5

We have about 15 PCs on our network. I can make changes to all the PCs except one. I keep getting the message "The requested operation requires elevation".

When I try to run a program as an admin, it asks for my username and password. After I hit enter, I get the same message: "The requested operation requires elevation"

This is really weird because I am a domain admin. I went into active directory and I didn't notice anything different between this PC and the others. It has the same security options checked and it is in the same group as the others.

I have worked here for a couple years but I just took over this role last month. The one who I am replacing doesn't know either. He told me it was always like this. So, basically, he was never able to add or remove software. I need to remove some junkware and install some useful programs for the user. The PC is running windows 8 just like the other ones.

What am I missing? How come this one PC is not recognizing me as an admin? What can I do about this?

Lumo5
  • 213
  • 1
  • 3
  • 8
  • When you enter your credentials, do you specifically see an access denied message, or simply the prompt popping up again? If it's the prompt, you might need to check if the PC can actually access a DC, it might not be able to validate your credentials. – Reaces Feb 12 '15 at 10:26
  • When windows starts, users (including myself) have to log into the domain. I log in with my username and password. Then I can go to control panel and try to uninstall a program. Then a prompt appears asking for my username and password. I enter my username and password. Then the same prompt pops up again but this time with red letters saying "the requested operation..." From this point, I thought I would try to uninstall through the cmd. I try to run as an adminsitrator but then it give me the prompt. I enter my credentials. The prompt goes away and comes back with the warning message – Lumo5 Feb 12 '15 at 13:50
  • If you run `net users %username%` , you can see what local group membership is. Also compare output of `gpresult /h` with a working machine. Add the output of these commands to your question. – BlueCompute Feb 12 '15 at 23:37
  • @BlueCompute running "net users %username%" didn't seem to produce any information. What exactly should I be looking for with that? I ran "gpresult /h gp.html" on a machine that works and on the machine that I am having problems with. The result is identical. The local group membership is the same. – Lumo5 Feb 16 '15 at 15:50

3 Answers3

3

Make sure that the "Domain Admins" group is present in the local Administrators group.

Mark R.
  • 363
  • 1
  • 5
  • I don't see anything that specifically says "Local Administrators". However, "Domain Admins" is a Member Of "Administrators", which is the standard Builtin group. "Domain Admins" is also a member of "Denied RODC Password Replication Group". I can make changes to all computers except for this one computer. – Lumo5 Feb 12 '15 at 07:59
  • @Tony are you looking in the Local Users and Groups MMC snap-in on the workstation or in Active Directory Users and Computers when confirming that the *"Domain Admins" group is present in the local Administrators group*? – I say Reinstate Monica Feb 15 '15 at 03:48
  • @Twisty I am using active directory. To be honest, I don't even know how to use the MMC snap-in. Does it make a difference? – Lumo5 Feb 16 '15 at 15:52
  • Yes, it does. Run the command `LUSRMGR.MSC` on the workstation in question and check the membership of the Administrators group there per Mark R.'s answer. – I say Reinstate Monica Feb 16 '15 at 17:57
  • @Twisty My username does not show up0 in the Administrators group. So, I guess that is the problem. But, why am I a domain admin, yet I don't show up in this Admin group. This PC is part of the domain. – Lumo5 Feb 18 '15 at 14:06
  • The Domain Admins group is automatically made a member of a computer's local Administrators group when the machine is joined to the domain; however, an Administrator could always change that later or a group policy could be configured to make such a change. Rarely would one *want* to do this, but it's certainly possible. – I say Reinstate Monica Feb 21 '15 at 03:07
1

This smells like a UAC problem.
As suggested in some similar technet forums you might be having this issue because the administrators group is the only group that has permissions on the folder of those applications.

You could try turning off UAC temporarily, or using the work-around that involves creating a second group, granting it permissions to the folders affected and adding your users to that group.

Reaces
  • 5,597
  • 4
  • 38
  • 46
  • I can't turn off the UAC because it requires elevation. I am about ready to reformat this PC and reconnect it to the network but I really want to find the bug for learning purposes. – Lumo5 Feb 16 '15 at 15:54
1

I had the same problem on a server of mine, do you know the local admin password? I started a remote session with the local admin account domain\administrator, then went to "manage user accounts," where my domain admin account was set to "remote user" and so I changed it to "administrators" instead. Now, when I remote in using my domain admin account I have admin privileges. It's a weird oversight but nonetheless, hope this helps.

CapnTom
  • 11
  • 2