Admin rights on Vista

Andreas

1) Since I have Admin rights on both computers in a workgroup, why can't I
access the administrative shares? It prompts me for a password, which I
provide and it rejects. That used to work in previous versions. If I define my
own administrative shares (with $), it works fine.

2) The same issue applies if I attempt to remotely administer a machine. I
have no rights. What has changed with those rights?

3) Also, why do I have to use RunAs admin if I belong to the admins group?
Is there anything more powerful in Vista to bypass this?
 
Frank Saunders, MS-MVP OE/WM

Andreas said:
1) Since I have Admin rights on both computers in a workgroup, why can't I
access the administrative shares? It prompts me for a password, which I
provide and it rejects. That used to work in previous versions. If I define my
own administrative shares (with $), it works fine.

2) The same issue applies if I attempt to remotely administer a machine. I
have no rights. What has changed with those rights?

3) Also, why do I have to use RunAs admin if I belong to the admins group?
Is there anything more powerful in Vista to bypass this?

Are you supplying your password or the default Administrator?
 
Gerry Hickman

Hi,

As far as I know, the ability to supply credentials against remote
machines has changed in Vista. In the old days you could have two boxes
in a workgroup, then you could act as an Administrator on Box B by
supplying credentials from Box A like this.

NET USE \\BOXB\C$ /user:BOXB\Administrator *

In Vista, this doesn't work anymore (by default), but apparently there
is a way to change it, but it would need Group Policy, or would need
done on every box.

If you're on a domain, and you are a domain Admin, you can still work
with remote boxes. No one seems to know about "delegated admins for
Active Directory OUs" yet.

The big problem (in the domain context) is that if something goes wrong
with the secure channel and you have thousands of computers to look
after, there's no way you can connect to them and fix them. Even group
policy relies on the domain, so even if you'd hacked the group policy,
you'd suddenly be cut off.

You'd have to decide whether to set the local account capability at
build time or to take the risk that you could end up locked out of all
your computers. In the former case you'd be accused of "weakening
security", in the latter you'd be accused of failing to have a disaster
recovery plan.
 
Andreas

In the beginning I couldn't supply the administrator password because I
didn't know it, but I also tried to change it and provide that password
for the Admin but it didn't work again. I am providing my user account which
is mapped on both machines with the same credentials. I also tried to use
the username with the destination machine name as prefix and it doesn't
work.

How can I access Admin shares and connect to remote management console
without changing the default policy? There must be a way. However, if
Policies are the only hope then let me know.
 
