UAC and file sharing

[Guest]

I have created 2 shares on a Vista RC 1 5600 machine.

The ACLs on both shares were - "Administrators: full control" - and nothing
else.

I could not access these shares from another machine (w2k), user the same
username and password! The user account was a member of Administrators group
on Vista.

Explicitly adding "MyUser: full control" to the share permissions solved the
issue.

More so. Switching UAC off also solved it! Looks like the SMB server ignores
the fact that the user is in the Administrators group due to UAC!

Can I switch some setting to allow the SMB server only (not the whole OS) to
pay attention to Administrators group membership?

 

[Jimmy Brush]

Hello,

By default, Windows Vista filters the access token when you authenticate via
the network to a box as an administrator local to the box. This effectively
prevents you from using any administrator powers remotely when authenticated
to a box as an administrator local to that box.

To change this behavior, create or modify the following registry value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

This is a DWORD value. Set it to 1.

 

[Guest]

Thanks Jimmy! this works. Is this behavior documented in some MS's KB
articles? Looks like a good candidate.

 

[Jimmy Brush]

I bugged this behavior and MS responded with this nugget. I assume it will
be a part of group policy, but a KB article would be great also.