Access denied to Administrative (Admin) shares in Windows 8

Access denied is what you get when you try to map a remote drive by connecting to the Admin share with \\computername\<drive letter>\$ on a workgroup computer. To connect to drive C: on a remote computer, you would map to \\computer\c$. Whereas this works fine for Active Directory domain members, a popup window will appear with the error message “Enter Network Password.”

Michael PietroforteMVP By Michael Pietroforte - Wed, July 10, 2013 - 4 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

This message is a bit misleading because, by default, there is no such network password. However, in this post, I will explain how you can “create” this password and describe two other ways to access Admin Shares on standalone machines.

Access denied admin share

Access denied admin share

Traditionally, Administrative Shares have been a favorite Windows feature of hackers and crackers. And, as everyone knows, the best way to improve security is to give in to hackers and terrorists by restricting the freedom to move for everyone. Thus, even if you have an account with administrative rights, Windows will deny access to Admin Shares by default.

Access to Admin Shares is often required to remotely administer computers. That’s why they are called Administrative Shares. In a corporate environment, it might make sense to get your administrative privileges back.

Map Admin Shares with the built-in administrator account

The network password that I referred to above is the password of the built-in administrator account, which is disabled by default in Windows 8. A while back, I outlined two methods for enabling the built-in administrator account if you have no other administrator account. Here I assume that you have another account with admin privileges. To enable the administrator account, you just have to launch a command prompt with administrator privileges and then type net user administrator /active:yes.

If you now try to connect to an Admin Share with the user name “administrator,” you will receive the error message “Login error: user account restriction. Possible reasons are blank passwords not allowed,… Yup, we have to create the ominous network password that I mentioned above.

Login failure - user account restriction blank password

Login failure – user account restriction blank password

Open the Control Panel, click User Account and Family Safety (“family safety”—funny, isn’t it?), click User Accounts, and then Manage Accounts. You should see the local Administrator now, and you can set a password.

Create a network password for local Administrator account

Create the network password for local Administrator account

You can now access Administrative Shares remotely with the built-in Administrator account.

LocalAccountTokenFilterPolicy – UAC remote restrictions

The reason why access is denied if you try to access an Admin Share with an account with administrator privileges is User Account Control (UAC). For the built-in administrator account, UAC prompts are disabled by default. That is why the above described procedure works. If you don’t want to enable the built-in administrator for security reasons, you can disable the UAC remote restrictions with the LocalAccountTokenFilterPolicy Registry setting. Note that this will also enable other remote management features, such as the ability to remotely connect through the Computer Management console.

To get rid of the Access Denied message, follow this procedure:

  1. Launch the Registry editor by typing regedit.exe in the Start Screen.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Create a new entry by right-clicking System and then selecting DWORD (32-bit) Value.
  4. Choose LocalAccountTokenFilterPolicy as name for the new entry.
  5. Set the value of LocalAccountTokenFilterPolicy to 1 by right-clicking the new entry.

LocalAccountTokenFilterPolicy

LocalAccountTokenFilterPolicy

Disable UAC Admin Approval mode

Another way to access Administrative Shares is to disable the Admin Approval mode for all administrator accounts. Note that this setting not only removes the remote UAC restrictions as described above, but it also affects UAC for logged-on administrator accounts.

Note: Disabling UAC Admin Approval mode will also disable the Windows Store app.

  1. Launch Control Panel, type admin… in the search box, and then click Administrative Tools.
  2. Open the Local Security Policy application.
  3. Navigate to Local Policies > Security Options.
  4. Disable the policy User Account Control: Run all administrators in Admin Approval Mode.

Disable UAC Admin Approval mode

Disable UAC Admin Approval mode

From now on, the Access Denied message will disappear if you try to access an Administrative Share with a local account in the administrators group.

Please let me know if you know another method. I am a how-to collector. :)

Also read: Public Folder sharing, network discovery, and password-protected sharing

-1+1 - Rate this post
Loading ... Loading ...
Disclaimer
Your question wasn't answered? Please ask in the new 4sysops forum!

4 Comments- Leave a Reply

  1. Nico says:

    If any local user has a password, i use this:
    op dosprompt
    net use \\ /user:
    then i do \\\c$ from start->run

  2. Oh yes, you can set the password faster on the command prompt. Thanks for the hint. It is just that I bought this new Logitech touch mouse a few days ago and now I enjoy “click-click” even more. ;)

  3. Alan says:

    Using the “Disable UAC Admin Approval mode” method appears to disable the ability to run the Windows 8 Microsoft “Store” application. The application reports that UAC is disabled and must be re-enabled to launch Store.
    Using the “LocalAccountTokenFilterPolicy – UAC remote restrictions” method above removes the “Access is denied” message and doesn’t disable the Store application.

  4. Alan, thanks for the hint. I added a note to the article.

Please share your thoughts in a comment!

Login

Lost your password?