Access Denied to Administrative Shares

As described in MS KB article 951016, Microsoft introduced, as part of UAC, a little-known feature called “UAC remote restrictions”. It filters the access token of network connections made with local user accounts or Microsoft accounts (the latter typically have the format MicrosoftAccount\EMailAddress): the SID for “Administrators” is stripped from the token, so the connection is not treated as administrative. Connections made with domain accounts are unaffected.

From KB951016:

If the user wants to administer the workstation with a Security Account Manager (SAM) account, the user must interactively log on to the computer that is to be administered with Remote Assistance or Remote Desktop, if these services are available.

Whether one likes this or not, the fix is luckily simple: UAC remote restrictions can be disabled by setting the registry value LocalAccountTokenFilterPolicy to 1. Open PowerShell as Administrator and run:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Now the connection with a local account should work.

Source: https://helgeklein.com/blog/access-denied-trying-to-connect-to-administrative-shares-on-windows-7/

Repairing the Domain Trust Relationship

If a computer is restored from an old restore point or a snapshot created before the computer’s password was changed in AD, the machine password in the snapshot will differ from the password stored on the AD computer object.

When the trust relationship between a workstation and the Active Directory domain is broken, you will encounter errors such as:

The trust relationship between this workstation and the primary domain failed.

or

The security database on the server does not have a computer account for this workstation trust relationship.

To restore trust between the machine and the domain, you must log on to the computer locally using an account with local administrator privileges. Open an elevated terminal session and check whether you still have a valid trust relationship with the AD domain with the following PowerShell command:

Test-ComputerSecureChannel -Verbose

If the result is something like

VERBOSE: The secure channel between the local computer and the domain <DOMAIN> is broken.

you can fix it by running the repair command:

Test-ComputerSecureChannel -Repair -Credential <DOMAIN>\<ADMINUSER> -Verbose

The result should look like this:

VERBOSE: The secure channel between the local computer and the domain <DOMAIN> was successfully repaired.

No reboot is needed, and the computer object does not have to be removed from and re-added to AD.
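The two checks from the sections above, combined into one read-only audit function. This is an added example and not code from the original post; the function and property names are my own, and the audit deliberately never calls -Repair or writes to the registry, so it can be run across a fleet without side effects.

```powershell
# Added example (not from the original post): audit UAC remote restrictions and
# the domain secure channel on the local machine and return one report object.
function Get-RemoteAdminAuditReport {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $valName = 'LocalAccountTokenFilterPolicy'

    # A missing value means the Windows default: UAC remote restrictions are active
    # and local/Microsoft accounts receive a filtered token over the network.
    $policy = (Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue).$valName
    if ($null -eq $policy) { $policy = 0 }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $channelOk = $null
    $channelMsg = 'not domain-joined; secure channel not applicable'
    if ($cs.PartOfDomain) {
        # Test-ComputerSecureChannel returns $true or $false. -Repair is left out on
        # purpose so this function only reports and never changes the machine account.
        $channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
        if ($channelOk) { $channelMsg = "secure channel to $($cs.Domain) is healthy" }
        else { $channelMsg = "secure channel to $($cs.Domain) is broken; run Test-ComputerSecureChannel -Repair" }
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = $policy
        UacRemoteRestrictionsActive   = ($policy -ne 1)   # 1 = full admin token for local accounts over the network
        DomainJoined                  = [bool]$cs.PartOfDomain
        SecureChannelHealthy          = $channelOk
        Note                          = $channelMsg
    }
}

# Usage (elevated session): Get-RemoteAdminAuditReport | Format-List
```

A host that reports UacRemoteRestrictionsActive = False is one where the registry change from the first section has been applied; keep a list of those machines, since the setting is easy to forget once the share problem is solved.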

Enable EXT4 quotas on root partition

Enabling ext4-native quota on a root partition is not straightforward: tune2fs needs the device to be unmounted, so normally it can only be done when booted from a live disk or similar… Yeah, whoever took that decision needs to be punished. I found a script which tunes the filesystem before it gets mounted at boot time. Here is the script:

#!/bin/bash
# Build a one-shot initramfs that enables the ext4 quota feature on the root
# filesystem before it is mounted (tune2fs -O quota needs the device unmounted).

cat > /etc/initramfs-tools/scripts/init-premount/ext4_quota <<"EOF"
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

# ${ROOT} is set by the initramfs init from the root= kernel parameter.
# Use a brace group here, not a subshell: "exit" inside ( ... ) only leaves
# the subshell, and tune2fs -O would still run on a non-ext filesystem.
/sbin/tune2fs -l "${ROOT}" | grep -q features || { echo "no ext4 found in ${ROOT}"; exit 0; }
echo "Enabling ext4 quota on ${ROOT} "
/sbin/tune2fs -O quota "$ROOT" || echo "tune2fs: $?"
EOF

chmod 0755 /etc/initramfs-tools/scripts/init-premount/ext4_quota

# Hook that copies tune2fs (and the libraries it needs) into the initramfs.
cat >/etc/initramfs-tools/hooks/tune2fs <<"EOF"
#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/tune2fs /sbin
EOF

chmod 0755 /etc/initramfs-tools/hooks/tune2fs

update-initramfs -k all -u
# Remove the hook files again: the initramfs just built still contains them, so
# quota gets enabled on the next boot, and they disappear on the next rebuild.
rm -v /etc/initramfs-tools/scripts/init-premount/ext4_quota /etc/initramfs-tools/hooks/tune2fs

I found the script over here:

https://anton.dollmaier.name/2024/10/enable-native-filesystem-quotas-in-ext4

Thank you a ton dear Anton!