Windows Remote UAC Setting in a Group Policy Workaround

Document ID : KB000118437
Last Modified Date : 24/10/2018
Introduction:
A PAM administrator would like to know how to set the UAC policy required for Windows Remote through a Group Policy Object (GPO):

If User Account Control (UAC) is enabled on the target server, and the administrator account for password management is a local administrator, set this registry value. This registry setting gives the Windows Remote Connector access to perform SMB and WMI operations on the target server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001

With the value set to 1, UAC remote restrictions no longer filter the token of a local administrator account on remote connections, so the account connects with its full administrator token.
Environment:
PAM 3.x
Instructions:
LocalAccountTokenFilterPolicy cannot be set through an explicit configuration option within the Group Policy Management Editor. Instead, it needs to be set by defining a custom registry item. Within the Group Policy Management Editor this can be done as follows:
  1. Run gpmc.msc
  2. Create an Organizational Unit called "PAM Windows Remote Servers"
  3. Add all PAM Windows Remote Servers to this Organizational Unit
  4. Right-click this new Organizational Unit
  5. Select "Create a GPO in this domain, and Link it here"
  6. Give the GPO a name (e.g. PAM WMI Registry Settings GPO)
  7. Select this newly created GPO
  8. Right-click it and select "Edit"
  9. Go to Computer Configuration >> Preferences >> Windows Settings
  10. Right-click Registry >> New >> Registry Item, and set:
      Action: Update
      Hive: HKEY_LOCAL_MACHINE
      Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      Value Name: LocalAccountTokenFilterPolicy
      Value Type: REG_DWORD
      Value Data: 1
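
The same steps can be scripted and then verified on the targets. The PowerShell below is an added example, not part of the original KB article or the product's own tooling. The domain DN `DC=example,DC=com` and the server names are placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules plus WinRM access to the targets for the final check.

```powershell
# Added example: scripted form of the GPMC steps above.
# Run as a domain administrator on a machine with RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

# Assumptions (placeholders, not from the KB article): domain DN and server names.
$DomainDn = 'DC=example,DC=com'
$Servers  = @('SRV-APP01', 'SRV-APP02')
$OuName   = 'PAM Windows Remote Servers'
$GpoName  = 'PAM WMI Registry Settings GPO'
$OuDn     = "OU=$OuName,$DomainDn"
$Key      = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Value    = 'LocalAccountTokenFilterPolicy'

# Steps 2-3: create the OU if it is missing, then move the target servers into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $DomainDn }
foreach ($s in $Servers) {
    Get-ADComputer -Identity $s | Move-ADObject -TargetPath $OuDn
}

# Steps 4-6: create the GPO and link it to this OU only, so the setting
# does not reach machines outside the PAM-managed set.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $OuDn | Out-Null
}

# Steps 7-10: Computer Configuration > Preferences > Windows Settings > Registry.
# Skip if the item already exists so reruns do not add duplicate items.
$item = Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $Key `
          -ValueName $Value -ErrorAction SilentlyContinue
if (-not $item) {
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
        -Key $Key -ValueName $Value -Type DWord -Value 1 | Out-Null
}

# Verify on each target after Group Policy has refreshed (gpupdate /force or reboot).
# An empty Value column means the policy has not been applied to that server yet.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    $p = Get-ItemProperty -ErrorAction SilentlyContinue `
           -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
           -Name 'LocalAccountTokenFilterPolicy'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $p.LocalAccountTokenFilterPolicy
    }
} | Format-Table Computer, Value
```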
