Access Denied Trying to Connect to Administrative Shares C$, D$ etc.

Under certain circumstances you cannot connect to administrative shares (e.g. C$) on remote computers, even though you use the right credentials. Accessing a normal (i.e. non-administrative) share works flawlessly, though.

Problem

In this situation you get the following error when trying to connect to the admin share in Explorer:

This is the message text:

\\192.168.175.129\c$ is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

The message hints at multiple connections, but that is misleading.

When you try to connect to the admin share on the command line, you get a different error message:

C:\>net use \\192.168.175.129\c$ /user:win7-2\admin *
Type the password for \\192.168.175.129\c$:
System error 5 has occurred.
 
Access is denied.

Solution

As described in MS KB article 951916, Microsoft introduced as part of UAC a little known feature called “UAC remote restrictions”. It filters the access token for connections made with local user accounts or Microsoft accounts (the latter typically have the format MicrosoftAccount\EMailAddress). In other words it removes the SID for “Administrators”. Connections made with domain accounts remain unchanged.

From KB951016:

If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.

One may like this or not, the solution is luckily pretty simple. UAC remote restrictions can be disabled by setting the registry value LocalAccountTokenFilterPolicy to 1:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Data: 1 (to disable, 0 enables filtering)
Type: REG_DWORD (32-bit)

After a reboot access tokens from remote connections are not filtered any more. On Windows 8 the reboot is not even required any more.

, ,

15 Responses to Access Denied Trying to Connect to Administrative Shares C$, D$ etc.

  1. George February 10, 2013 at 14:16 #

    I am assuming the UAC reg key is not the case if one admin account (set on both machines) will access the C$ with ease but a newly created admin account on both local and server will toss the access denied prompt. Starting to bug me now and I will probably figure it out come the time anyone responds, but have narrowed it down to a server side error as the local account on the client machine will utilize network level auth to pull remote system info on another machine, but will get the access denied when trying to save that file on the server.

  2. David May 22, 2013 at 15:58 #

    I use a mechanism that runs net use command to verify the local admin account password has not changed on my windows 2003 servers. When we upgraded to 2008 it broke with the system error 5 message. Found your post and this worked for me. Thanks

  3. Carl February 4, 2014 at 18:20 #

    Big thanks on this article, I found it very useful. I was about to make some backups from my laptop to my desktop, and have just been struggling for more than half an hour with connecting. I was just about to give up when realized that I (for some strange reason) have left the wicked UAC feature enabled on the laptop, so that this could have something to do with it. A Google search “uac admin shares” took me here, and a couple of minutes later I was fixed. In my case, the Windoze registry didn’t even have a DWORD there, so at first I thought I was in the wrong key folder. Anyways, I created the DWORD and rebooted the system. Everything worked. Big thanks!

  4. Kapil September 26, 2014 at 11:15 #

    Thanks for the workout … it really work as champ. I was havning problem while access c$ of window 2012 using local admin accout. This regitry twik works and aslo as mention reboot not required.

  5. Terry December 26, 2014 at 20:21 #

    Great find. Thanks much for the tip!

  6. pilat32 March 10, 2015 at 18:38 #

    Very usefull!!! Thanks much

  7. dom March 13, 2015 at 00:28 #

    great tip. worked for me on srv 08. did not even have the Dword, had to add it. srv is a workgroup in dmz

    • Michael March 19, 2015 at 09:24 #

      super! was struggling with this for backing up my servers with veeam in dmz…
      added the key in 2012R2 and it work perfect now!!

  8. dharanesh May 21, 2015 at 06:57 #

    guys, This did not work for me in windows server 2008 r2. Please help

  9. raymov May 18, 2016 at 01:59 #

    To avoid a reboot, simply restart the “Server” Service (along with Computer Browser) in services.msc
    The correct KB article is: 951016

  10. Julian May 25, 2016 at 09:18 #

    Thank you, you saved me hours of hair pulling.

  11. lorisco May 27, 2016 at 08:27 #

    great!!!!
    I had the problem for two years. Thanks

  12. Suki August 15, 2016 at 16:45 #

    I’m having the same issue – ran the regedit and rebooted but this hasn’t worked for me either – anyone got any other suggestions?

  13. Schnurpf April 26, 2017 at 21:13 #

    Struggled with this issue since Windows 7. Is still the same in latest Windows 10 release (Creators Update, Version 1703, Build 15063).
    Used the fix as described, – works perfectly.
    Super ! Thank you.

  14. Osvaldo June 19, 2017 at 23:31 #

    Worked like a charm. I do nothave a domain but a standalone Windows 2012 server, and with this solution I was able to map administrative shares with a user account with administrative rights.

Leave a Reply