Vista Forums - View Single Post - Accessing Vista drives by c$, d$ from Windows XP fails

03-23-2007

"Robert L [MVP - Networking]" <noreply@hotmail.com> wrote in message
news:en8yeQQbHHA.4476@TK2MSFTNGP03.phx.gbl...
> "Alexandru Gherman" <alex@alexgherman.name> wrote in message
> news:u2pWAoKbHHA.1400@TK2MSFTNGP06.phx.gbl...
>> Hi!
>>
>> I cannot access a Vista machine drive by the default admin share
>> c$, d$ from the Windows XP.
>> I can reach the pop-up screen for password, I entered the correct
>> username and password ( a user member of the Administrators group )
>> but the logon keeps popping as if the authentication fails.
>>
>> Is there an additional registry security setting required on the
>> Vista Machine ? Or some Local Security policy ? It is a Windows Vista
>> Ultimate.

> The administrative sharing has been changed. This post may help,

> Vista issues By default, Vista administrative shares e.g. C$, D$) are
> not shared by default for security reasons. You should create your own
> shares to share your drives ...
> http;//www.chicagotech.net/vista/vistanetissues.htm
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com

Actually, the admin shares are there, but by default Windows Vista
prevents local administrators from using their administrator powers over
the network. This results in the inability to remotely administer a
computer using filesharing and tools that use similar technology (such
as the computer manager MMC snap-in and the
administrative shares, such as C$). However, this DOES NOT affect Remote
Desktop in any way. Also, domain-level admins are not affected.

For example: you have an admin account set up on VISTAMACHINE, and log
in to VISTAMACHINE from your other computer XPMACHINE via the network
(net use or whatnot), and try to access VISTAMACHINE's administrative
share C$. Technically you have access to that share; however, due to the
token filtering, you are returned access denied, since the system is
ignoring the fact that you are an administrator.

Although it's probably better to explicitly set up new shares with the
desired security restrictions, you can allow administrators local to a
computer to use their administrator powers when accessing the Vista
computer remotely by following these steps:

- Click start
- Type: regedit
- Press enter
- In the left, browse to the following folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
- Right-click a blank area in the right pane
- Click New
- Click DWORD Value
- Type: LocalAccountTokenFilterPolicy
- Double-click the item you just created
- Type 1 into the box
- Click OK
- Restart your computer

Regards,

Dave

03-23-2007	#3 (permalink)
Dave R. n/a posts	Re: Accessing Vista drives by c$, d$ from Windows XP fails "Robert L [MVP - Networking]" <noreply@hotmail.com> wrote in message news:en8yeQQbHHA.4476@TK2MSFTNGP03.phx.gbl... > "Alexandru Gherman" <alex@alexgherman.name> wrote in message > news:u2pWAoKbHHA.1400@TK2MSFTNGP06.phx.gbl... >> Hi! >> >> I cannot access a Vista machine drive by the default admin share >> c$, d$ from the Windows XP. >> I can reach the pop-up screen for password, I entered the correct >> username and password ( a user member of the Administrators group ) >> but the logon keeps popping as if the authentication fails. >> >> Is there an additional registry security setting required on the >> Vista Machine ? Or some Local Security policy ? It is a Windows Vista >> Ultimate. > The administrative sharing has been changed. This post may help, > Vista issues By default, Vista administrative shares e.g. C$, D$) are > not shared by default for security reasons. You should create your own > shares to share your drives ... > http;//www.chicagotech.net/vista/vistanetissues.htm > > > Bob Lin, MS-MVP, MCSE & CNE > Networking, Internet, Routing, VPN Troubleshooting on > http://www.ChicagoTech.net > How to Setup Windows, Network, VPN & Remote Access on > http://www.HowToNetworking.com Actually, the admin shares are there, but by default Windows Vista prevents local administrators from using their administrator powers over the network. This results in the inability to remotely administer a computer using filesharing and tools that use similar technology (such as the computer manager MMC snap-in and the administrative shares, such as C$). However, this DOES NOT affect Remote Desktop in any way. Also, domain-level admins are not affected. For example: you have an admin account set up on VISTAMACHINE, and log in to VISTAMACHINE from your other computer XPMACHINE via the network (net use or whatnot), and try to access VISTAMACHINE's administrative share C$. Technically you have access to that share; however, due to the token filtering, you are returned access denied, since the system is ignoring the fact that you are an administrator. Although it's probably better to explicitly set up new shares with the desired security restrictions, you can allow administrators local to a computer to use their administrator powers when accessing the Vista computer remotely by following these steps: - Click start - Type: regedit - Press enter - In the left, browse to the following folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\ - Right-click a blank area in the right pane - Click New - Click DWORD Value - Type: LocalAccountTokenFilterPolicy - Double-click the item you just created - Type 1 into the box - Click OK - Restart your computer Regards, Dave
My System Specs