Key Points
- LocalAccountTokenFilterPolicy is a DWORD value in the Windows registry that controls remote access to user accounts belonging to the local Administrators group.
- Remote UAC Restrictions refer to a security setting that allows or disallows local administrators to connect to the computer remotely.
- Disabling UAC remote restrictions increases the attack surface area and drastically increases the chances of your system being infiltrated.
The User Access Control (UAC) is a Windows feature that introduces an additional security prompt so that only authorized people and apps can make changes to the system and its configurations. In a previous post, we discussed several ways to disable UAC. However, it does not come without its implications.
In this article, we are going to talk about a similar item, which is a registry value in the Windows systems by the name “LocalAccountTokenFilterPolicy.” This DWORD is closely associated with the UAC feature of Windows and needs to be configured if you want to access a computer’s resources remotely using a local administrator account.
Let us dig into the details further to learn what LocalAccountTokenFilterPolicy is and how it should be configured to allow remote access.
Table of Contents
On This Page
What is LocalAccountTokenFilterPolicy
The LocalAccountTokenFilterPolicy is a DWORD value in the Windows registry. This value controls whether remote access is permitted to the user accounts connecting remotely, belonging to the local Administrators group.
The LocalAccountTokenFilterPolicy DWORD does not exist by default and needs to be created and configured manually. It needs to be present at the following path to allow remote connections and also to enable the Windows Remote Management (WinRM) service.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
When the Value Data for LocalAccountTokenFilterPolicy is set to “1,” the WinRM service is enabled and thus the local administrator’s user account is permitted to connect remotely. This also disables the remote UAC restrictions for all users that are a member of the local Administrators group.
When to Disable UAC Remote Restrictions
If you see the “Access is denied” error prompt, or a similar error such as the one above, when attempting to connect remotely to a computer on the network, especially when using the net use “\\RemoteComputerName\Directory” command, or while using the PsExec utility from PsTools by SysInternals, that is when you should consider disabling the remote UAC restrictions on the target computer.
That being said, note that you only need to disable the UAC remote restrictions if you are using a local administrator account to access it.
As per Microsoft’s documentation, the local user accounts, when connecting remotely, has no elevation potential on the remote computer, and the user cannot perform administrative tasks. Therefore, to gain complete administrative privileges remotely, you must either connect to the computer using the Remote Desktop Connection utility, or you can use the LocalAccountTokenFilterPolicy DWORD to disable the UAC remote restrictions.
On the other hand, if you are connecting remotely using a domain administrator account, then you do not need to disable the UAC remote restriction. Microsoft says that “the domain user will run with a full administrator access token on the remote computer, and UAC won’t be in effect.” Therefore, if you are connecting remotely with a domain administrator, you do not need to configure the LocalAccountTokenFilterPolicy DWORD.
Is it Safe to Disable UAC Remote Restrictions?
As mentioned earlier, you can disable the UAC remote restrictions using the LocalAccountTokenFilterPolicy DWORD and settings its Value Data to “1”. However, the question is, whether you should do it or not.
When the UAC remote restriction is disabled, any local administrator user can remotely connect to the computer with full high-integrity tokens. This means that they will have full administrative rights, enabling them to make all sorts of changes to the system.
If the LocalAccountTokenFilterPolicy exists, and its value is “1”, then the computer will be vulnerable to remote connections, giving hackers a convenient way to gain unauthorized access to the computer.
Many Microsoft documentation even recommends that you set the LocalAccountTokenFilterPolicy to 1. However, as mentioned above, it is not the wisest choice.
That said, there are certain scenarios where you must absolutely disable the UAC remote restrictions and access the computer with complete administrative privileges. For those scenarios, you must disable UAC remote restrictions. However, it is recommended that you re-enable the remote restrictions once your work is done.
Disable UAC Remote Restrictions With LocalAccountTokenFilterPolicy
Now that you completely understand what the LocalAccountTokenFilterPolicy is and what it does, if you still wish to disable the UAC remote restrictions, here are a few methods to do so.
Note: All of the methods below make changes to the Windows Registry. Misconfiguration of critical values in the system’s registry could be fatal for your operating system. Therefore, we insist that you create a system restore point or a complete system image backup before proceeding forward with the process.
You can also use our top selection of disk imaging and backup software so you never lose your data or operating system again.
Disable UAC Remote Restrictions through Registry Editor
Here are the steps to create and configure the LocalAccountTokenFilterPolicy manually through the Registry editor:
-
Press the Windows Key + R shortcut keys to launch the Run Command box.
-
Type in “regedit” and press Enter.
Open the Registry Editor -
Navigate to the following path from the left pane:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Navigate to the System key in Windows Registry -
Right-click “System,” expand New, then click “DWORD (32-bit) Value.”
Create a new DWORD -
Name the DWORD “LocalAccountTokenFilterPolicy“.
Create the LocalAccountTokenFilterPolicy DWORD -
Double-click “LocalAccountTokenFilterPolicy,” type in “1” in the Value Data field, and then click Ok.
Set Value Data for LocalAccountTokenFilterPolicy to 1 -
Restart the computer.
When the computer restarts, the UAC remote restrictions will now be disabled, and you should be able to access the remote computer using your local administrator account with full administrative privileges.
To re-enable the UAC remote restrictions, simply change the Value Data for the LocalAccountTokenFilterPolicy to “0” and restart the computer.
If you want to skip all of the complicated steps above, you can also disable the UAC remote restrictions using the command line, with a single command.
Disable UAC Remote Restrictions from Command Line
You can use the following command that will create and configure the LocallAccountTokenFilterPolicy DWORD to disable the UAC remote restrictions.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t Reg_DWORD /d 1This command can be executed inside the Run Command box, or an elevated Command Prompt or PowerShell instance. After running the command, restart the computer for the changes to take effect.
If you want to re-enable it later on, use this command instead:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t Reg_DWORD /d 0Disable UAC Remote Restrictions from Group Policy
You can also configure the UAC remote restrictions by managing your Group Policy. However, the Windows OS natively does not include any policies to manage the UAC remote restrictions. Therefore, you need to use the Windows version-specific Security Baseline to manage it.
This method is also helpful if you are experiencing the LocalAccountTokenFilterPolicy automatically changing its value each time you restart your computer. It is likely because the Group Policy is configured differently than what you are setting in the Registry Editor.
To begin, download the Windows version respective Security Baseline from this Microsoft Security Compliance Toolkit.
Once downloaded, proceed to perform the following steps to disable the UAC remote restrictions using the Group Policy Editor:
-
Extract the downloaded Security Baseline.
Extract the Security Baseline -
Navigate to the “Scripts” folder inside the extracted Security Baseline folder.
-
Right-click “Baseline-LocalInstall” and then click “Run with PowerShell.”
Run baseline script with PowerShell The PowerShell window will now appear briefly and close automatically, to run the script.
-
Now, jump back a folder and enter the “Templates” folder.
-
Copy the “SecGuide.admx” file and paste it at the following location:
C:\Windows\PolicyDefinitions
If asked for administrative privileges, provide them.
-
Now, back inside the extracted Security Baseline folder, go to “Templates\en-US“.
Note: The “en-US” folder can have a different name, depending on the language you have downloaded it in.
-
Copy the item “SecGuide.adml” and paste it at the following path:
C:\Windows\PolicyDefinitions\en-US
Note: The “en-US” folder can have a different name, depending on the language of your OS.
-
Restart the computer for the changes to take effect.
-
After the restart, press the Windows Key + R to open the Run Command box.
-
Type in “gpedit.msc” and press Enter.
Open the Group Policy Editor -
Navigate to the following from the left pane:
Local Computer Policy > Computer Configuration > Administrative Templates > MS Security Guide
Navigate to the MS Security Guide folder in the Group Policy Editor Note: If you do not see the “MS Security Guide” folder, then you either did not apply the Security Baseline correctly (Step 3) or did not copy the SecGuide.admx or the SecGuide.adml correctly (Steps 4 through 7). Go back and repeat these steps.
-
Double-click the policy “Apply UAC restrictions to local accounts on network logons.”
Apply UAC restrictions to local accounts on network logons group policy -
Select “Disabled,” and then click Apply and Ok.
Disable the UAC restrictions from Group Policy -
Now either restart the computer or run the following command in an elevated Command Prompt for the changes to take effect:
GPUpdate /Force
Once the computer restarts, UAC remote restriction will now be disabled. You should now be able to access the remote computer using a local administrator account with full administrative privileges.
In the case you want to re-enable remote restriction, simply select “Enabled” from the “Apply UAC restrictions to local accounts on network logons” Group Policy and restart the PC.
Note that when this policy is set to “Not Configured,” which is the default state when you install the Windows Security Baseline, the UAC remote restriction is enabled by default. Therefore, if you make any changes only to the LocalAccountTokenFilterPolicy in the Registry, the Group Policy will revert it when the computer restarts.
Takeaway
This article lists 3 methods to disable the UAC remote restrictions and allow the local administrator users to connect t the target computer with full administrative rights. This would allow them to make any changes to the system at their discretion.
Even Microsoft advises that you should set the LocalAccountTokenFilterPolicy to “1” from the Windows Registry, and disable the UAC remote restrictions. However, this is not always the wisest decision. Disabling UAC remote restrictions increase the attack surface area and drastically increases the chances of your system being infiltrated.
Therefore, we advise that you do not leave the UAC remote restrictions disabled for long, and re-enable it as soon you no longer require remote access.
