Error when you try to access an administrative share on a Windows-based computer from another Windows-based computer that's a member of a workgroup: Logon unsuccessful: Windows is unable to log you on
This article describes the "Logon unsuccessful" error that occurs when you try to access an administrative share on a Windows-based computer from another Windows-based computer that's a member of a workgroup.
Original KB number: 947232
Error message description
Consider the following scenario:
- You work on a Windows-based computer that's a member of a workgroup.
- From this computer, you try to access an administrative share that's located on another Windows-based computer.
- The computer that you try to access is a member of a workgroup or a member of a domain. For example, you try to access the C$ administrative share.
- When you're prompted for your user credentials, you provide the user credentials of an administrative user account on the destination computer.
In this scenario, you receive the following error message:
Logon unsuccessful:
Windows is unable to log you on.
Make sure that your user name and password are correct.
If you try to map a network drive to the administrative share by using the Net Use command, you receive the following error message after you provide the correct credentials:
System error 5 has occurred.
Access is denied.
Cause
By default, Windows prevents local accounts from accessing administrative shares through the network.
Resolution
To let users have access, we recommend that you create shares on the Windows-based computer by using the appropriate permissions. If, for some reason, you can't apply this resolution, you might want to try the workaround.
To share a folder on a Windows-based computer that has file sharing enabled, follow these steps:
Click Start > Computer.
Locate the folder that you want to share.
Right-click the folder that you want to share, and then click Share.
If you have password protected sharing enabled, select which users can access the shared folder and their permission level. To let all users have access, select Everyone in the list of users. By default, the permission level is "Reader." Users who have this permission level can't change files or create new files in the share. To let a user change files, change folders, create new files, and create new folders, use the "Co-owner" permission level.
If you have password protected sharing disabled, select the Guest account or the Everyone account. This is the same as simple sharing in Windows XP.
Click Share > Done.
Workaround
To allow access to administrative shares on a Windows-based computer in a workgroup, use the following workaround.
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Click Start, type regedit in the Start Search box, and then press Enter.
Note
If you're prompted for an administrator password or for confirmation, type the password or provide confirmation.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type LocalAccountTokenFilterPolicy to name the new entry, and then press Enter.
Right-click LocalAccountTokenFilterPolicy, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
The LocalAccountTokenFilterPolicy entry in the registry can have a value of 0 or 1. These values set the behavior of the entry as follows:
- 0 = build a filtered token
This is the default value. The administrator credentials are removed. These credentials are required for remote administration of the print drivers.
- 1 = build an elevated token
This value enables the remote administration of the print drivers on a server within a workgroup.
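The registry steps and value meanings above, scripted in PowerShell as an added example that is not part of the original article. The function names Get-TokenFilterPolicy and Set-TokenFilterPolicy are hypothetical; the check reports whether a computer is still at the default (filtered token) or has had the workaround applied, and the setter must be run from an elevated prompt.

```powershell
# Added example: audit and set LocalAccountTokenFilterPolicy.
# Function names are hypothetical; the subkey and entry name are from the article.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # A missing entry is treated as the default value 0 (build a filtered token).
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$Name } else { 0 }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Present  = ($null -ne $item)      # $false when the entry was never created
        Value    = $value
        Token    = if ($value -eq 1) { 'elevated' } else { 'filtered' }
    }
}

function Set-TokenFilterPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Value                       # 1 = apply the workaround, 0 = restore the default
    )

    # Create the DWORD (32-bit) entry, or overwrite it if it already exists.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null

    # Return the resulting state so the change can be confirmed or logged.
    Get-TokenFilterPolicy
}

# Report the current state without changing anything.
Get-TokenFilterPolicy | Format-List

# Apply the workaround:      Set-TokenFilterPolicy -Value 1
# Restore default behavior:  Set-TokenFilterPolicy -Value 0
```

Running Get-TokenFilterPolicy across workgroup computers shows where the workaround was applied and never reverted, that is, where Value is 1.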
Did this fix the problem?
Check whether the problem is fixed. If it's fixed, you're finished with this article. If it isn't fixed, you can contact support.
Status
This behavior is by design.
More information
When the destination Windows-based computer and the computer from which you want to access the administrative share are on the same domain, you can access the share by using domain administrator credentials.
You can't access this administrative share if the destination Windows-based computer is joined to a domain and you try to connect to it by using a computer that is joined to a workgroup. This is true even if you supply correct domain administrator credentials for the domain where the destination computer is located.
For more information about how to share folders or printers in Windows Vista, visit the following Microsoft Web site: