When attempting to access the default administrative share (\\servername\c$) on Windows Server 2008 using a non-default administrator account, you might encounter access denied errors despite having administrative privileges. This occurs because Windows handles built-in administrator accounts differently from domain/local admin accounts added to the Administrators group.
Windows Server 2008 implements User Account Control (UAC), which creates a "split token" for administrators. The secondary token removes certain privileges (like accessing admin shares) unless you explicitly elevate your credentials.
# Check the share permissions using PowerShell (the SmbShare cmdlets ship with Windows Server 2012 and later):
Get-SmbShare -Name 'C$' | Get-SmbShareAccess
Option 1: Disable UAC Remote Restrictions
Modify the registry to disable UAC's remote restrictions:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Then restart the server or restart the Server service:
net stop server && net start server
Option 2: Use Explicit Credentials
Map the drive with explicit credentials:
net use Z: \\servername\c$ /user:servername\username *
Option 3: Enable the Built-in Administrator
net user administrator /active:yes
net user administrator *
For domain environments, you might need to adjust Group Policy:
gpedit.msc → Computer Configuration → Windows Settings →
Security Settings → Local Policies → Security Options →
"User Account Control: Run all administrators in Admin Approval Mode" → Disabled
After making changes, verify access with:
Test-Path \\servername\c$\windows
# Or using WMI:
Get-WmiObject -Class Win32_LogicalDisk -ComputerName servername
Remember that disabling UAC restrictions lowers security. Consider these alternatives:
- Create a dedicated share with explicit permissions
- Use PowerShell Remoting instead of admin shares
- Implement Just Enough Administration (JEA)
# Example of creating a secure alternative share:
New-SmbShare -Name "AdminData" -Path "C:\AdminData" -FullAccess "DOMAIN\AdminGroup"
When working with Windows Server 2008's administrative shares (particularly C$), many administrators encounter a peculiar scenario where the default Administrator account can access the share while domain admin accounts fail. This creates significant operational hurdles in enterprise environments.
The fundamental issue stems from how Windows Server 2008 implements User Account Control (UAC) for remote administrative access:
- UAC remote restrictions apply even to domain admins
- The built-in Administrator account is exempt from UAC filtering
- Group membership alone doesn't grant automatic access
First, verify the effective permissions with PowerShell:
# Check share permissions
Get-SmbShare -Name 'C$' | Select-Object -ExpandProperty SecurityDescriptor
# List the share ACL entries for a specific user
Get-SmbShareAccess -Name 'C$' | Where-Object { $_.AccountName -eq 'DOMAIN\User' }
Option 1: Registry Modification (Recommended)
Create the following registry entry to disable UAC remote restrictions:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
Option 2: Group Policy Adjustment
For domain environments, deploy this setting via GPO:
- Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Enable "User Account Control: Admin Approval Mode for the Built-in Administrator account"
For temporary access without modifying security policies:
net use Z: \\server\c$ /user:server\administrator *
When implementing these changes:
- Always document security policy modifications
- Consider creating dedicated admin accounts instead of using domain-wide admin groups
- Monitor Event ID 5145 in security logs for share access attempts
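One way to act on the Event ID 5145 recommendation above, as an added PowerShell example that is not part of the original page: it reduces 5145 records to a per-account summary of access to drive-letter shares (C$, D$, ...) and ADMIN$. It assumes PowerShell 3.0 or later and that the "Audit Detailed File Share" subcategory is enabled; the function names, accounts, hosts and addresses are hypothetical.

```powershell
# Added example, not from the original page; sample records are constructed.

function ConvertFrom-ShareEvent {
    # Flatten an EventLogRecord (ID 5145) into the fields summarised below.
    param([Parameter(ValueFromPipeline = $true)] $LogRecord)
    process {
        $data = @{}
        foreach ($d in ([xml]$LogRecord.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $LogRecord.TimeCreated
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            SourceIp    = $data['IpAddress']
            ShareName   = $data['ShareName']
        }
    }
}

function Get-AdminShareAccessSummary {
    # Keep only drive-letter shares (C$, D$, ...) and ADMIN$, then count
    # accesses per account, source address and share.
    param([Parameter(Mandatory = $true)] [object[]] $Record)
    $Record |
        Where-Object { $_.ShareName -match '\\([A-Z]|ADMIN)\$$' } |
        Group-Object Account, SourceIp, ShareName |
        ForEach-Object {
            $last = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
            [pscustomobject]@{
                Account   = $last.Account
                SourceIp  = $last.SourceIp
                ShareName = $last.ShareName
                Count     = $_.Count
                LastSeen  = $last.TimeCreated
            }
        } | Sort-Object Count -Descending
}

# Constructed sample records (hypothetical hosts and accounts).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:00:00'; Account = 'SERVER01\opsadmin'; SourceIp = '192.0.2.10'; ShareName = '\\*\C$' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:05:00'; Account = 'SERVER01\opsadmin'; SourceIp = '192.0.2.10'; ShareName = '\\*\C$' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:07:00'; Account = 'DOMAIN\jsmith';     SourceIp = '192.0.2.44'; ShareName = '\\*\ADMIN$' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:08:00'; Account = 'DOMAIN\jsmith';     SourceIp = '192.0.2.44'; ShareName = '\\*\AdminData' }
)
Get-AdminShareAccessSummary -Record $sample | Format-Table -AutoSize
# Live use from an elevated session:
#   $r = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } | ConvertFrom-ShareEvent
#   Get-AdminShareAccessSummary -Record $r
```

On a host where LocalAccountTokenFilterPolicy has been set to 1, rows whose Account is a local (SERVER01\...) identity are the ones that change introduced, so they are worth baselining first.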
If issues persist after applying fixes:
# Check share visibility
Get-SmbConnection | Where-Object { $_.ShareName -like '*$' }
# Verify firewall rules
netsh advfirewall firewall show rule name=all | findstr /C:"File and Printer Sharing"