- Author and member of the year 2019 – Why DevOps still doesn't rule the IT world - Wed, Jan 1 2020
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
This message is a bit misleading because, by default, there is no such network password. However, in this post, I will explain how you can “create” this password and describe two other ways to access Admin Shares on standalone machines.
Access denied admin share
Traditionally, Administrative Shares have been a favorite Windows feature of hackers and crackers. And, as everyone knows, the best way to improve security is to give in to hackers and terrorists by restricting the freedom to move for everyone. Thus, even if you have an account with administrative rights, Windows will deny access to Admin Shares by default.
Access to Admin Shares is often required to remotely administer computers. That’s why they are called Administrative Shares. In a corporate environment, it might make sense to get your administrative privileges back.
Map Admin Shares with the built-in administrator account ^
The network password that I referred to above is the password of the built-in administrator account, which is disabled by default in Windows 8. A while back, I outlined two methods for enabling the built-in administrator account if you have no other administrator account. Here I assume that you have another account with admin privileges. To enable the administrator account, you just have to launch a command prompt with administrator privileges and then type net user administrator /active:yes.
If you now try to connect to an Admin Share with the user name “administrator,” you will receive the error message “Login error: user account restriction. Possible reasons are blank passwords not allowed,…” Yup, we have to create the ominous network password that I mentioned above.
Login failure - user account restriction blank password
Open the Control Panel, click User Account and Family Safety (“family safety”—funny, isn’t it?), click User Accounts, and then Manage Accounts. You should see the local Administrator now, and you can set a password.
Create the network password for local Administrator account
You can now access Administrative Shares remotely with the built-in Administrator account.
LocalAccountTokenFilterPolicy – UAC remote restrictions ^
The reason why access is denied if you try to access an Admin Share with an account with administrator privileges is User Account Control (UAC). For the built-in administrator account, UAC prompts are disabled by default. That is why the above described procedure works. If you don’t want to enable the built-in administrator for security reasons, you can disable the UAC remote restrictions with the LocalAccountTokenFilterPolicy Registry setting. Note that this will also enable other remote management features, such as the ability to remotely connect through the Computer Management console.
To get rid of the Access Denied message, follow this procedure:
- Launch the Registry editor by typing regedit.exe in the Start Screen.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
- Create a new entry by right-clicking System and then selecting DWORD (32-bit) Value.
- Choose LocalAccountTokenFilterPolicy as name for the new entry.
- Set the value of LocalAccountTokenFilterPolicy to 1 by right-clicking the new entry.
Disable UAC Admin Approval mode ^
Another way to access Administrative Shares is to disable the Admin Approval mode for all administrator accounts. Note that this setting not only removes the remote UAC restrictions as described above, but it also affects UAC for logged-on administrator accounts.
Note: Disabling UAC Admin Approval mode will also disable the Windows Store app.
- Launch Control Panel, type admin… in the search box, and then click Administrative Tools.
- Open the Local Security Policy application.
- Navigate to Local Policies > Security Options.
- Disable the policy User Account Control: Run all administrators in Admin Approval Mode.
Disable UAC Admin Approval mode
From now on, the Access Denied message will disappear if you try to access an Administrative Share with a local account in the administrators group.
Please let me know if you know another method. I am a how-to collector. 🙂