Windows 8, accounts and inbuilt admin $ shares

Hi,
Windows 8 RTM is now out, so everyone who cares is installing it on every device they can find (or is this just me?). Anyway, after doing this to a few PC’s I wanted to browse to a Windows 8 PC’s UNC path using the inbuilt $ share for each drive.

Don’t know what an inbuilt Admin share is exactly? Do some reading here: http://en.wikipedia.org/wiki/Administrative_share

So, if you’re trying to map or browse to a file share such as \\homepc\c$ you should get ‘Access Denied’, even when using administrator credentials.

A fix to this is to add the following setting to the registry on the Windows 8 PC you’re trying to connect to (I had to reboot to make it work afterward):

HKEY_LOCAL_MACHINE\SOFTWARE\Mi
crosoft\Windows\CurrentVersion\Policies\System
Add a new DWORD (32-bit) called LocalAccountTokenFilterPolicy and set it to 1 

While working this out, I did a bit of trial and error with my accounts. Windows 8 lets you use a Microsoft Live ID account over the top of your administrator local account (not the inbuilt administrator). A bunch more info on that from Microsoft blogs here: http://blogs.technet.com/b/privacyimperative/archive/2011/09/28/signing-in-to-windows-8-with-a-windows-live-id-privacy-and-security.aspx

With this, I discovered that once you’ve put your Microsoft Live ID in, it sits on top of your administrator account, and actually changes the password to match your Microsoft Live ID. You can use the combination of the username for the administrator account, and your Microsoft Live ID password to prove this. The old password for the administrator account won’t work. The other interesting thing about this setup is that even if you’re logged onto the PC with your Microsoft Live ID, you can’t change the password of the administrator account it’s on top of via Computer Management > Local Users and Groups. I assume this is because it will break the relationship between the Microsoft Live ID and the administrator account, but anyone who knows more about this please fill me in.

In summary, a registry entry will enable the admin $ shares again and you can either use the combination of “Microsoft Live ID Username\Microsoft Live ID Password” or “Local Administrator Username\Microsoft Live ID Password” because both passwords are now the same. Keep this in mind if you’ve got a poor strength password!

10 thoughts on “Windows 8, accounts and inbuilt admin $ shares

  1. Goodmorning, thanks for the useful help with the LocalAccountTokenFilterPolicy on Registry.

    I have a problem that I don’t understand… if I connect to a win7 pc (in a workgroup) to a shares admin as c$, I have an user in administrators group that with his credentials can open the c$ without problem.

    If I connect to a win8 pc (in a workgroup) to a shares admin as c$, I can do it only with the administrator user and not with an user in administrators group as above.

    What I’m doing wrong?

    Thanking in advance for your kind help.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.