Another cool tip from Kevin Royalty – a little group policy to make accessing the hard drives in Vista and Win7 easier:

The source of this tip started here:

In an SBS 2008 environment, I need to access the hard drive of client computers from the server occasionally for support purposes.  So, I took the info above and turned it into a GPO (Group Policy Object) that would apply to only Vista/7 systems.  Here is how I did it:

Log into your SBS 2008 Server, and go to Start…Administrative Tools…Group Policy Management.

Open up your Forest, then Domains, then your internal.local domain.  Locate the “Group Policy Objects” folder and open that, then right-click on “Windows SBS Client – Windows Vista Policy” and select “Edit”.

You should now be looking at the GPO.  Open up Computer Configuration, Preferences, Windows Settings and click on Registry.  We’re going to create a registry entry that will be dropped onto only the Vista/7 computers in this domain. Right-click in the window to the right and select “New > Registry Item”.  Match the following:

Action: Create


Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Value Name: LocalAccountTokenFilterPolicy

Value Type: REG_DWORD

Value data: 1

Base: Decimal

Click OK and you should see your new registry entry on the right side of the editor.  Close the editor, and within a few minutes your registry entry should be pushed out to the Vista/7 workstations. You should then be able to get to them with Start…Run \\computername\c$, as long as the other necessary services are running on the workstation and the ports are opened in the firewall on that PC as well.
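To see where this value has actually landed, here is a read-only audit, added as an example and not part of the original tip. With the value set to 1, local administrator accounts connecting over the network receive a full administrator token instead of the UAC-filtered one, so the script reports the value alongside domain membership and the enabled local accounts; the function name `Get-TokenFilterAudit` and the finding texts are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run locally on a workstation in
# Windows PowerShell (2.0 through 5.1). It only reads state and changes nothing.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterAudit {   # hypothetical helper name
    # A missing value behaves like 0: UAC remote restrictions stay in effect.
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $data = if ($prop) { [int]$prop.$ValueName } else { 0 }

    # PartOfDomain is $true on domain members and $false on workgroup machines.
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # Enabled accounts defined on this machine. The value only matters for
    # those that are also members of the local Administrators group.
    $accounts = @(Get-WmiObject -Class Win32_UserAccount `
            -Filter "LocalAccount=True AND Disabled=False" |
        ForEach-Object { $_.Name })

    if ($data -ne 1) {
        $finding = 'Not set: remote logons by local admin accounts get a filtered token.'
    }
    elseif ($cs.PartOfDomain) {
        $finding = 'Set on a domain member: domain admin accounts do not need it; review the GPO.'
    }
    else {
        $finding = 'Set on a workgroup machine: local admin accounts get a full token remotely.'
    }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        PartOfDomain         = $cs.PartOfDomain
        TokenFilterPolicy    = $data
        EnabledLocalAccounts = ($accounts -join ', ')
        Finding              = $finding
    }
}

Get-TokenFilterAudit | Format-List
```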


2 Responses to Kevin Royalty tip of the day – a little group policy to make accessing the harddrives in Vista and Win7 easier to do:

  1. Lee says:

    This shouldn’t be necessary and I really wouldn’t recommend it in a domain environment. As the original article states, you’re making your network less secure. If you just want access to the hidden admin shares for admin purposes, from a server, and you are logged on as a domain administrator then you will/should be able to access the admin shares of all domain member PCs anyway. If you can’t, it’s probably not because of this.

    The tip is useful in non-domain environments where you are trying to access a remote machine with a local-to-that-machine administrator credential (which is where the UAC bit comes in) but I would definitely say to avoid this in domain environments as it’s completely unnecessary (and you’ll just be giving domain non-admins another opportunity to try and do something they really shouldn’t need to do anyway).


  2. Dean says:

    Lee is correct. Here is the original KB article

    You only need to add that key for LOCAL accounts.

    Plus I would bet that there is a PowerShell way around it without having to edit the registry. Can’t say for sure though.