UAC and Networking.

[bigstusexy]

I've been banging my brains out for the past couple of days of why I can't connect to admin shares on my vista box (and win7) I already figured out the nt lanman issue with 2000 from them to 2000 but I couldn't access shares from xp to vista or win7. I just now turned off UAC on vista and... it works. I'm going to do the same for win7 soon.

However in the interest of security how am I supposed to network this with UAC on, to legacy clients?


What I was running into was that even though I am an administrator with a password, I couldn't rely on my Membership in the administrator group to allow my access, when I made a test share I had to add my account, adding administrators did not work.

 

[k1pp3r]

In a mixed OS environment (XP, Vista, 7) i always disable UAC, just to much of a time waster and pain in the butt.

I just built an entire network with Win 7 and server 2008 r2, in which case, UAC has not been an issue

 

[xenios]

If you notice this also applied when you are at the computer itself. If you try to access a folder that only has ntfs permissions for the administrator group and not the users group you will get a uac prompt that will in turn give you read access to your user account. And to prove this you can try running explorer elevated and you will get no prompts and have full access.

EDIT: I just tried this and I can not reproduce your problem, I have no problem accessing shares across all platforms. Even when the users group does not exit. Though the local example still applies.

 

[bigstusexy]

I wonder if this is because one of the clients is windows 2000 server, there is no domain its a work group but I sure as heck can't figure it out.

I still haven't switched off UAC on win7 but here are something tests I've tried

vista to win7 No
win7 to vista No (I think yes after UAC is off)
vista to Xp Yes
win7 to Xp Yes
Win7 to 2k Yes (after I configured LM and NTLM send and recieve)
vista to 2k Yes (after I configured LM and NTLM send and recieve)
xp to 2k Yes always
2k to xp Yes Always
Win7 to loopback Yes
vista to Loopback Yes

I am just confused as all get out what I could be doing wrong. When I tested the RCs and betas I didn't have the issue. I haven't tested when I use the loopback to default share if its read only or not I was just happy it worked at all and confused why it didn't work over the network less I set myself explicity. These new OSes are starting to make me feel old I know it must be one simple thing some where that I haven't ticked. My searches aren't urning up much of anything either and now I'm running into issues with MC accessing Network content for the 360 as an extender and for my TV boxes and I can't use the service to impersonate my by loggin in as me because its a svchost process and other processes are logged in differently.

Well I'll start kicking my brain some more and see what I can find.

 

[xenios]

I cant really help you as i use homegroups at home and domain at work. But following the way it works locally, if the users group is missing from the permissions and your account is directly missing from the permissions then it will not work. Either re add the users group or add yourself to the permissions.

Edit: After some reading this is indeed the case, uac will prevent local accounts in the administrators group from authenticating with network shares. To fix do what I listed above. This does not apply to domain accounts(obviously) and for home groups, you will notice that everything has an additional permission for its built in group.

if you wish to disable the localadmin share protection you can change or create LocalAccountTokenFilterPolicy (dword) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ to 1.

linky: http://support.microsoft.com/kb/951016/en

 

[bigstusexy]

Ahh you beat me too it xenios, thanks for the information I found this yesterday but was too tired. It works and worked quite quickly and without restart.

The article was written for Vista but this applies to win7 as well.