17

I have a Windows 2008 Server that I'm trying to connect to the default administrative share

\\servername\c$

I can connect to it using the default Administrator account. But if I try to connect using my user account that is a member of the Administrators group, I can't. What am I missing?

Jeff Atwood
  • 13,104
  • 20
  • 75
  • 92
philcruz
  • 451
  • 1
  • 3
  • 9

4 Answers4

18

Yes, UAC is set up to not allow access to default shares remotely. To enable, create the LocalAccountTokenFilterPolicy DWORD value at this key in the registry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\

0 - build filtered token (Remote UAC enabled)
1 - build elevated token (Remote UAC disabled)

By setting the DWORD entry to 1, you will be able to access the administrative shares since the remote logon token will not be filtered.

This is discussed in this KB article, http://support.microsoft.com/kb/947232. (It's for Vista but it applies to Windows Server 2008 R2)

Snowburnt
  • 775
  • 2
  • 5
  • 18
philcruz
  • 451
  • 1
  • 3
  • 9
  • 1
    we had this problem, but only with Windows Server 2008 R2. Windows Server 2008 did not exhibit this behavior at all, so it is apparently new to 2008 R2 (along with Vista and Windows 7). – Jeff Atwood Jan 03 '10 at 06:41
  • Awesome! Exactly the problem I had w/W2K8R2 in a lab test of doubletake. Thanks! – WaldenL Feb 20 '10 at 01:03
  • I upvoted this answer at least a year ago and I reference this page at least once a month. If only I could upvote it again. – Saul Dolgin Mar 26 '12 at 15:24
  • I would upvote this 4 times if I could. – Kurt Koller Mar 04 '13 at 23:16
  • I know I'm necroing this answer. I just want to mention you can change this setting via local or group policy. I've seen many times people setting this key with a registry-policy instead of group policy. If you choose to change values in the policies regkey do it only locally on the server. – Tom Feb 09 '17 at 09:37
7

You have User Access Control enabled. Disable it and try again.

If UAC is on, then being a member of the local Administrators group DOES NOT give you local administrator privileges.

JR

Re LocalAccountTokenFilterPolicy:

this registry setting does indeed allow all members of the local administrators group to use the admin shares C$, Admin$ etc, on Server 2008.

However if the ACL on a directory is "Administrators: Full control" then members of the local Administrators group (apart from Administrator) still do not have access to the directory even though the ACL grants them access. This is unaffected by the above registry setting.

John Rennie
  • 7,776
  • 1
  • 23
  • 35
  • I suspect it's a UAC issue but I'd prefer to leave it enabled as that is more secure. If being a member of Administrators group does not give me admin privileges (to connect to default shares), what does? – philcruz Jul 10 '09 at 17:25
  • I hadn't come across the LocalAccountTokenFilterPolicy registry setting. I'll have a play with this. In the mean time you can create your own shares at the root of C:, D: and whatever. – John Rennie Jul 11 '09 at 08:40
1

I finally fixed my administrative share access issue. In my case it turned out to be a corrupted relationship between the domain and the PC. To fix it follow these simple steps: - leave the domain and join a workgroup (I used TEMP), you will be required to restart - rejoin the domain, restart required that's it, the trust was re-established and I can now access the PC administrative shares from any other PC/server in the domain.

Manolo
  • 11
  • 1
1

Server 2008 handles things differently than it used to. You can't simply add yourself to the local administrators group on a member server. What I have found out is that you must give the domain admins group full control of the volume in questions and add yourself to the domain admins group. This has absolutely nothing to do with UAC from what I have experienced. I've turned it completely off during testing and still experienced this problem.