Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Copying files from a mapped drive to a local directory fails with error (Location is not available) if UAC is enabled
In this articleThis article solves the Location is not available error when you try to copy files from a mapped drive. Applies to: Windows Server
2012 R2 SymptomsWith User Account Control (UAC) enabled, you may receive the following error when attempting to copy a file from a mapped drive to a local directory:
CauseThe underlying cause is UAC and the interaction with split token. When an administrator signs in to a machine with Admin Approval Mode (AAM) enabled, the user is granted two access tokens:
By default, when a member of the local Administrators group signs in, the administrative Windows privileges are disabled and elevated user rights are removed. It results in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user by default, unless a user provides consent or credentials to approve an application to use a full administrative access token. Contrasting with this process, when a standard user signs in, only a standard user access token is created. This standard user access token is then used to launch the desktop. The following conditions must be in place for the error to occur:
The user has mapped a drive using either the Map Network Drive option in Windows Explorer or by running the
Running the same command in an elevated command prompt, there's no mapped drive listed.
It clearly shows that the elevated session doesn't see the standard user's mapped drive. So it can't complete the copy operation. This behavior is by design. Note By default, AAM is enabled for accounts that are members of the local Administrators group. The setting can be found in the Security Options node of Local Policy, under Security Settings and is configurable with the Local Group Policy Editor (secpol.msc) and with the Group Policy Management Console (GPMC) (gpedit.msc). For more information on UAC, see User Account Control. Resolution
More informationWhen the administrative user signs in to, Windows processes the logon scripts using the elevated token. The script actually works and maps the drive. However, Windows blocks the view of the mapped network drives because the desktop uses the filtered token while the drives were mapped using the elevated (full administrator) token. Before Windows 2000 SP2, device names (for example, mapped drives) remained globally visible until explicitly removed or the system restarted. For security reasons, we modified this behavior starting with Windows 2000 SP2. From this point forward, all devices are associated with an authentication ID (LUID). LUID is an ID generated for each logon session. A process running in LocalSystem context can create a device name in the Global device namespace, although local namespace objects can hide global namespace objects. These mapped drives are associated with LUID. And elevated applications are using a different LUID generated during a separate login event. So, the elevated application will no longer see any mapped drives for this user. You'll notice the same behavior previously using The result is that if you elevate a command prompt, you'll no longer see any local
namespace mapped drives created from your original login (whether created through a logon script, using the Which resource sharing protocol allows folders or hard drives to be shared over a network?Feature description. The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols.
Which of the following are required to join a local homegroup?A homegroup requires a password to join, and you are able to share files across the network without requiring the users to have individual accounts on all computers.
What is a centrally administrated network?A centralized network is built around a single, central server that handles all major management and data processing functions. Other types of servers may connect to this master server and manage other specific functions, but those other servers cannot work independently of the central server.
What is a clientA client-server network is a communications model in which multiple client programs share the services of a common server program.
|