Windows 8下开启管理员共享

[HONG]

看到M大分享了一个windows 8的无线3G功能，我也来凑个热闹

windows 8默认关闭了管理员共享访问，虽然在计算机管理可以看到根目录已经共享，如C$, D$等，但实际上从另外一台机器访问时，例如

\\hp-pc\c$，不管输入多少次正确的用户名密码，都会再重复要求输入用户名密码，查看日志提示Access is denied

这个功能在windows 7上或者以前都是默认开启的

照理说windows 8改变这样做更安全了，但对于家里有多台电脑需要经常相互访问的朋友来说，就太不方便啦。

下面介绍一个注册表值，可以打开这个功能。

打开regedit，在HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System下新建一个DWORD，名字是 LocalAccountTokenFilterPolicy，值设置为1

如下图

windows8_share.png

[MUDBOY]

的确有用，感谢分享！
就是不知道DWORD和QWORD的区别，是不是64位的系统必须要建立QWORD键值？

[爱老虎油]

今天在Windows Server 2012 R2上遇到一个同样的问题，靠这个方法解决了，谢谢！

修改前，应该只针对本地用户的访问限制，对加入域并且有本机管理权限的用户无限制。
http://support.microsoft.com/kb/951016

Introduction

User Account Control (UAC) is a new security component of Windows Vista. UAC enables users to perform common day-to-day tasks as non-administrators. These users are called "standard users" in Windows Vista. User accounts that are members of the local Administrators group will run most applications by using the principle of "least privilege." In this scenario, least-privileged users have rights that resemble the rights of a standard user account. However, when a member of the local Administrators group has to perform a task that requires administrator rights, Windows Vista automatically prompts the user for approval.

More information

How UAC remote restrictions work

To better protect those users who are members of the local Administrators group, we implement UAC restrictions on the network. This mechanism helps prevent against "loopback" attacks. This mechanism also helps prevent local malicious software from running remotely with administrative rights.

Local user accounts (Security Account Manager user account)

When a user who is a member of the local administrators group on the target remote computer establishes a remote administrative connection by using the net use * \\remotecomputer\Share$ command, for example, they will not connect as a full administrator. The user has no elevation potential on the remote computer, and the user cannot perform administrative tasks. If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.

Domain user accounts (Active Directory user account)

A user who has a domain user account logs on remotely to a Windows Vista computer. And, the domain user is a member of the Administrators group. In this case, the domain user will run with a full administrator access token on the remote computer, and UAC will not be in effect.

How to disable UAC remote restrictions

To disable UAC remote restrictions, follow these steps:

Click Start, click Run, type regedit, and then press ENTER.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
On the Edit menu, point to New, and then click DWORD Value.
Type LocalAccountTokenFilterPolicy, and then press ENTER.
Right-click LocalAccountTokenFilterPolicy, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.