{"id":3837,"date":"2012-06-22T12:41:55","date_gmt":"2012-06-22T10:41:55","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=3837"},"modified":"2012-06-22T12:44:40","modified_gmt":"2012-06-22T10:44:40","slug":"how-to-enable-administrative-shares-for-local-accounts","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/how-to-enable-administrative-shares-for-local-accounts\/","title":{"rendered":"How to enable administrative shares for local accounts"},"content":{"rendered":"<p>If you enabled <em>file and printer sharing<\/em> in Windows you can access shared folders from a remote machine. By default Windows shares administrative folders like IPC$, Admin$, C$ (and all other disks) for administrative purposes. <\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/share2.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-right-width: 0px; margin: 0px 0px 0px 5px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px\" title=\"\" border=\"0\" alt=\"\" align=\"right\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/share2_thumb.jpg\" width=\"154\" height=\"86\" \/><\/a>Since Windows XP you need to enable access to these folders if you want to access them with a local account (like Administrator). Domain accounts with administrative permissions on the system are always allowed to access the administrative shares.<\/p>\n<p><!--more--><\/p>\n<h2>Windows XP<\/h2>\n<p>When you access a non-domain joined Windows XP machine all local accounts authenticated via a network logon are treated as the Guest account. 
This means that even when you authenticate with an administrative account, access to the administrative share is denied.<\/p>\n<p>The security policy \u201c<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc786449(v=ws.10).aspx\">Network access: Sharing and security model for local accounts<\/a>\u201d (found in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options) has two models:<\/p>\n<ul>\n<li>Classic: Local users authenticate as themselves. <\/li>\n<li>Guest only: Local users authenticate as Guest. <\/li>\n<\/ul>\n<p>By setting the policy to Classic (pre Windows XP) you\u2019re able to access the administrative share.   <br clear=\"all\" \/><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/GPO-Guest.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-right-width: 0px; margin: 0px 5px 0px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px\" title=\"\" border=\"0\" alt=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/GPO-Guest_thumb.png\" width=\"79\" height=\"94\" \/><\/a><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/GPO-Classic.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-right-width: 0px; margin: 0px 5px 0px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px\" title=\"\" border=\"0\" alt=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/GPO-Classic_thumb.png\" width=\"79\" height=\"94\" \/><\/a>    <br clear=\"all\" \/><\/p>\n<h4>Registry key<\/h4>\n<pre>Key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\forceguest \nType: DWORD (32-bit) Value \nValue: \n0 \u2013 Classic\n1 \u2013 Guest only<\/pre>\n<h4>&#160;<\/h4>\n<h4>Symptoms<\/h4>\n<p>When you try to 
access the network computer with a local account with administrative permissions, you receive an error message that resembles the following:<\/p>\n<pre>xxxxxxx is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have permissions. \nLogon failure: unknown user name or bad password<\/pre>\n<h2>&#160;<\/h2>\n<h2>Windows Vista \/ Windows 7 \/ Windows 8<\/h2>\n<p>In Windows Vista \/ Windows 7 \/ Windows 8 a similar technique is used to prevent remote access with a local account. Instead of authenticating users as Guest (as with Windows XP) the <a href=\"https:\/\/support.microsoft.com\/kb\/951016\/en-us\">User Account Control (UAC)&#160; remote restriction<\/a> filters the administrative groups from the token, preventing the user from accessing the administrative shares.<\/p>\n<p>Disabling the UAC remote restrictions is done with a registry key. After applying the remote registry I found it necessary to reboot the machine (although some articles say otherwise).<\/p>\n<pre>Key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\LocalAccountTokenFilterPolicy \nType: DWORD (32-bit) Value \nValue: \n0 - build filtered token (Remote UAC enabled)\n1 - build elevated token (Remote UAC disabled)<\/pre>\n<p>&#160;<\/p>\n<h4>Symptoms<\/h4>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/Windows-Security_2012-06-20_09-42-53.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-right-width: 0px; margin: 0px 0px 0px 5px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px\" title=\"\" border=\"0\" alt=\"\" align=\"right\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2012\/06\/Windows-Security_2012-06-20_09-42-53_thumb.png\" width=\"154\" height=\"104\" \/><\/a>When you try to access the 
network computer with a local account with administrative permissions, you receive a dialog that resembles the following:<\/p>\n<pre>Enter Network Password\nEnter your password to connect to: xxx.xxx.xxx.xxx\n\n(x) Access is denied<\/pre>","protected":false},"excerpt":{"rendered":"<p>If you enabled file and printer sharing in Windows you can access shared folders from a remote machine. By default Windows shares administrative folders like IPC$, Admin$, C$ (and all other disks) for administrative purposes. Since Windows XP you need to enable access to these folders if you want to access them with a local account [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[292],"tags":[460,461,462,670],"class_list":["post-3837","post","type-post","status-publish","format-standard","hentry","category-no-category","tag-administrative-share","tag-local-account","tag-uac","tag-windows"],"_links":{"self":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/3837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/comments?post=3837"}],"version-history":[{"count":6,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/3837\/revisions"}],"predecessor-version":[{"id":3843,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/3837\/revisions\/3843"}
],"wp:attachment":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/media?parent=3837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/categories?post=3837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/tags?post=3837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}