Mark Minasi's Reader Forum
 When is a domain admin not a domain admin? (UAC)
Pesos
Honorable But Hopeless Addict

USA
3506 Posts
Status: offline

Posted - 05/08/2012 :  3:10:58 PM
So we have noticed that on 2008 R2 and Win7 boxes, members of the Domain Admins group seem to be watered down by UAC. The default "administrator" account seems to be automatically exempted from UAC on all machines, but other domain admins are not, leading to administration hassles when these users try to change file server permissions or install MSI files, etc.

What is special about the administrator account and how do we extend this specialness to all domain admins without disabling UAC?

-Wes

chamezzzz
Honorable But Hopeless Addict

United Kingdom
2298 Posts
Status: offline

Posted - 05/09/2012 :  09:49:38 AM
Hi Wes,
What I believe happens is the Domain Administrator account has Admin Approval mode for UAC disabled by default.
So too does the Windows 7 Local Administrator account, which is also disabled by default in Windows 7.
I think you need to apply group policy to your Domain Admins so that

"User Account Control: Use Admin Approval Mode for the built-in Administrator account" is disabled

http://windows.microsoft.com/en-GB/windows7/User-Account-Control-Use-Admin-Approval-Mode-for-the-built-in-Administrator-account

Because the accounts you subsequently create in Domain Admins are not *default accounts* but *additional accounts you have created*, Admin Approval Mode is enabled for them.

I can't find anything on the Microsoft Support site to confirm this; hope this points you in the right direction.

Regards

EDIT - this is where I am getting my assumption from:
http://technet.microsoft.com/en-us/library/dd446675(v=ws.10).aspx
http://goo.gl/Lbzvy

No mention of the initial Domain Administrator account. I am assuming that the initial Domain Administrator account is treated the same as the built-in Administrator account. It explains the behavior you are seeing.

The built-in Administrator account in Windows Server 2008 R2 does not run in Admin Approval Mode

The built-in Administrator account in Windows Server 2008 R2, which is the first account created on a server, does not run in Admin Approval Mode. All subsequently created administrator accounts in Windows Server 2008 R2 do run in Admin Approval Mode.

The built-in Administrator account is disabled by default in Windows 7

The built-in Administrator account is disabled by default in Windows 7. The built-in Administrator account, by default, cannot log on to the computer in Safe Mode.

James

Edited by - chamezzzz on 05/09/2012 09:57:53 AM

Pesos
Honorable But Hopeless Addict

USA
3506 Posts
Status: offline

Posted - 06/22/2012 :  2:57:22 PM
Thanks James - we applied this Admin Approval Mode setting, and once the policy is picked up and the boxes rebooted, it works. HOWEVER, it has an annoying side effect. It appears to alter the way in which UAC works. Prior to this change, when we were logged in as a regular user, we could elevate to do admin tasks by simply signing in when the UAC prompts popped up. This Admin Approval Mode setting appears to basically disable UAC altogether, so UAC prompts don't appear. We have to actually switch user and log in as a domain admin to get anything done, which is a bit of a hassle.

What is so special about the standard built-in administrator account that lets it bypass all this annoying rigmarole?

-Wes

Pesos
Honorable But Hopeless Addict

USA
3506 Posts
Status: offline

Posted - 06/22/2012 :  3:15:40 PM
Looks like this guy explains what I am seeing, and Microsoft really does a poor job with their labelling:

http://thehunk.blogspot.com/2008/10/messing-with-uac-admin-approval-mode.html

-Wes
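The two policies being confused above map to two different registry values, and auditing them directly on a box shows which one a GPO actually changed. The following PowerShell is an added example (not from this thread or from Microsoft's documentation); it reads the policy values under the standard UAC policy key, reports whether UAC is on at all, whether the built-in Administrator (RID 500) is exempt from Admin Approval Mode, and whether the current session is an administrator running with a filtered token. The default values assumed when a value is absent are the Windows 7 / Server 2008 R2 defaults.

```powershell
# Added audit example: which UAC policy is actually in effect on this machine?
# Assumes the standard policy location below; works from an elevated or non-elevated prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

function Get-UacValue {
    # Return the policy value, or the assumed OS default if the value has never been written.
    param([string]$Name, [int]$Default)
    if ($null -ne $uac.$Name) { [int]$uac.$Name } else { $Default }
}

# "User Account Control: Run all administrators in Admin Approval Mode" (1 = UAC on)
$enableLua   = Get-UacValue -Name 'EnableLUA' -Default 1
# "User Account Control: Use Admin Approval Mode for the built-in Administrator account" (0 = RID 500 exempt)
$filterAdmin = Get-UacValue -Name 'FilterAdministratorToken' -Default 0
# "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
$consentAdm  = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5

$findings = @()
if ($enableLua -eq 0) {
    # This is the setting that removes UAC prompts for EVERY account, not just the built-in one.
    $findings += 'EnableLUA=0: UAC is off; every administrator logs on with a full token and no prompts appear.'
} else {
    $findings += 'EnableLUA=1: administrators run in Admin Approval Mode (filtered token until they elevate).'
    if ($filterAdmin -eq 1) {
        $findings += 'FilterAdministratorToken=1: the built-in Administrator (RID 500) is also filtered.'
    } else {
        $findings += 'FilterAdministratorToken=0: the built-in Administrator (RID 500) is exempt and always runs elevated.'
    }
    $findings += "ConsentPromptBehaviorAdmin=$consentAdm (0 = elevate without prompting, 5 = prompt for consent for non-Windows binaries)."
}

# Is this session a member of Administrators that is currently running on its filtered token?
# IsInRole(Administrator) is false for an admin whose Administrators SID is marked deny-only by UAC.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$findings += "Current user $($identity.Name) is running elevated: $elevated"

$findings | ForEach-Object { Write-Output $_ }
```

Run it on a machine after the GPO has applied: if the first line reports EnableLUA=0, the policy that was disabled is the "Run all administrators" one rather than the built-in-Administrator one.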

JeffWouters
Here To Stay

Netherlands
147 Posts
Status: offline

Posted - 06/24/2012 :  07:07:34 AM
Search for a session called "Raiders of the elevated token" by a Dutch Windows Client MVP named Raymond Comvalius.
He explained the answer to this question beautifully :-)

Greetsz,
Jeff.

chamezzzz
Honorable But Hopeless Addict

United Kingdom
2298 Posts
Status: offline

Posted - 06/26/2012 :  04:46:51 AM
No worries Wes, although it was a complete educated guess rather than experience in this.
I think this is the link Jeff mentions:
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/WCL325


James
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi