Unable to access administrative shares with local admin

Local user accounts (Security Account Manager user account)

When a user who is a member of the local Administrators group on the target remote computer establishes a remote administrative connection, for example by using the net use * \\remotecomputer\Share$ command, they do not connect as a full administrator. The user has no elevation potential on the remote computer and cannot perform administrative tasks. To administer the workstation with a Security Account Manager (SAM) account, the user must log on interactively to the computer that is to be administered, by using Remote Assistance or Remote Desktop if these services are available.

Domain user accounts (Active Directory user account)

When a user who has a domain user account and is a member of the Administrators group logs on remotely to a Windows Vista computer, the domain user runs with a full administrator access token on the remote computer, and UAC is not in effect.

To fix this issue

  1. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  2. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
    1. On the Edit menu, point to New, and then click DWORD Value.
    2. Type LocalAccountTokenFilterPolicy, and then press ENTER.
  3. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  4. In the Value data box, type 1, and then click OK.
  5. Exit Registry Editor.
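
The same change can be scripted. The PowerShell below is an added example, not part of the Microsoft article: it reads the current value, sets it only if needed, and reports the before and after state so the change can be audited and reverted. The function names Get-TokenFilterPolicy and Set-TokenFilterPolicy are hypothetical; the subkey and entry name are the ones from the steps above.

```powershell
# Added example: scripted equivalent of the Registry Editor steps above.
# Function names are hypothetical; key path and value name come from the steps.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns the current DWORD value, or $null when the entry does not exist
    # (absent behaves like 0: local-account tokens are filtered on remote connections).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Set-TokenFilterPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    $before = Get-TokenFilterPolicy
    if ($before -eq $Value) {
        Write-Verbose "$PolicyName is already $Value; nothing to change."
    }
    elseif ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", "Set DWORD to $Value")) {
        # -Force creates the entry if missing or overwrites the existing one.
        New-ItemProperty -Path $PolicyKey -Name $PolicyName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    # Emit a record of the change for logging or change tracking.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = Get-TokenFilterPolicy
    }
}

# Run from an elevated PowerShell session on the computer that hosts the share.
Set-TokenFilterPolicy -Value 1 -Verbose
# To restore filtered tokens for local accounts: Set-TokenFilterPolicy -Value 0
```

With the value set to 1, every local account in the Administrators group receives a full administrator token on remote connections, so record the Before value and limit the change to machines that need it.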

 

Source: https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
