Fix for accessing administrative shares when deploying Windows Server 2012 R2 using MDT

If you deployed a Windows Server 2012 R2 image with MDT to a machine (physical or virtual) you quickly learned that connecting to the administrative shares, C$, D$ etc. as Administrator is not very easy.

The reason is that MDT sets the FilterAdministratorToken registry value to 1 during deployment, which prevents access to the administrative shares. If you try to do a net use or similar, you are greeted by a non-shiny: System error 5 has occurred. Access is denied.

image
Trying to connect to C$ as Administrator when FilterAdministratorToken is set to 1.

Note: This is typically not a problem in a normal production environment, where you are using a different admin account, are joined to the domain etc. But when testing stuff in a lab or other standalone / workgroup setup, this is useful info to know about.

The Fix

Simply navigate to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system registry key, and change the FilterAdministratorToken registry value to 0. No reboot required. Here is how to set the value using PowerShell:

$RegKey ="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
Set-ItemProperty -Path $RegKey -Name FilterAdministratorToken -Value 0

if you want to check the value using PowerShell you can use the following command:

$RegKey ="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
(Get-ItemProperty -Path $RegKey).FilterAdministratorToken
image
Setting (and reviewing) the value in PowerShell.
image
Reviewing the FilterAdministratorToken value using the Registry Editor.

And happiness, connection now works 🙂

image
Connecting working as expected after changing the FilterAdministratorToken value.
About the author

Johan Arwidmark

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

>