Access denied to Administrative (Admin) shares in Windows 8

Access denied is what you get when you try to map a remote drive by connecting to the Admin share with \\computername\<drive letter>\$ on a workgroup computer. To connect to drive C: on a remote computer, you would map to \\computer\c$. Whereas this works fine for Active Directory domain members, a popup window will appear with the error message “Enter Network Password.”
Profile gravatar of Michael Pietroforte

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.
Profile gravatar of Michael Pietroforte

This message is a bit misleading because, by default, there is no such network password. However, in this post, I will explain how you can “create” this password and describe two other ways to access Admin Shares on standalone machines.

Access denied admin share

Access denied admin share

Traditionally, Administrative Shares have been a favorite Windows feature of hackers and crackers. And, as everyone knows, the best way to improve security is to give in to hackers and terrorists by restricting the freedom to move for everyone. Thus, even if you have an account with administrative rights, Windows will deny access to Admin Shares by default.

Access to Admin Shares is often required to remotely administer computers. That’s why they are called Administrative Shares. In a corporate environment, it might make sense to get your administrative privileges back.

Map Admin Shares with the built-in administrator account ^

The network password that I referred to above is the password of the built-in administrator account, which is disabled by default in Windows 8. A while back, I outlined two methods for enabling the built-in administrator account if you have no other administrator account. Here I assume that you have another account with admin privileges. To enable the administrator account, you just have to launch a command prompt with administrator privileges and then type net user administrator /active:yes.

If you now try to connect to an Admin Share with the user name “administrator,” you will receive the error message “Login error: user account restriction. Possible reasons are blank passwords not allowed,… Yup, we have to create the ominous network password that I mentioned above.

Login failure - user account restriction blank password

Login failure - user account restriction blank password

Open the Control Panel, click User Account and Family Safety (“family safety”—funny, isn’t it?), click User Accounts, and then Manage Accounts. You should see the local Administrator now, and you can set a password.

Create a network password for local Administrator account

Create the network password for local Administrator account

You can now access Administrative Shares remotely with the built-in Administrator account.

LocalAccountTokenFilterPolicy – UAC remote restrictions ^

The reason why access is denied if you try to access an Admin Share with an account with administrator privileges is User Account Control (UAC). For the built-in administrator account, UAC prompts are disabled by default. That is why the above described procedure works. If you don’t want to enable the built-in administrator for security reasons, you can disable the UAC remote restrictions with the LocalAccountTokenFilterPolicy Registry setting. Note that this will also enable other remote management features, such as the ability to remotely connect through the Computer Management console.

To get rid of the Access Denied message, follow this procedure:

  1. Launch the Registry editor by typing regedit.exe in the Start Screen.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Create a new entry by right-clicking System and then selecting DWORD (32-bit) Value.
  4. Choose LocalAccountTokenFilterPolicy as name for the new entry.
  5. Set the value of LocalAccountTokenFilterPolicy to 1 by right-clicking the new entry.

LocalAccountTokenFilterPolicy

LocalAccountTokenFilterPolicy

Disable UAC Admin Approval mode ^

Another way to access Administrative Shares is to disable the Admin Approval mode for all administrator accounts. Note that this setting not only removes the remote UAC restrictions as described above, but it also affects UAC for logged-on administrator accounts.

Note: Disabling UAC Admin Approval mode will also disable the Windows Store app.

  1. Launch Control Panel, type admin… in the search box, and then click Administrative Tools.
  2. Open the Local Security Policy application.
  3. Navigate to Local Policies > Security Options.
  4. Disable the policy User Account Control: Run all administrators in Admin Approval Mode.

Disable UAC Admin Approval mode

Disable UAC Admin Approval mode

From now on, the Access Denied message will disappear if you try to access an Administrative Share with a local account in the administrators group.

Please let me know if you know another method. I am a how-to collector. 🙂

Also read: Public Folder sharing, network discovery, and password-protected sharing

Related Posts

14 Comments
  1. avatar
    Nico 3 years ago

    If any local user has a password, i use this:
    op dosprompt
    net use \\ /user:
    then i do \\\c$ from start->run

    0
  2. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 3 years ago

    Oh yes, you can set the password faster on the command prompt. Thanks for the hint. It is just that I bought this new Logitech touch mouse a few days ago and now I enjoy "click-click" even more. 😉

    0
  3. avatar
    Alan 3 years ago

    Using the "Disable UAC Admin Approval mode" method appears to disable the ability to run the Windows 8 Microsoft "Store" application. The application reports that UAC is disabled and must be re-enabled to launch Store.
    Using the "LocalAccountTokenFilterPolicy – UAC remote restrictions" method above removes the "Access is denied" message and doesn't disable the Store application.

    0
  4. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 3 years ago

    Alan, thanks for the hint. I added a note to the article.

    0
  5. avatar
    Sandeep 2 years ago

    I am trying to do the regedit method in windows 8.1 (64bit) but it keeps on asking the username and password. Is there any other work around for windows 8.1 environment?

    0
  6. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 2 years ago

    Sandeep. Do you also get the prompts if you disable the UAC policy?

    0
  7. avatar
    TanMan 2 years ago

    I installed Windows 8.1 x64 with the other computers still running Windows 7 x64, and I had to change the UAC policy before I could connect using a common user ID/pwd that has local administrator. Changing LocalAccountTokenFilterPolicy was not sufficient, like it was in Vista and Windows 7. And FYI, it's not necessary to use the policy editor to change the UAC Run All Administrators setting. The registry entry is in the same branch as LocalAccountTokenFilterPolicy (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and it's called EnableLUA. Set it to 0 to disable.

    0
  8. avatar
    Chintz 1 year ago

    Hi,

    I am having a different concern. In my office using of /c$ has been restricted. Now if i am trying to access any PC that is connected in the network, it first asks for username and password for the pc that i am trying to access. As i have the this data, i enter username and password. It does accepts and gets in. But then if i am using /c$ (like, \\PCNAME\c$) then it is not accessible. It says that not connected in network or sometimes gives "Cannot Access Network Share - Get Unspecified Error 0x80004005" error.

    Can you please help me with this.

    Thanking you.

    0
  9. avatar
    MATHISH 1 year ago

    HI

    ive made 2 accounts one is administrator and the other is not administrator i couldnt do anything that was in this paige because it come ACESS DENIED YOU HAVE NO PERMISSION can u please give me answer!

    0
  10. avatar
    Jeevanram hansdah 7 months ago

    when ever i install any software it ask me To continue, type  an administrator password and click yes. so what  to do then?

    0
  11. avatar
    Amirhossein 5 months ago

    Thank for mentioning, I was looking for it a long time now.

    The registry key you mentioned, is a hidden policy called "SCM: Pass the Hash Mitigations\Apply UAC restrictions to local accounts on network logon" and it's description describes the reason:

    "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems.  Enabling this policy significantly reduces that risk."

    It can be activated in group policy by installing Microsoft SCM (Security Compliance Manager) security baseline bundle.

    You can find the connection between each registry key and it's respective policy, in an excel worksheet located under documentation folder.

    Regards

    0
  12. avatar
    Don Airey 5 months ago

    Many thanks.  Worked on this for two hours before I found this post.  It did the job.

    0
  13. avatar
    Cosmin 2 months ago

    After searching hours on the web for this issue, now found the solution, thank you so much. One question though: so, I am connecting to the administrative share using the builtin Administrator account or now with the solution provided, any admin account. Win10 to Win7. The first time I am connecting to the Win7 administrative share, I am prompted for the username and password but the next time, I am no longer asked for any security and get straight in. I have no homegroup. Default workgroup, no domain computers. Network and Sharing Center Advanced sharing settings are as follows: Private (current profile) - Turn on network discovery, Turn on file and printer sharing. All networks - Use 128-bit encryption, Turn on password protected sharing.

    This behaviour is alive until I restart the Win7 machine and will be reproduced again as described above. Is this normal?

    0
    • Profile gravatar of Michael Pietroforte Author
      Michael Pietroforte 2 months ago

      Yes, this is normal. Windows caches your credentials until you sign out. It would be quite a hassle if you had to authenticate every time you access a network share.

      0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2016

Log in with your credentials

or    

Forgot your details?

Create Account