After you turn on User Account Control in Windows Vista or in Windows 7, programs may be unable to access some network locations. This problem may also occur when you use the command prompt to access a network location.  This primarily affects users of applications that require drive mappings to network locations on the LAN.  If the drive mapping is accomplished by way of a Logon script running on the server, Windows refuses to the let the application access the mapped drive.

This has been observed in Made2Manage 6.0 and Visual CRM 6.2 and up, neither of which is officially supported on Windows 7.  (Upgrade to a newer version needed).

Why does this happen?

This problem occurs because User Account Control treats members of the Administrators group as standard users.

When a member of the Administrators group logs on to a Windows Vista-based computer or to a Windows 7-based computer that has User Account Control enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and if you want to perform a task that requires a full administrator access token, User Account Control prompts you for approval. For example, you are prompted if you try to edit security policies on the computer. If you click Allow in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to Windows Vista or to Windows 7, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user clicks Allowin a User Account Control dialog box.

If a user is logged on to Windows Vista or to Windows 7, and if User Account Control is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs.

Got all that?  Didn’t think so.  Here’s how you fix it:

Registry Fix

To work around this problem, configure the EnableLinkedConnections registry value. This value enables Windows Vista or Windows 7 to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, LSA checks whether there is another access token that is associated with the current user session if a network resource is mapped to an access token. If LSA determines that there is a linked access token, it adds the network share to the linked location.

To configure the EnableLinkedConnections registry value, follow these steps:

  1. Click Start, type regedit in the Start Search box, and then press Enter.
  2. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. Point to New, and then click DWORD Value.
  4. Type EnableLinkedConnections, and then press Enter.
  5. Right-click EnableLinkedConnections, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart the computer.