Here's a common issue that every Windows system administrator will experience sooner or later when dealing with Windows Server (or Windows 10) and its odd way of handling the Administrators group and the users within it.
Let's start with the basics: as everyone knows, all recent Windows versions (Windows Server 2012, Windows Server 2016, Windows 8.x, Windows 10 and so on) come with a built-in Administrator account, which is a member of the Administrators group. It goes without saying that such an account has full rights, as clearly stated in the Administrators group description:
Administrators have complete and unrestricted access to the computer/domain.
This also means that any users we put within the Administrators group will inherit these access rights as well, right?
WRONG.
As a matter of fact, if we create another user and put it in the Administrators group, it will NOT have the same rights as the built-in Administrator user itself: to be more precise, it will be unable to perform a lot of administrative tasks. Here are some examples:
- A file is owned by SYSTEM and the Administrators group has full control. If we try to manipulate that file's permissions with the built-in Administrator account, it works without problems; if we try to do the same with any other user within the Administrators group, we won't be able to.
- IE Enhanced Security Configuration is set OFF for Administrators and ON for Users: with the built-in Administrator account that setting will be OFF, but it will be ON for all other users, even if they're members of the Administrators group.
Long story short, users in the Administrators group do not have the same rights as the built-in Administrator account. Is there a logical explanation for such odd behaviour? Of course there is: keep reading.
The Problem
This highly counter-intuitive permissions mess is caused by User Account Control (UAC), a feature which ensures that, even if a standard user is entitled to administrative rights, it won't actually be granted them unless it explicitly requests them (the so-called elevation). This security behaviour is governed by two distinct policies, both found in this gpedit node:
Computer Settings\Windows settings\Security settings\Local policies\Security options
The first one of them handles the built-in Administrator account, while the other one handles all administrative users:
- User Account Control: Admin Approval Mode for the built-in Administrator account (disabled by default)
- User Account Control: Run all administrators in Admin Approval Mode (enabled by default)
As we can see, the former (when disabled, which is the default) is basically an exception to the latter, meaning that the built-in Administrator account won't be affected by UAC, while all other administrative users will. That's why all the other users won't actually have administrative rights, even if they're members of the Administrators group: until they elevate, their processes run with a filtered token in which the Administrators membership is not in effect.
The Solution
The fix for that is very simple; we just need to do the following:
- Launch gpedit from an elevated command prompt.
- Navigate to Computer Settings\Windows settings\Security settings\Local policies\Security options
- Locate the following policy: User Account Control: Run all administrators in Admin Approval Mode, which you'll find Enabled.
- Set it to Disabled.
As soon as we do that, Windows will ask for a reboot to reload the updated UAC configuration: once done, all the users within the Administrators group will finally be able to act just like the Administrator account. Keep in mind that this turns off Admin Approval Mode for every administrative account on the machine, so their processes will run with the full administrator token and without any elevation prompt.
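As an added check (not part of the original post), the script below reads the two UAC policies described above from their registry backing values and shows whether the current process is running with the filtered token the post describes; run it before and after the change to confirm the effect. It assumes Windows PowerShell 5.1 or later on the machine being checked; the value names EnableLUA and FilterAdministratorToken are the documented registry counterparts of the two gpedit policies.

```powershell
# Added audit script (not from the original post). Reports the two UAC policies
# the post describes and whether the current process holds a full or a
# filtered (Admin Approval Mode) administrator token.
# Assumption: Windows PowerShell 5.1+, run on the machine being checked.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props  = Get-ItemProperty -Path $uacKey

# "Run all administrators in Admin Approval Mode"
#   -> EnableLUA (1 = Enabled, the default)
# "Admin Approval Mode for the built-in Administrator account"
#   -> FilterAdministratorToken (0 = Disabled, the default)
# A missing value means the default applies.
$runAllAdminsInAAM = if ($null -eq $props.EnableLUA) { 1 } else { [int]$props.EnableLUA }
$builtinAdminInAAM = if ($null -eq $props.FilterAdministratorToken) { 0 } else { [int]$props.FilterAdministratorToken }

function Format-State([int]$value) { if ($value -ne 0) { 'Enabled' } else { 'Disabled' } }

Write-Host "Run all administrators in Admin Approval Mode         : $(Format-State $runAllAdminsInAAM)"
Write-Host "Admin Approval Mode for built-in Administrator account: $(Format-State $builtinAdminInAAM)"

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$adminsSid = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

# Is this account a *direct* member of the local Administrators group?
# (Membership through a nested domain group is not detected here.)
$isMember = [bool](Get-LocalGroupMember -SID $adminsSid |
                   Where-Object { $_.SID -eq $identity.User })

# Does the *current token* actually carry the Administrators role? Under Admin
# Approval Mode a non-elevated process answers False even though the account is
# a member, because the group SID is marked "used for deny only" in that token.
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host "Account is a member of Administrators: $isMember"
Write-Host "Current token is elevated            : $isElevated"

if ($isMember -and -not $isElevated) {
    Write-Host 'Filtered token in use: this is exactly the situation the post describes.'
}
elseif ($isMember -and $isElevated -and $runAllAdminsInAAM -eq 0) {
    Write-Host 'Full token without elevation: Admin Approval Mode is disabled for this account.'
}
```

Run it from a plain (non-elevated) PowerShell window, since an elevated window would always report an elevated token regardless of the policy.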