前面一篇文章已經提到了問題所在：

直接通過 對映網路(map network drive) 硬碟，run as Administrator的AP會出現無法訪問的情況，這是因為直接通過explorer上的map network drive按鈕進行對映網路硬碟的動作是沒有run在Admnistrator許可權下的，訪問許可權不match導致run as Adninistrator的AP無法訪問對映網路硬碟。

參考：

http://woshub.com/how-to-access-mapped-network-drives-from-the-elevated-apps/

    解決辦法有很多種：

方法一：前文提到的修改登錄檔中EnableLUA來解決，是Disable UAC，修改EnableLUA=0，disable UAC。它不同於我們經常使用的Disable UAC notification，而是真正的disable UAC。

參考：https://msdn.microsoft.com/zh-cn/library/ff715520.aspx

EnableLUA specifies whether Windows® User Account Controls (UAC) notifies the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA).

https://social.technet.microsoft.com/Forums/en-US/b06a0e1f-0d2e-4978-8eb5-49a7d766d49f/if-i-use-windows-10-default-administrator-account-i-cant-open-applications-else-my-operation?forum=win10itprogeneral

This behavior is by design.  The built-in administrator account is disabled and should only be enabled when there are no other administrator accounts available.  Enabling and using the built-in administrator account is not recommended and opening certain applications with that account will yield the "This app can't open" message.

During the out of box setup an account is created and added to the default administrators group.  This is the account that should be used.

文中提出瞭解決辦法是，重新建立一個非administartor許可權的使用者，在這個使用者上執行。筆者嘗試新建一個standard user，在這個使用者上執行calc.exe成功。

    很明顯，上述策略需要在不同的使用者去執行不同許可權的AP，這不是我們想要的結果。那麼我們只能繼續尋找其他方法。

方法二：在Administartor下利用net use來建立網路對映，net use使用說明如下：

NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [/USER:[dotted domain name\]username]
        [/USER:[[email protected] domain name]
        [/SMARTCARD]
        [/SAVECRED]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]


NET USE {devicename | *} [password | *] /HOME


NET USE [/PERSISTENT:{YES | NO}]

簡單舉個例子：

net use x: \\10.0.0.1\dir PASSWD /user:USERNAME

USERNAME和PASSWD分別為 \\10.0.0.1\dir的使用者名稱和密碼

利用Administartor執行後其他執行在Administartor的AP便可訪問x盤。這個方法的優點是不需要修改登錄檔、使用者資訊，缺點是每次啟動需要手動執行或者建立bat加入自啟動。

方法三：修改登錄檔項EnableLinkedConnections

• Open the registry editor (regedit.exe)
• Go toHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• Create a new parameter (DWORD type) with the name EnableLinkedConnections and the value 1 
• restart

這種方法的原理如下，不同許可權對應於不同的access token，普通許可權map的network drive用的是token2，administtrator許可權用的是token1，這樣無法利用token1訪問token2 map的network drive。而EnableLinkedConnections=1，在map network drive的同時，check是否有多個token，如果有則同時為所有的token做一份copy，保證每個token都可以訪問此network mapped drive.

root cause:

Why does it happen? This peculiarity is connected with UAC mechanism for a user with the local administrator privileges. The matter is that when this user signs in, two access tokens are created: the first token provides access without the administrator privileges (the filtered access token, with which most apps are run) and the second is the administrator token with full privileges in the system (all apps approved elevated in UAC are run using it).

When connecting shared network folders, they are associated with the current session for the current process access token and are not available with another token.

How it works. After you enable EnableLinkedConnections parameter of the registry, LanmanWorkstation and LSA will check if there is the second access token associated to the session of the current user. If this token is found, the list of the mounted network drives will be copied from one token to another. Thus, the network drives mounted elevated will be seen in the standard mode, and vice versa.

參考：

http://woshub.com/how-to-access-mapped-network-drives-from-the-elevated-apps/

總結下最簡單方法的方法：

• Open the registry editor (regedit.exe)
• Go toHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• Create a new parameter (DWORD type) with the name EnableLinkedConnections and the value 1 
• restart