Cannot access ADMIN$ Share on NON-Domain joined PC

If you are attempting to access (either with PDQ Inventory or PDQ Deploy) a Windows 7, Windows 8, Vista or Server 2008 computer you may get  the “Access Denied – Failed to connect to ADMIN$ share” error , even when supplying the appropriate local user credentials that have Administrator access. If the target computer is not a member of a Windows 2003 or later Domain then this is most likely because the target system has Remote UAC enabled. Remote UAC prevents local administrative accounts from accessing ADMIN$. (more appropriately Remote UAC prevents local accounts from running in an elevated mode when connecting from the network) If you need to be able to access the ADMIN$ using a local account then you will need to disable Remote UAC. You can accomplish this by editing the registry.

Assuming you have all your other ducks in a row (Firewall exceptions, appropriate credentials of local administrative user, etc) then you just need to add a quick entry in the registry of the target computer. In the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

A reboot will be necessary (actually you can just restart the Server service but a reboot is ideal). See image.

regadminshare

* By default, when local credentials are used to access a Windows Vista (or later) system that is a member of a Windows Domain this problem does not exist. Your Windows domain may still disable Remote UAC.

** By default Remote administrative access is denied to local accounts when a Windows Vista (or later OS) is NOT a member of a Windows 2003 or later domain.

Advertisements

2 Comments

Leave a Comment

  1. Thanks for posting this! Have never run into it before, but one of my home computers was behaving this way and it was about to drive me to drink. Turns out I had joined a domain at work to install some stuff, then left the domain, perhaps that caused it. Anyway, you saved my sanity!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s