:
LocalAccountTokenFilterPolicy
With value: 1
UAC and Remote logon
Just noticed that there is a solid document on UAC here.
It mentions the following:
“When a user with an administrator account in a Windows Vista computer’s local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively log on to the computer to be administered.”
We came across an interesting manifestation of this when using the “net use” command to connect to an admin share on a Vista machine (MachineV for now) from an XP machine (MachineX). Both machines were in separate unrelated domains. When using “net use m: \\MachineV\c$ * /user:MachineA\Abby” from MachineX (where Abby is member of the administrators group on MachineV) we got an error 5 or Access Denied. So apparently when the SAM account Abby was logged on to MachineV, we got the filtered token. If Abby were a domain account and both machines were in the same domain, I would be able to connect to the admin share c$.
There is however a UAC flag in the registry that allows you to toggle this behavior for local accounts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.
0 – build filtered token (Remote UAC enabled)
1 – build elevated token (Remote UAC disabled)
If you set the DWORD entry to 1, you will be able to connect to the admin share since the remote login is not filtered.
Obviously this is not restricted to “net use” but applies to all variations of remote account logins.
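As an added example (not code from either post above), the following PowerShell script audits the LocalAccountTokenFilterPolicy value discussed here, explains the effective behaviour (a missing value acts like 0), and offers a function to put a machine back on the default filtered-token setting; the function and variable names are my own.

```powershell
# Added example: audit and optionally reset the Remote UAC token-filter setting.
# Not part of the original posts; names below are assumptions.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacStatus {
    # Reads the value and reports how remote logons by local SAM admin accounts
    # are treated. A missing value behaves like 0: the filtered token is built.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { $null } else { $item.$ValueName }
    $effective = if ($raw -eq 1) { 1 } else { 0 }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ValuePresent     = ($null -ne $raw)
        RawValue         = $raw
        TokenFilteringOn = ($effective -eq 0)   # Remote UAC enabled (default)
        Interpretation   = if ($effective -eq 0) {
            'Remote logons by local admin accounts get a filtered token (Remote UAC enabled)'
        } else {
            'Remote logons by local admin accounts get a full elevated token (Remote UAC disabled)'
        }
    }
}

function Restore-RemoteUacDefault {
    # Sets the DWORD back to 0 (filtered token). Needs an elevated prompt;
    # supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", 'Set DWORD to 0')) {
        if (-not (Test-Path $RegPath)) {
            New-Item -Path $RegPath -Force | Out-Null
        }
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }
}

# Usage: report the current state and flag machines where the filter is off.
$status = Get-RemoteUacStatus
$status | Format-List
if (-not $status.TokenFilteringOn) {
    Write-Warning "Remote UAC is disabled on $($status.Computer); run Restore-RemoteUacDefault to re-enable it."
}
```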