Mapped network drives are not visible

Mapped network drives in Windows or Windows Server are not visible in an application.

Symptoms

An application that is running as administrator (elevated) doesn't show the user's drive mappings. When the application is run normally, without Run as administrator, the mapped network drives are visible.

Cause

A user's administrator account access token is split into two access tokens: a full administrator access token and a standard user access token.

Let's look at the information Microsoft provides us:

Microsoft KB937624

When UAC is enabled, the system creates two logon sessions at user logon. Both logon sessions are linked to one another. One session represents the user during an elevated session, and the other session where you run under least user rights.

When drive mappings are created, the system creates symbolic link objects (DosDevices) that associate the drive letters to the UNC paths. These objects are specific for a logon session and are not shared between logon sessions.

Note: The EnableLinkedConnections registry entry forces the symbolic links to be written to both linked logon sessions that are created, when UAC is enabled.

When the UAC policy is configured to Prompt for credentials, a new logon session is created in addition to the existing two linked logon sessions. Previously created symbolic links that represent the drive mappings will be unavailable in the new logon session.

Microsoft KB3035277

This problem occurs because User Account Control treats members of the Administrators group as standard users.

When a member of the Administrators group logs on to a Windows Vista-based and newer computer that has User Account Control enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and if you want to perform a task that requires a full administrator access token, User Account Control prompts you for approval. For example, you are prompted if you try to edit security policies on the computer. If you click Allow in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to Windows Vista or newer, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user clicks Allow in a User Account Control dialog box.

If a user is logged on to Windows Vista or newer, and if User Account Control is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs.

When network shares are mapped, they are linked to the current logon session for the current process access token. This means that, if a user uses the command prompt (Cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.

Resolution

Possible workarounds or resolutions:

Resolution 1

  • Map the drives again in the elevated session. This can be done with a script that runs with the same permissions: run the script with Run as administrator.

Resolution 2

  1. In Local Group Policy Editor, locate the following Group Policy path: Local Computer Policy\Windows Settings\Security Settings\Local Policies\Security Options
  2. Configure the following policy to Prompt for consent: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.

Resolution 3

  1. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  2. Right-click Configuration, select New, and then select DWORD (32-bit) Value.
  3. Name the new registry entry as EnableLinkedConnections.
  4. Double-click the EnableLinkedConnections registry entry.
  5. In the Edit DWORD Value dialog box, type 1 in the Value data field, and then select OK.
  6. Exit Registry Editor, and then restart the computer.
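
To confirm which of the causes above applies before changing anything, the following read-only PowerShell check (an added example, not part of the Microsoft articles) reports whether the current process is elevated, the settings that Resolution 2 and Resolution 3 change, and the network drive letters visible to the current logon session. The value names ConsentPromptBehaviorAdmin and EnableLUA do not appear in the text above; they are the registry values behind the UAC policies and sit in the same Policies\System key.

```powershell
# Added example: read-only diagnostic for the drive-mapping visibility issue.
# Run it once from a normal prompt and once from an elevated prompt, then compare.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value does not exist under the policy key.
    (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

# True only when the Administrators group is enabled in this process's token,
# i.e. the process uses the full administrator token rather than the filtered one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Meaning of ConsentPromptBehaviorAdmin (elevation prompt for administrators).
$promptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$prompt = Get-PolicyValue 'ConsentPromptBehaviorAdmin'
$linked = Get-PolicyValue 'EnableLinkedConnections'

[pscustomobject]@{
    User                    = $identity.Name
    Elevated                = $elevated
    EnableLUA               = Get-PolicyValue 'EnableLUA'
    EnableLinkedConnections = if ($null -eq $linked) { 'not set' } else { $linked }
    ElevationPrompt         = if ($null -eq $prompt) { 'not set' } else { $promptNames[[int]$prompt] }
} | Format-List

# Network drive letters visible to THIS logon session only.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like '\\*' } |
    Select-Object Name, DisplayRoot
```

If the drive list is populated in the normal prompt but empty in the elevated one while EnableLinkedConnections shows "not set", the mappings exist only in the filtered logon session, as described under Cause.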

Resolution 4

To work around this issue, use the net use command together with a UNC name to access the network location. For example, at a command prompt, type the following command, and then press Enter:

net use \\<computername>\<sharename> /user:<username>
