On Windows Vista when you map a drive under your admin account you will find that your mapped drive is not available after you switch to your full token via a RunAs or Consent dialog. This is by design because there are actually two tokens in play here. What happens is the LSA recognized that you are admin at logon and creates two logons. The first with a "filtered" token or non-admin which is used to render your desktop and the other containing your full token to be available after consent dialogs.
Because there are two separate logons there are separate logon ID's. When network shares are mapped they are linked to the current logon session for the current process token. Meaning you don't have access to the network drive from the alternate logon. This can come into play with logon scripts and a number of other areas where you may require access to a network share from both tokens.
If you set the following key it will change how SMB shares are mapped. They will be mapped to a token, which means that LSA will check to see if there is a linked token associated with the user session and add the network share to that location as well. Basically all of this means that after setting this drives will be accessible from both tokens no matter which they are mapped under.
Disclaimer: This is not supported by Microsoft and was never tested. Use at your own risk.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections = 1 (DWord)
Here are some more great tips
Posted
Feb 20 2007, 05:28 PM
by
Josh Phillips
Follow Me on Twitter
Did you enjoy this article? If yes, then subscribe to our
or
