It mentions the following:

 

"When a user with an administrator account in a Windows Vista computer's local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively log on to the computer to be administered."

 

We came across an interesting manifestation of this when using the "net use" command to connect to an admin share on a Vista machine (MachineV for now) from an XP machine (MachineX). Both machines were in separate unrelated domains. When using "net use m: \\MachineV\c$ * /user:MachineA\Abby" from MachineX (where Abby is member of the administrators group on MachineV) we got an error 5 or Access Denied. So apparently when the SAM account Abby was logged on to MachineV, we got the filtered token. If Abby were a domain account and both machines were in the same domain, I would be able to connect to the admin share c$.

 

There is however a UAC flag in the registry that allows you to toggle this behavior for local accounts:

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

  •    0 - build filtered token (Remote UAC enabled)
  •    1 - build elevated token (Remote UAC disabled)

 

If you set the DWORD entry to 1, you will be able to connect to the admin share since the remote login is not filtered.

 

Obviously this is not restricted to "net use" but applies to all variations of remote account logins.

 

Maarten