I am looking for a way to enable administrative shares on both XP and on Vista. I am a complete newbie when it comes to using administrative shares. I have no prior experience as to how this is supposed to work. What I'm trying to achieve is to make a setup that would allow me to exchange files between the two computers freely, without necessarily having to share individual disk partitions or taking ownership of any disk partition.
Computer 1
- OS: XP Pro SP2
- Host name: TOSH
- Workgroup: WORKGROUP
- IP: 10.0.0.1
- Subnet mask: 255.255.255.0
- Default gateway: blank
- DNS: blank
- Client for Microspoof network enabled (joke!)
- File and printer sharing for Microsoft network enabled
- File and Printer sharing exception in Windows Firewall
- Firewall: Windows Firewall disabled, Kaspersky installed but disabled
- Users: Descartes (admin), Administratör (built-in admin, enabled), Gäst (built-in guest)
- Test user: Testuser1 (admin, my own creation)
- Shares: Shared Documents (default)
Computer 2
- OS: Vista SP2
- Host name: GIGA
- Workgroup: WORKGROUP
- IP: 10.0.0.2
- Subnet mask: 255.255.255.0
- Default gateway: blank
- DNS: blank
- Client for Microsoft network enabled
- File and printer sharing for Microsoft network enabled
- File and Printer sharing exception in Windows Firewall
- Firewall: Windows Firewall disabled, no 3rd party firewall
- Network discovery on
- File sharing on
- Public folder sharing on
- Printer sharing off
- Password protected sharing off
- Media sharing off
- Users: Sammy (admin), Administratör (built-in admin, disabled), Gäst (built-in guest)
- Test user: Testuser1 (admin, my own creation)
- Shares: Public (default)
- Test share: Share 1 (my own creation)
If Descartes@TOSH is local and Sammy@GIGA is remote:
- Cannot access
\\10.0.0.2\c$
- Can access
\\10.0.0.2\
- Cannot access
\\10.0.0.2\Public
- Cannot access
\\10.0.0.2\Share 1
I was logged on as Descartes@TOSH and Sammy@GIGA. When I try to access \\10.0.0.2\c$
I get the dialog box asking for user name and password. I use the credentials for Sammy@GIGA. Trying to access the other paths doesn't show any dialog box, where \\10.0.0.2
just shows the regular network shares @GIGA and \\10.0.0.2\Public
and ..\Share 1
just shows an error message.
If Testuser1@TOSH is local and Sammy@GIGA is remote:
- Cannot access
\\10.0.0.2\c$
- Can access
\\10.0.0.2
- Cannot access
\\10.0.0.2\Public
- Can access
\\10.0.0.2\Share 1
As soon as I log on as Testuser1@TOSH I can access ..\Share 1
but still can't access the ..\Public
share and ..\c$
administrative share. I think something strange is going on here. At bare minimum, the Public share should be accessible without any problem. I checked the sharing options and permissions for the Public share on Vista and it looks OK.
If Sammy@GIGA is local and Descartes@TOSH is remote:
- Cannot access
\\10.0.0.1\c$
- Can access
\\10.0.0.1
- Can access
\\10.0.0.1\Shared Documents
When I try to access \\10.0.0.1\c$
I get the same type of dialog box asking for user name and password. I use the credentials for Descartes@TOSH to log on. But log on fails.
Logon unsuccessful:
Windows is unable to log you on.
Be sure that your user name and password are correct.
I know the credentials I used for Descartes are correct. This is something else.
Administrative shares on TOSH:
C:\WINDOWS>net share
Resursnamn Resurs Anmärkning
---------------------------------------------------------------
IPC$ Fjärr-IPC
print$ C:\WINDOWS\system32\spool\drivers
Skrivardrivrutiner
C$ C:\ Standardresurs
ADMIN$ C:\WINDOWS Fjärr-admin
Administrative shares on GIGA:
C:\Windows\system32>net share
Share name Resource Remark
-----------------------------------------------------------
ADMIN$ C:\Windows Fjärradmin
B$ B:\ Standardresurs
C$ C:\ Standardresurs
Q$ Q:\ Standardresurs
E$ E:\ Standardresurs
There are more shares but you can see here that the c$
share is listed on both computers.
After some research I have found a way to enable the administrative shares on Vista. See Microsoft KB article 947232. You basically just need to create a new or edit existing Windows registry value. You need to have following entry.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Value type: DWORD
Value data: 1 (0x00000001)
After adding this bit to the registry I was able to connect to the administrative share c$ on the Vista computer. As it stands right now:
If Descartes@TOSH is local and Sammy@GIGA is remote (with this mod):
- Can access
\\10.0.0.2\c$
- Can access
\\10.0.0.2
- Cannot access
\\10.0.0.2\Public
- Cannot access
\\10.0.0.2\Share 1
For some reason I still can't access the Public or the Share 1 share. But F DOS! The important thing is that I can now access c$ on Vista. That way, I can rule them all! 🙂 Of course, as before, logging on as Testuser1 on XP will allow me to remotely access Share 1 as well.
Now the only question is how do you do this on XP? Or should this even be necessary for a Windows XP computer? From what I understand this is only a necessity on Windows Vista, 7 and 8?…
Or to quote Microsoft KB article above:
By default, Windows Vista and newer versions of Windows prevent local
accounts from accessing administrative shares through the network.
So does Windows XP require a registry mod to enable administrative shares or not? Which is it? I did try to replicate the same registry value (LocalAccountTokenFilterPolicy) on the XP computer but that didn't work out. So I'm typing this very lengthy question/problem on SU in hope that someone with a lot of experience from Windows networking will be able to help.
What I have tried so far:
Besides the above registry mod, I also tried to add the following registry entry to the XP computer.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
Value: AutoShareWks
Value type: DWORD
Value data: 1 (0x00000001)
I also tried to use a 0
but it didn't help.
I also tried to connect to the share using the net command in cmd.
C:\Windows\system32>net use /user:Descartes \\10.0.0.1\c$ ********
System error 5 has occurred.
Access is denied.
C:\Windows\system32>
Best Answer
Problemz zolved!
To begin with, I believe there was some issue with the Descartes account on the XP. It ought to do with security policies. It simply should not matter if I'm logged in as Descartes or Testuser1. As long as they are both administrator accounts, I should still be able to access the default, built-in shares such as Public on the Vista computer. It makes absolutely no sense that Testuser1 can access the Share1 share (that I created myself), while Descartes cannot do that, and that neither of them can access the built-in Public share on Vista.
At the same time, Sammy on the Vista computer is able to access the Shared Documents share on the XP without any problems. This is the way it's supposed to be. It should be just as easy the other way around, to access the Public share on Vista. The Public share on Windows Vista, 7 and above is what used to be known as Shared Documents share in old versions of Windows. However, Sammy on the Vista computer was still unable to access the c$ share on the XP, but I now know why and how to fix that.
Instead of tinkering with security policies and what now, I decided to do a clean install of Windows XP. So I started fresh and I got things working now. So I thought I would share my findings here. I will make this very simple so that both noobz and so called "expertz" can do this.
Enabling file sharing and administrative shares on Vista
The first thing you will need in order to access the administrative shares is an administrator account with a password. So let's look at that first.
Creating an administrator account
It's needless to say, as this is a "superuser" site, but I'll say it anyway. If you have created a new administrator account previously, then you will have to log out from the current account and then log in with the new account to use it. If you are already logged in with an administrator account, and you only added a password to it, then you don't need to log out.
Screeniez...
Now that you have that sorted out, you now need to make sure you have file sharing enabled.
Enabling file sharing
Screeniez...
Now that you have that sorted out, you need to make sure that Windows Firewall is set up properly.
Setting up Windows Firewall
Screeniez...
Now that you got all that sorted out, there is one last thing you need to do. On Windows Vista and later versions of Windows, you need to modify the registry to enable access to the administrative shares.
Enabling access to administrative shares
regedit
and press Enter. Click Continue if prompted by UAC.1
and click OK.Screeniez...
That's it! Windows Vista is now ready. Onto Windows XP...
Enabling file sharing and administrative shares on XP
Just like with Windows Vista, in Windows XP you need to...
The major difference is in the way that administrative shares are enabled. Another difference is in the way that file sharing is enabled. On Windows XP, there is no centralized place in the control panel like the Network and Sharing Center in Vista and above, where you can basically configure everything that has to do with file sharing. Instead, file sharing is configured per network connection. So let's have a look at that.
Creating an administrator account
Screeniez...
Now let's look at enabling file sharing on XP.
Enabling file sharing
Screeniez...
Now let's look at setting up the firewall.
Setting up Windows Firewall
Screeniez...
Finally, let's look at how administrative shares are enabled on XP.
Enabling access to administrative shares
Screeniez...
If you are reading this because you are having trouble accessing the administrative shares on XP, then chances are that it's caused by "Simple File Sharing". As "simple" and innocent as it might seem, it actually puts a spoke in the wheel. Disabling this single option enabled me to access the administrative shares on my XP computer from my Vista computer.
All my other settings were nailed down perfectly, except for this one. I didn't even know, and I wouldn't have expected something like Simple File Sharing to change the security policy on the system so radically. I discovered this by accident, and at first I didn't believe it myself. So I had Windows XP re-installed two times, last time I even made a complete switch to an English version of Windows XP Professional with SP2. It's the same behavior as in my Swedish version, no change. I did a clean install both times.
The only question is... is this a security feature or a bug?...
In either case, that's how you enable access to administrative shares on XP. You just kill off the Simple File Sharing, and if the rest of the settings are done right, then it should work. Some users might find it that not having Simple File Sharing enabled makes sharing files and folders on XP a little more difficult, but it's not really that hard for a "superuser" now, is it? But it's awkward that you must disable a user friendly feature of XP just to get to the more advanced stuff, it's a stupid implementation from Microsoft.
After disabling Simple File Sharing, you will get some new options on the Properties dialog box for the disk you're trying to access remotely. Let's have a look at that.
Verifying that C$ is shared
Screeniez...
This is what it looks like when Simple File Sharing is enabled.
And this is what it looks like when Simple File Sharing id disabled.
Running the
net share
command to "verify" that the C$ share is configured is not very helpful. Even if you see it in the list, it doesn't mean anything. It merely suggests that it's installed or configured, but that doesn't necessarily mean that you can actually use it. Not until you disable Simple File Sharing, and you see it appear in the Sharing tab of the Properties dialog box for the disk whose administrative share you want to access.Here's an example of what it might look like (in XP).
Or in code formatting...
What you see is not exactly what you will get, not in this case anyway. (Reference to WYSIWYG.)
Troubleshooting
In case you run into those pesky errorz...
net use
command!Network cable and IP settings
Make sure the network cable is properly seated. Here's an example of error you might see if the connection is broken for some reason, e.g. cable disconnected.
If you have two computers connected directly to each other, as in my case, then you might need a crossover network cable (where wires 3 and 1, and 6 and 2 have been crossed). It's not very likely, but it's worth noting. Any modern NIC from at least year 2000 and onwards should have Auto MDI-X support. This allows you to use straight network cables (non-crossed, i.e. MDI).
Go over your IP settings again, and whenever possible use the automatic DHCP negotiation.
Using Administrator account
You don't actually need to set up a password protected administrator account to use the administrative shares if you don't want to. You might as well use the Administrator account. But don't get confused by this. Because "Administrator" is the actual name of the account, and it's an administrator level account. It's not your regular administrator account. This account comes built-in on both Windows XP and on Vista. Only difference is that it's enabled by default on XP, while it's disabled by default on Vista. So in case of Vista, you will have to enable it first before you can use it. Run
lusrmgr.msc
from the Run prompt on either XP or Vista and you'll get the "Local Users and Groups" window. From here you can see all the users and groups, and you can check account status, disable or enable accounts, including the Administrator account. You can even enable it temporarily and then disable it later on when no longer needed.There is also a very neat command you can run to activate the built-in administrator account.
To enable:
To disable:
This is a very useful command, even necessary for those of you poor souls who didn't pay M$ enough money and are now sitting with one of those intentionally limited versions of Windows Vista. Those include the Starter, Home Basic and Home Premium. These versions don't have the "Group Policy Editor" and the "Local Users and Groups".
I'm a sucker too, I payed for the Vista Premium FPP (full product package), full version, but these useful tools were apparently not considered a "premium" so M$ didn't bother including them. They didn't include the 64-bit DVD either, that was an "extra" I had to order separately. You might consider yourself lucky if you are on Vista Professional or Vista Ultimate (or Vista Enterprise) because those have all the tools you will ever need. Hence, the commands above will be useful for the less privileged Windows users (economically and technically speaking). Don't forget to disable the built-in administrator account once you're done with it.
Using the "net use" command
This is another useful command. You can use the
net use
command to remove timed-out network sessions. Often time when an established connection to a share has not been in use for some time it will become disconnected. Sometimes this can cause errors when you try to use the share again. In this case, you need to flush that out. You can do that by either rebooting the remote computer, or preferably rebooting both the remote and the local computer. But if you don't like rebooting, don't have time for it, can't afford it because of other work being done, or whatever the reason, you can use this command instead.Here's how it works.
You open up a Command Prompt window (or cmd) and you only issue the bare
net use
command. It will return all active or in-active network sessions. Here's an example.You can see here that I'm disconnected from
\\tosh\c$
because I am not actively using it right now. If this is causing you problems, then you can safely remove it. Let's do that.You can see here that it's been deleted. You just have to add in the
/delete
switch followed by the UNC path to the share and hit Enter. So let's see if it's removed now.You can see here that there are no entries now. So it's gone now. Now, when you connect to the share again, you will be prompted for credentials (i.e. user name and password) again. By the way, you can connect to it again by using the Run prompt. Just press Windows key and R and in the Run prompt type in the UNC path to the share, e.g.
\\tosh\c$
and hit Enter. Provide the credentials and hit Enter and you should be right where you started. I have done that now already. So let's use thenet use
command again to check the status.So as you can see now, it says "OK". So we are connected and back to business again.
By the way, I should point out that you will probably have to use this command after a failed connection to a Windows XP computer where Simple File Sharing was not disabled when you attempted to connect. What might happen when you try to connect to the XP computer when the Simple File Sharing is still enabled is that you will get connected to stuff like
\\tosh\ipc$
(yet fail to connect toc$
) and you need to flush that out before you attempt to connect the second time, after disabling Simple File Sharing.You basically want to start off with a clean window, i.e. without any saved connections. What might happen if you don't flush that old stuff out is that you will get those annoying errors where Windows says you're trying to use the same user name for more than one connection, something along those lines. If you get that type of error then you want to flush out the old saved credentials for old connections, and you do that by using the
net use
command (as in my example above).Examples:
You can be connected to either one of them in order to access the administrative share c$ but you will have to use the correct credentials, otherwise you will have to start all over again, because what you type in the first time is remembered for the duration of the login session. The remedy in that case is to either flush it with the
net use
command or reboot the system.Essentially if you connect to
\\tosh\
you will get connected to\\tosh\ipc$
and you can browse the most basic shares, like the Shared Documents share (or Public in Vista). But if you had Simple File Sharing disabled before you connected, then you can now go ahead and connect to\\tosh\c$
and it will get you connected to\\tosh\c$
. This time you will get into root of C: directly without any prompt for user name and password, because they are remembered now since you are connected to\\tosh\
. And because Simple File Sharing was disabled before you started the connection you will get access to it without any errors.To sum this up...
Any questions? Leave them in the comments.
That would be all good folks!