Share via


You Encounter Unexpected Behavior When You Log on to a Remote Computer and UAC Is Enabled

Applies To: Windows Server 2008 R2

Symptom

Local user accounts (Security Accounts Manager user account)

When a user who is a member of the local Administrators group on the target remote computer establishes a remote administrative connection (for example, by using the net use * \\remotecomputer\Share$ command), the user does not connect as a full administrator. The user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the computer with a Security Accounts Manager (SAM) account, the user must interactively log on to the computer that is to be administered by using Remote Assistance or Remote Desktop, if these services are available.

Domain user accounts (Active Directory user account)

When a user who has a domain user account that is a member of the Administrators group logs on remotely to a computer running Windows Vista or Windows 7, the domain user account runs with a full administrator access token on the remote computer, and User Account Control (UAC) is not in effect.

Note

This behavior is similar to the behavior in Windows XP.

Cause

UAC is a security component of Windows Vista and Windows 7 that enables users to perform common day-to-day tasks as non-administrators. These users are called "standard users." User accounts that are members of the local Administrators group run most applications by using the principle of "least privilege." In this scenario, least-privileged users have rights that resemble the rights of a standard user account. However, when a member of the local Administrators group has to perform a task that requires administrator rights, the user is prompted for approval.

To better protect users who are members of the local Administrators group, UAC restrictions are implemented on the network. This helps protect against "loopback" attacks and helps prevent local malicious software from running remotely with administrative rights. However, UAC remote restrictions remove administrator credentials and are enabled by default.

Resolution

Warning

This section contains steps that modify the registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any data on the computer. For more information about how to back up and restore the registry, see article 322756 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=133378).

To disable UAC remote restrictions

  1. Click Start, type regedit in the Search programs and files box, and then press ENTER.

  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

  3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:

    1. On the Edit menu, point to New, and then click DWORD Value.

    2. Type LocalAccountTokenFilterPolicy, and then press ENTER.

  4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.

  5. In the Value data box, type 1, and then click OK.

  6. Exit Registry Editor.