Posted on October 17, 2016 · Posted in Windows 10

Enable Remote Access to Admin Shares in WorkGroup

I have come across a problem that I wasn’t able to connect to default $Admin  shares on a computer running Windows 10 remotely from the account being a member of the Local Administrators group. At the same time, I could access them without any troubles using  built-in local Administrator account (by default, it is disabled).

Here is what the problem looks like in detail. I’m trying to get a remote access to the built-in administrative shares on a computer running Windows 10 and being a member of a workgroup (with the firewall turned off) as follows:

  • \\w10_pc\C$
  • \\w10_pc\D$
  • \\w10_pc\IPC$
  • \\w10_pc\Admin$

In the authorization window, I specify the name and password of the account being a member of the Local Administrators group on Windows 10, and get the access error (Access is denied). At the same time, I can access all network shares and shared printers on Windows 10. Also, I can access administrative resources from the Administrator account. If this computer is included in Active Directory domain, the access to the administrative shares from domain accounts with administrative privileges is not blocked.

Windows 10: Admin Shares Don't Work in WorkGroup

The matter is in another aspect of security policy that appeared in the UAC – so called Remote UAC (user account control for remote connections) that filters tokens of local and Microsoft accounts and blocks remote access to such accounts. When accessing with the domain accounts, this restriction is not applied.

You can disable Remote UAC by creating the LocalAccountTokenFilterPolicy parameter in the registry

Tip. It will slightly reduce the system security level.

  • Open the Registry Editor (regedit.exe)
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Create a new DWORD (32-bit) parameter with the name LocalAccountTokenFilterPolicy
  • Specify the LocalAccountTokenFilterPolicy parameter value equal to 1LocalAccountTokenFilterPolicy
  • Restart your computer to apply the changes

Note. You can create this key using the following command:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f

After the restart, try to remotely open the administrative share C$ on the computer running Windows 10.

How To Enable Remote Access To Administrative Shares in Windows 10

Note. Now you also can remotely connect to your of Windows 10 computer using the Computer Management snap-in.

So, we have considered how to allow the remote access to hidden administrative shares for all local administrators of a computer running Windows 10 using LocalAccountTokenFilterPolicy key. This guide is also applicable to Windows 8.x, 7 and Vista.

Related Articles