Can't access ADMIN$ share using a local user or LAPS account

When supplying the appropriate user credentials that have local administrator access, you attempt to access a supported device and receive one of the following errors:

  • Access Denied - Failed to connect to ADMIN$ share
  • Access to the path '\\TARGET\\ADMIN$' is denied

Before you start

Verify the following is correct:

  • Device meets requirements: System Requirements
  • Firewall Exceptions are set up correctly: Windows Firewall Ports and Exceptions.
  • File and Printer Sharing is enabled
  • GPO/SRP or Antivirus is not blocking access to the ADMIN$
  • Try accessing \\X.X.X.X\ADMIN$ directly (replace X.X.X.X with the IP address of the target machine throwing the error)
  • Appropriate credentials of local administrative users have been set (and tested)
  • If using a LAPS account, you should be able to retrieve the password and use these credentials to log in and open an elevated CMD prompt

Troubleshooting steps

The most likely cause is that the target computer has Remote UAC enabled. Remote UAC stops local administrative accounts (including LAPS accounts) from running in an elevated mode over a network connection, which blocks their access to ADMIN$. To access ADMIN$ using a local account or a LAPS account, Remote UAC will need to be disabled.

This in no way impacts regular GUI-based (userland) UAC.

To disable Remote UAC, an entry will need to be made in the registry of the affected target computer. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.

A reboot is recommended but not required. Restarting the Server service, however, is necessary.
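
The registry change and Server service restart above, scripted in PowerShell as an added example (not PDQ's own code). The function names Get-RemoteUacState and Set-RemoteUacState are hypothetical; LanmanServer is the service name of the Server service, and the script assumes an elevated session on the target with the SmbShare module available (Windows 8 / Server 2012 or later).

```powershell
#Requires -RunAsAdministrator
# Added example: report, then set, the Remote UAC override described above.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Value absent or 0: Remote UAC filtering is active (the default).
    # Value 1: filtering is off, local admins get a full token remotely.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$Name -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-RemoteUacState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Default')]
        [string]$State
    )
    if ($State -eq 'Disabled') {
        # Create (or overwrite) the DWORD with a value of 1.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Remove the value to return to the default filtered behaviour.
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    }
    # The article requires a Server service restart. -Force also restarts
    # dependent services; existing SMB sessions to this machine are dropped.
    Restart-Service -Name LanmanServer -Force
}

Write-Output "Before: $(Get-RemoteUacState)"
Set-RemoteUacState -State Disabled
Write-Output "After:  $(Get-RemoteUacState)"

# Confirm the administrative share is still published after the restart.
Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue | Select-Object Name, Path
```

Set-RemoteUacState -State Default removes the value and restores the filtered token for remote logons by local accounts. While the value is 1, every local administrator account on the machine receives a full token over the network, so unique per-machine passwords (as LAPS provides) matter.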

Additional Troubleshooting

Remote Repair Tool
You can also use the Remote Repair tool to troubleshoot ADMIN$ (and other) issues. To use the tool, select the troublesome machine, click Help on the main console menu and select Open Remote Repair (or press Ctrl+~).

GPO and Scripts
Check to make sure a GPO or a logon/logoff script is not specifically denying access to the ADMIN$.

Administrative Shares are Missing
In rare cases, the administrative shares are missing on the target machine(s). You can check to see if this is the case by running the following from a command prompt and reading the results.

net share

If those shares are missing, you will need to recreate them. To do so, please see this article:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing

Multiple Administrators
Where more than one administrator is listed in PDQ's credentials, both administrators must have explicit administrative rights on the target machine as well as the PDQ console.

Malware or Virus
In certain rare cases, a virus or malware could also cause interesting administrative share issues.
