I have a Restricted Group in a group policy in an organizational unit called org_unit_a. This organizational unit has all the computers.

  • The restricted group is My_domain\Workstation Admins
  • Has members: My_domain\settings
  • Is a member of: Administrators (or Järjestelmänvalvojat in Finnish)

In the local computer:

  • net localgroup "Administrators" shows the My_domain\Workstation admins as a member group
  • net user /domain settings shows the group membership in My_domain\Workstation Admins
  • If I try to enter My_domain\settings into the UAC prompt, it just slaps me in the face with:

The requested operation requires elevation

If the user settings has been set as a local administrator via restricted groups, then why doesn't Windows accept those credentials when entered in the UAC prompt?

Simo Kivistö
  • Sounds to me like your restricted group is working as designed. Just because you are an Administrator doesn't mean you no longer need to elevate past UAC to perform certain operations. If you don't like UAC, you can (essentially) turn it off. – Ryan Ries Feb 26 '15 at 13:16
  • Corrected the UAC part of the explanation: the settings account is not valid for the UAC prompt pop-up – Simo Kivistö Feb 26 '15 at 13:31
  • I'm not clear on the question. What exactly isn't working? – Bill_Stewart Mar 09 '15 at 15:45
  • Added the exact question in one sentence at the bottom of the question. – Simo Kivistö Mar 09 '15 at 16:24
  • The reason is that "membership in Administrators group" != "program is running elevated." – Bill_Stewart Mar 09 '15 at 16:55
  • This does not seem to be related to group policies or restricted groups. – Greg Askew Mar 09 '15 at 16:55
  • I understand the program is not running elevated. I understand I need to provide my credentials and elevate. What I don't understand is why can't I elevate with the restricted group admin account when I can elevate perfectly fine with normal local admin or domain admin account. – Simo Kivistö Mar 09 '15 at 17:42
  • How are you provoking the UAC prompt? – Bill_Stewart Mar 09 '15 at 20:15
  • Trying to install modem drivers on the computer for example. – Simo Kivistö Mar 09 '15 at 20:24
  • Try downloading free software I wrote called [Elevation Toolkit](http://www.westmesatech.com/misctools.html). Right-click IsElevated32.exe and choose `Run as administrator`. Enter your credentials. It will display a message box telling you whether it was elevated or not. – Bill_Stewart Mar 10 '15 at 15:27

1 Answer

If the user settings has been set as a local administrator via restricted groups, then why doesn't Windows accept those credentials when entered in the UAC prompt?

Because that's the way UAC works.

In a nutshell, both regular users and administrative users run now with the same security context - that of an unprivileged user. As an administrative user you actually receive two tokens with identical user-specific information, a standard one and an administrative one. When you attempt to perform an action that requires administrative privileges, UAC kicks in and depending on its configuration prompts either for your credentials or for an approval of escalation, and then performs whatever action you originally requested using the administrative token.

In short, you are not really an administrator even when you are an administrator (User Account Control Overview).

You can modify how "noisy" User Access Control is - What are User Account Control settings?

  • Yes but why can I elevate with normal local admin account but not with the group policy restricted group local admin account? – Simo Kivistö Mar 09 '15 at 17:44
  • @SimoKivistö I'm still not clear. Can you or can you not successfully elevate privileges with your My_domain\settings user account? –  Mar 09 '15 at 18:18
  • I can not. That is what I was trying to accomplish setting that restricted group. – Simo Kivistö Mar 09 '15 at 18:23
  • @SimoKivistö Stupid question - Is that account locked out or disabled? What does the Security EventLog say? –  Mar 09 '15 at 18:25
  • Neither locked nor disabled. I'll take a look at the event logs when I get to the office. – Simo Kivistö Mar 09 '15 at 18:59
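
The split-token behaviour described in the answer can be checked from inside a session. The following is an added example, not part of the original thread or of any tool mentioned in it: it reports how BUILTIN\Administrators appears in the current process token. The function name `Get-AdminTokenState` and its `-ViaGroup` parameter are hypothetical, and it assumes Windows PowerShell 5.1 started as the account being tested.

```powershell
# Added example: classify how BUILTIN\Administrators appears in the token of
# the current process. Run it in a session started as the account under test.
function Get-AdminTokenState {
    param([string]$ViaGroup)   # optional nested group, e.g. 'My_domain\Workstation Admins'

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $adminSid  = 'S-1-5-32-544'   # well-known SID, independent of the localized group name

    # WindowsIdentity exposes token groups as claims: enabled groups as GroupSid,
    # groups that only count for deny ACEs (the UAC-filtered token) as DenyOnlySid.
    $claims = @($identity.Claims | Where-Object { $_.Value -eq $adminSid })

    $state = if ($claims | Where-Object { $_.Type -eq [System.Security.Claims.ClaimTypes]::GroupSid }) {
        'Enabled'    # full administrative token: this process is elevated
    } elseif ($claims | Where-Object { $_.Type -eq [System.Security.Claims.ClaimTypes]::DenyOnlySid }) {
        'DenyOnly'   # member of Administrators, but running with the filtered token
    } else {
        'Absent'     # this logon token was built without the membership
    }

    # Optionally check whether the nested domain group itself is in the token.
    $viaInToken = $null
    if ($ViaGroup) {
        try {
            $account    = New-Object System.Security.Principal.NTAccount $ViaGroup
            $viaSid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $viaInToken = [bool]($identity.Claims | Where-Object { $_.Value -eq $viaSid })
        } catch {
            $viaInToken = 'Unresolved'   # name could not be translated to a SID
        }
    }

    [pscustomobject]@{
        User                  = $identity.Name
        AdministratorsInToken = $state
        IsInRoleAdministrator = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ViaGroup              = $ViaGroup
        ViaGroupInToken       = $viaInToken
    }
}

Get-AdminTokenState -ViaGroup 'My_domain\Workstation Admins'
```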