
On a Server 2008 R2 (member of a domain but not a domain controller) we suddenly can't perform any administrative task. Every action (like net stop ..., whoami, ...) is denied with an access denied message. We can access the event logs, but the only conspicuous event is LSA 40961 (The Security System could not establish a secured connection ...)

Starting a program from explorer.exe works. Starting the same program from cmd.exe isn't possible (access denied).

What we tried so far

  • Using local administrator instead of domain administrator => same behaviour
  • Using elevated cmd.exe (right click run as administrator)
  • Trying to disable UAC (not possible due to access denied)
  • Analyzing with Sysinternals procmon => procmon can't be started
  • Analyzing event logs => no conspicuous events

Edit
The attempt to disable UAC by the registry fails with the registry error: Error writing the value's new contents

Any ideas?

marsh-wiggle
  • explorer.exe is not fully covered by UAC protection, and it just looks like a UAC issue (even with local admin). Have you run CMD as Administrator (Right click -> Run as Administrator)? The mentioned action should give you 100% admin privileges, and then you can try to change the UAC settings via CMD or run the needed applications – Strepsils Apr 03 '19 at 07:35
  • @Strepsils yes, we tried that – marsh-wiggle Apr 03 '19 at 08:02
  • You can try to disable UAC by editing the registry - /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f Hope that works and allows you to do the changes in the registry... If not, I would try to rejoin it to the domain – Strepsils Apr 03 '19 at 08:23
  • @Strepsils The customer decided to restore the system from backup but before doing this we will test your suggestions. This may last some days. I'll let you know the result. Thanks for your help!! – marsh-wiggle Apr 03 '19 at 10:26
  • @Strepsils Also a fail. I edited the question. – marsh-wiggle Apr 04 '19 at 16:06
  • Safe Mode might have helped, or booting to removable media to attempt [offline repair using dism](https://www.ghacks.net/2018/03/16/use-dism-to-fix-issues-sfc-cant/). You could also turn off UAC from removable media, but I'm not sure how much that would help. If no backup had been available, an in-place "upgrade" (also known as a repair install) would have been another option. – Harry Johnston Apr 07 '19 at 21:17
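An added read-only diagnostic (not from the question or any commenter) that gathers the three facts this thread circles around before anyone changes anything: whether the current token is actually elevated, what `EnableLUA` is set to and whether the policy key can even be opened for writing, and whether LsaSrv 40961 events are present in the System log. It assumes an elevated PowerShell session on the affected Server 2008 R2 box (PowerShell 2.0 is sufficient); the function name and `-Hours` parameter are my own.

```powershell
# Added example, not code from the thread. Collects state only; it changes nothing.
function Get-AdminDeniedDiagnostics {
    param([int]$Hours = 24)   # how far back to look for LSA 40961

    # 1. Is the current process token really elevated? A "Run as administrator"
    #    that yields a filtered token would explain blanket access denied errors.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Current value of the UAC policy the comments tried to set with reg.exe.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua  = (Get-ItemProperty -Path $policyPath -Name EnableLUA `
                    -ErrorAction SilentlyContinue).EnableLUA

    # 3. Can the key be opened for write at all? The question reports
    #    "Error writing the value's new contents"; this records that as a fact.
    $canWritePolicy = $false
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', $true)
        if ($key) { $canWritePolicy = $true; $key.Close() }
    } catch { $canWritePolicy = $false }

    # 4. LSA 40961 (source LsaSrv, System log) within the requested window.
    #    Get-WinEvent returns newest first, so the first entry is the latest.
    $since     = (Get-Date).AddHours(-$Hours)
    $lsaEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40961; StartTime = $since
    } -ErrorAction SilentlyContinue)
    $lastLsa = $null
    if ($lsaEvents.Count -gt 0) { $lastLsa = $lsaEvents[0].TimeCreated }

    New-Object PSObject -Property @{
        User              = $identity.Name
        TokenElevated     = $isElevated
        EnableLUA         = $enableLua
        PolicyKeyWritable = $canWritePolicy
        Lsa40961Count     = $lsaEvents.Count
        LastLsa40961      = $lastLsa
    }
}

Get-AdminDeniedDiagnostics -Hours 48 | Format-List
```

If `TokenElevated` is `True` but `PolicyKeyWritable` is `False`, the failure is not UAC token filtering, which is consistent with the thread's conclusion that disabling UAC did not help and a restore or repair install was needed.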

0 Answers