After you turn on User Account Control in Windows Vista, programs may be unable to access some network locations

Article ID : 937624
Last Review : July 20, 2007
Revision : 1.2

SYMPTOMS

After you turn on User Account Control in Windows Vista, programs may be unable to access some network locations. This problem may also occur when you use the command prompt to access a network location.

Note To turn on User Account Control, you click Allow in a User Account Control dialog box.

CAUSE

This problem occurs because User Account Control treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

When a member of the Administrators group logs on to a Windows Vista-based computer that has User Account Control enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and if you want to perform a task that requires a full administrator access token, User Account Control prompts you for approval. For example, you are prompted if you try to edit security policies on the computer. If you click Allow in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to Windows Vista, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user clicks Allow in a User Account Control dialog box.

If a user is logged on to Windows Vista and if User Account Control is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs.

When network shares are mapped, they are linked to the current logon session for the current process access token. This means that, if a user uses the command prompt (Cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To resolve this problem, configure the EnableLinkedConnections registry value. This value enables Windows Vista to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, LSA checks whether there is another access token that is associated with the current user session if a network resource is mapped to an access token. If LSA determines that there is a linked access token, it adds the network share to the linked location.

To configure the EnableLinkedConnections registry value, follow these steps:

1. Click Start, type regedit in the Start Search box, and then press ENTER.
2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. Point to New, and then click DWORD Value.
4. Type EnableLinkedConnections, and then press ENTER.
5. Right-click EnableLinkedConnections, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor, and then restart the computer.
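
The same change as steps 1 through 7, scripted in PowerShell. This is an added example, not part of the original Microsoft article; the function names are hypothetical, and it assumes PowerShell is installed and the script is started from an elevated prompt.

```powershell
# Added example (not Microsoft's own code): scripted form of steps 1-7.
# Writing under HKLM requires the full administrator access token.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableLinkedConnections'

function Test-FullAdminToken {
    # In the filtered token the Administrators group is deny-only,
    # so IsInRole returns $false unless the process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LinkedConnectionsState {
    # Returns the current value data, or $null when the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Enable-LinkedConnections {
    if (-not (Test-FullAdminToken)) {
        throw 'This process holds the filtered token; start an elevated prompt and retry.'
    }
    if ((Get-LinkedConnectionsState) -eq 1) {
        Write-Output "$ValueName is already 1; no change made."
        return
    }
    # -Force overwrites an existing value, including one created with the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$ValueName set to 1. Restart the computer for the change to take effect."
}

Enable-LinkedConnections

# After the restart, run this in both a normal and an elevated prompt and
# compare the output to confirm that mapped shares appear in each.
net use
```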

APPLIES TO
• Windows Vista Home Basic
• Windows Vista Home Premium
• Windows Vista Ultimate
• Windows Vista Business
• Windows Vista Enterprise
• Windows Vista Starter
• Windows Vista Home Basic 64-bit Edition
• Windows Vista Home Premium 64-bit Edition
• Windows Vista Ultimate 64-bit Edition
• Windows Vista Business 64-bit Edition
• Windows Vista Enterprise 64-bit Edition
• Windows Vista Home Basic N 64-bit Edition
• Windows Vista Business N 64-bit Edition

Keywords: 
kbtshoot kbexpertiseinter kbprb KB937624

Microsoft Knowledge Base Article

The content of this article is Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

