I was playing around with a trial version of server 2008 a couple days ago and I set it up like I did with any other server – created users and added them to the administrators group. I figured in 2003 it worked fine, so why wouldn’t it work in 2008? As you possibly guessed by now, it didn’t go as planned. I didn’t have access to any admin shares, nor did I have access to any shares I created if I just used the administrators group for the permissions. If I added each person to the share, it would be fine, however that group just didn’t work.
Then after reading around a bit I found out there is new security in Server 2008 and the only way to possibly get around this is by hacking the registry and adding a key. I didn’t feel that was right so I went on to plan B – create another group and add them with permissions instead…
I found this on a site (sorry but I can’t remember where I found it). This should “fix” that issue, however I guess its best security practice to follow what they do. Also, if they log in to console – they are admin for that session. Just not admin for the shares unless you give it to them in another group (from what I understood anyway.)
Why can’t I access the administrative shares or remote administrative functions from a remote computer?
Windows Vista prevents local administrators from using their administrator powers over the network. This results in the inability to remotely administer a computer using filesharing and tools that use similar technology (such as the computer manager MMC snap-in and the administrative shares, such as C$). However, this DOES NOT affect Remote Desktop in any way.
To allow administrators local to a computer to use their administrator powers when accessing the Vista computer remotely, please follow these steps:
CAUTION: Improperly modifying the registry can harm your system.
- Click start
- Type: regedit
- Press enter
- In the left, browse to the following folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
- Right-click a blank area in the right pane
- Click New
- Click DWORD Value
- Type: LocalAccountTokenFilterPolicy
- Double-click the item you just created
- Type 1 into the box
- Click OK
- Restart your computer