When a user in another domain is a member of the Administrators group on the local computer, the user cannot connect to the local computer remotely with Administrator privileges. By default, remote connections from other domains run with only standard user privilege tokens. However, you can use the LocalAccountTokenFilterPolicy registry entry to change the default behavior and enable remote users who are members of the Administrators group in another domain to run Windows PowerShell with Administrator privileges in the local domain.

If users try to connect to a remote computer when they do not have sufficient permission, Windows PowerShell generates the following error message.

    ERROR:ACCESS IS DENIED

Caution:
The LocalAccountTokenFilterPolicy registry entry disables User Account Control (UAC) remote restrictions for all users of all affected computers. Consider the implications of this setting carefully before changing the policy.

To enable administrators in other domains to connect remotely to the local computer

  • Set the value of the LocalAccountTokenFilterPolicy registry entry to 1.

    For example, the following command uses the New-ItemProperty cmdlet and the Windows PowerShell Registry Provider to create the LocalAccountTokenFilterPolicy registry entry on the local computer and set its value to 1.

    New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1
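Because the entry affects every user of the computer, it is worth checking its current state before and after a change. The following script is an added example, not part of the original documentation: it reports whether the entry is present and whether UAC remote restrictions are disabled, and can remove the entry again. The function names Get-TokenFilterPolicyState and Reset-TokenFilterPolicy are hypothetical, and the script assumes that a missing entry means the default (restricted) behavior applies.

```powershell
# Added example: audit and optionally revert LocalAccountTokenFilterPolicy.
# Path and entry name are the ones used by the command above.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyState {    # hypothetical helper name
    # Returns nothing (no error) when the entry has never been created.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue

    # Assumption: an absent entry means the default, restricted behavior.
    $value = if ($null -ne $item) { $item.$PolicyName } else { $null }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        EntryPresent                  = ($null -ne $item)
        Value                         = $value
        UacRemoteRestrictionsDisabled = ($value -eq 1)
    }
}

function Reset-TokenFilterPolicy {       # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $state = Get-TokenFilterPolicyState
    if (-not $state.EntryPresent) {
        return $state                    # nothing to revert
    }

    # Requires an elevated session; honors -WhatIf and -Confirm.
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$PolicyName", 'Remove registry entry')) {
        Remove-ItemProperty -Path $PolicyPath -Name $PolicyName
    }
    Get-TokenFilterPolicyState           # report the state after the change
}

# Report the current state of the local computer.
Get-TokenFilterPolicyState

# Preview the revert without changing the registry:
# Reset-TokenFilterPolicy -WhatIf
```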
    
