How To Enable Admin Shares For Local Accounts And Allow WMI Access

Share This:

1245913945windows-8-blue_mediumIf you have a local computer that is not on a domain, since Windows XP, you cannot access the admin shares or have WMI access using a local account, even if that account is in the administrators group. The example I have is trying to configure Solarwinds IPAM to query the MicrosoftDNS via WMI on a public nameserver that is not joined to the domain. Solarwinds would show Access Is Denied errors even though the local account was in the Administrators group and had access to WMI. While trying to copy a file to that server using the C$ share, I was also getting Access Is Denied errors.

After doing some research, this is related to a UAC control that Microsoft introduced in Windows XP and later. For security, the best configuration is the default, but if you must change it, there’s a simple registry key that you need to create.

Windows XP

For Windows XP, you’ll want to change/add the registry key below and set it to 0 for Classic:

Key: HKLMSYSTEMCurrentControlSetControlLsaforceguest
Type: DWORD (32-bit) Value
Value:
0 – Classic
1 – Guest only

Windows Vista or Newer

For Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2012, etc, you’ll want to change/add the registry key below and set it to 1.

Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemLocalAccountTokenFilterPolicy
Type: DWORD (32-bit) Value
Value:
0 - build filtered token (Remote UAC enabled)
1 - build evelated token (Remote UAC disabled)

You don’t even need to reboot the machine. As soon as you set the value for the key above, you should be able to access WMI and access the admin shares using a local account.


Share This:

 

One Response

  1. Inder August 21, 2016

Leave a Comment