Tuesday, November 17, 2009

Disable Remote UAC via Security Policy

Windows 7 / Server 2008 R2 restrict local admin account permissions, both locally and remotely, through the UAC mechanism: elevation is required to gain true admin permissions. This means a person attempting to remotely access administrative shares (ADMIN$, IPC$, C$, etc.) will be denied access even when using valid administrator credentials, because the local admin account's token has been 'filtered' of its admin permissions.

Microsoft offers a registry tweak to 'fix' this: http://support.microsoft.com/kb/951016, but I don't like registry tweaks. I think this setting should be included in Windows' Security Policy, so here's how to make that happen.

First, make a backup copy of %SYSTEMROOT%\inf\sceregvl.inf

Edit %SYSTEMROOT%\inf\sceregvl.inf as follows:

Under [Register Registry Values], add:
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy,4,%LocalAccountTokenFilterPolicy%,0

And under [Strings], add:
LocalAccountTokenFilterPolicy = User Account Control: Disable Remote UAC

Save the file.

Start > Run: cmd /c regsvr32 scecli.dll

Done! A new option, 'User Account Control: Disable Remote UAC', will be available in Security Settings\Local Policies\Security Options


Note: You may need to change the owner of sceregvl.inf and grant yourself full control, but be sure to set the owner back to what it was (NT SYSTEM\TrustedInstaller in my case).
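
The steps above as a PowerShell script. This is an added example, not code from the original post: the function names, the .bak backup name and the UTF-16 encoding of the file are assumptions, and the last function reports whether the registry value from KB951016 is currently set on the machine.

```powershell
# Added example, not code from the original post. Run elevated; write access to
# the file is assumed (see the ownership note above).
$RegLine = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy,4,%LocalAccountTokenFilterPolicy%,0'
$StrLine = 'LocalAccountTokenFilterPolicy = User Account Control: Disable Remote UAC'

function Add-LineToSection {
    param([System.Collections.Generic.List[string]]$Lines, [string]$Section, [string]$NewLine)
    if ($Lines.Contains($NewLine)) { return }            # already added: nothing to do
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].Trim() -ieq "[$Section]") {       # section header line
            $Lines.Insert($i + 1, $NewLine)
            return
        }
    }
    throw "Section [$Section] not found; file left unchanged."
}

function Add-RemoteUacPolicyEntry {
    param([string]$Path = (Join-Path $env:SystemRoot 'inf\sceregvl.inf'))
    $backup = "$Path.bak"
    if (-not (Test-Path -LiteralPath $backup)) {         # keep the first backup only
        Copy-Item -LiteralPath $Path -Destination $backup
    }
    $lines = [System.Collections.Generic.List[string]](Get-Content -LiteralPath $Path)
    Add-LineToSection -Lines $lines -Section 'Register Registry Values' -NewLine $RegLine
    Add-LineToSection -Lines $lines -Section 'Strings' -NewLine $StrLine
    # Assumption: the INF is stored as UTF-16 ("Unicode"); change this if yours is not.
    Set-Content -LiteralPath $Path -Value $lines -Encoding Unicode
}

function Get-RemoteUacState {
    # Reads the value the new policy entry controls (KB951016): 1 = filtering off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($val -eq 1) { 'Remote UAC token filtering is DISABLED on this host.' }
    else            { 'Remote UAC token filtering is in effect (value absent or 0).' }
}

Add-RemoteUacPolicyEntry
Start-Process regsvr32.exe -ArgumentList 'scecli.dll' -Wait   # re-register, as in the post
Get-RemoteUacState
```

Pass -Path to Add-RemoteUacPolicyEntry to try the edit on a copy of the file first; running the script twice does not duplicate the two lines.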