About Me

My photo
I know the last digit of PI

Tuesday, August 04, 2015

Windows 10/8/7/Vista administrative shares are not accessible (from linux / windows)

The information is based on Access Denied Trying to Connect to Administrative Shares C$, D$ etc.

Typical error is :

mount -t cifs -o username=superman,password=secret //192.168.22.14/c$ /mnt/c
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
The reason is that described in KB951916 Microsoft introduced as part of UAC a little known feature called “UAC remote restrictions”. It filters the access token for connections made with local user accounts or Microsoft accounts (the latter typically have the format MicrosoftAccount\EMailAddress). In other words it removes the SID for “Administrators”. Connections made with domain accounts remain unchanged. From KB951016:
If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.
UAC remote restrictions can be disabled by setting the DWORD registry value LocalAccountTokenFilterPolicy to 1:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Data: 1 (to disable, 0 enables filtering)
Type: REG_DWORD (32-bit)
Reboot is not required on Windows 8/10

No comments: