- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
This message is a bit misleading because, by default, there is no such network password. However, in this post, I will explain how you can “create” this password and describe two other ways to access Admin Shares on standalone machines.
Access denied admin share
Traditionally, Administrative Shares have been a favorite Windows feature of hackers and crackers. And, as everyone knows, the best way to improve security is to give in to hackers and terrorists by restricting the freedom to move for everyone. Thus, even if you have an account with administrative rights, Windows will deny access to Admin Shares by default.
Access to Admin Shares is often required to remotely administer computers. That’s why they are called Administrative Shares. In a corporate environment, it might make sense to get your administrative privileges back.
Map Admin Shares with the built-in administrator account
The network password that I referred to above is the password of the built-in administrator account, which is disabled by default in Windows 8. A while back, I outlined two methods for enabling the built-in administrator account if you have no other administrator account. Here I assume that you have another account with admin privileges. To enable the administrator account, you just have to launch a command prompt with administrator privileges and then type net user administrator /active:yes.
If you now try to connect to an Admin Share with the user name “administrator,” you will receive the error message “Login error: user account restriction. Possible reasons are blank passwords not allowed,…” Yup, we have to create the ominous network password that I mentioned above.
Login failure - user account restriction blank password
Open the Control Panel, click User Account and Family Safety (“family safety”—funny, isn’t it?), click User Accounts, and then Manage Accounts. You should see the local Administrator now, and you can set a password.
Create the network password for local Administrator account
You can now access Administrative Shares remotely with the built-in Administrator account.
LocalAccountTokenFilterPolicy – UAC remote restrictions
The reason why access is denied if you try to access an Admin Share with an account with administrator privileges is User Account Control (UAC). For the built-in administrator account, UAC prompts are disabled by default. That is why the above described procedure works. If you don’t want to enable the built-in administrator for security reasons, you can disable the UAC remote restrictions with the LocalAccountTokenFilterPolicy Registry setting. Note that this will also enable other remote management features, such as the ability to remotely connect through the Computer Management console.
To get rid of the Access Denied message, follow this procedure:
- Launch the Registry editor by typing regedit.exe in the Start Screen.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
- Create a new entry by right-clicking System and then selecting DWORD (32-bit) Value.
- Choose LocalAccountTokenFilterPolicy as name for the new entry.
- Set the value of LocalAccountTokenFilterPolicy to 1 by right-clicking the new entry.
LocalAccountTokenFilterPolicy
Disable UAC Admin Approval mode
Another way to access Administrative Shares is to disable the Admin Approval mode for all administrator accounts. Note that this setting not only removes the remote UAC restrictions as described above, but it also affects UAC for logged-on administrator accounts.
Note: Disabling UAC Admin Approval mode will also disable the Windows Store app.
- Launch Control Panel, type admin… in the search box, and then click Administrative Tools.
- Open the Local Security Policy application.
- Navigate to Local Policies > Security Options.
- Disable the policy User Account Control: Run all administrators in Admin Approval Mode.
Disable UAC Admin Approval mode
From now on, the Access Denied message will disappear if you try to access an Administrative Share with a local account in the administrators group.
Please let me know if you know another method. I am a how-to collector. 🙂
Also read: Public Folder sharing, network discovery, and password-protected sharing
If any local user has a password, i use this:
op dosprompt
net use \\ /user:
then i do \\\c$ from start->run
Oh yes, you can set the password faster on the command prompt. Thanks for the hint. It is just that I bought this new Logitech touch mouse a few days ago and now I enjoy “click-click” even more. 😉
Using the “Disable UAC Admin Approval mode” method appears to disable the ability to run the Windows 8 Microsoft “Store” application. The application reports that UAC is disabled and must be re-enabled to launch Store.
Using the “LocalAccountTokenFilterPolicy – UAC remote restrictions” method above removes the “Access is denied” message and doesn’t disable the Store application.
Alan, thanks for the hint. I added a note to the article.
I am trying to do the regedit method in windows 8.1 (64bit) but it keeps on asking the username and password. Is there any other work around for windows 8.1 environment?
Sandeep. Do you also get the prompts if you disable the UAC policy?
I installed Windows 8.1 x64 with the other computers still running Windows 7 x64, and I had to change the UAC policy before I could connect using a common user ID/pwd that has local administrator. Changing LocalAccountTokenFilterPolicy was not sufficient, like it was in Vista and Windows 7. And FYI, it’s not necessary to use the policy editor to change the UAC Run All Administrators setting. The registry entry is in the same branch as LocalAccountTokenFilterPolicy (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and it’s called EnableLUA. Set it to 0 to disable.
Hi,
I am having a different concern. In my office using of /c$ has been restricted. Now if i am trying to access any PC that is connected in the network, it first asks for username and password for the pc that i am trying to access. As i have the this data, i enter username and password. It does accepts and gets in. But then if i am using /c$ (like, \\PCNAME\c$) then it is not accessible. It says that not connected in network or sometimes gives “Cannot Access Network Share – Get Unspecified Error 0x80004005” error.
Can you please help me with this.
Thanking you.
HI
ive made 2 accounts one is administrator and the other is not administrator i couldnt do anything that was in this paige because it come ACESS DENIED YOU HAVE NO PERMISSION can u please give me answer!
when ever i install any software it ask me To continue, type an administrator password and click yes. so what to do then?
Thank for mentioning, I was looking for it a long time now.
The registry key you mentioned, is a hidden policy called “SCM: Pass the Hash Mitigations\Apply UAC restrictions to local accounts on network logon” and it’s description describes the reason:
“This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk.”
It can be activated in group policy by installing Microsoft SCM (Security Compliance Manager) security baseline bundle.
You can find the connection between each registry key and it’s respective policy, in an excel worksheet located under documentation folder.
Regards
Many thanks. Worked on this for two hours before I found this post. It did the job.
After searching hours on the web for this issue, now found the solution, thank you so much. One question though: so, I am connecting to the administrative share using the builtin Administrator account or now with the solution provided, any admin account. Win10 to Win7. The first time I am connecting to the Win7 administrative share, I am prompted for the username and password but the next time, I am no longer asked for any security and get straight in. I have no homegroup. Default workgroup, no domain computers. Network and Sharing Center Advanced sharing settings are as follows: Private (current profile) – Turn on network discovery, Turn on file and printer sharing. All networks – Use 128-bit encryption, Turn on password protected sharing.
This behaviour is alive until I restart the Win7 machine and will be reproduced again as described above. Is this normal?
Yes, this is normal. Windows caches your credentials until you sign out. It would be quite a hassle if you had to authenticate every time you access a network share.
Thanks, Awesome