none
Domain Administrator no permissions, Local Admin has permissions RRS feed

  • Frage

  • Just installed a fresh copy of Windows 10 Pro x64 on a new Lenovo Yoga.  Install went fine.  Activate and updates done.

    I've run into several spots where I'm getting the error message:

    "C:\Windows\system32\rundll32.exe

    Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."

    I'm sure you all are familiar with this message since if you don't have Admin rights on the Domain you'll get this type of message when trying to install software or access Admin priv required settings.  So I log out of the Domain Admin account and log into the Local Admin, boom it works.  I can do things like add Desktop Icons, for example, with the Local Admin but not with Domain Admin.  Seems like the Domain Admin account isn't getting elevated permissions when logging in.

    Interesting note, if I add Domain Users to the admin group and log in as one of them the account gets properly elevated and I can manage the settings the Domain Admin can't.  Any ideas?

    Donnerstag, 30. Juli 2015 16:02

Antworten

  • Hi,

    For your question, please run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then enable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect. Figure as below:

    Thanks


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Montag, 3. August 2015 12:15

Alle Antworten

  • Maybe unrelated but do you know what the functional level of your domain is?
    • Als Antwort vorgeschlagen Pete Moran Donnerstag, 20. September 2018 09:39
    Donnerstag, 30. Juli 2015 16:19
  • 2008 R2.  Shouldn't make a difference since Domain Admin account has less privs than a Domain User account I gave Admin rights to in Advanced Local Users and Groups.  And yes, Domain Admins does already exist in that group.
    Donnerstag, 30. Juli 2015 16:24
  • I have the same issue. Local Administrator account is fine when changing Desktop Icon Settings, however, when trying to change 'Desktop Icon Settings' in Domain Administrator account, Windows gives the following error:

    "C:\Windows\system32\rundll32.exe"

    "Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."

    Troubleshooting:

    UAC was tested with slide bar being moved to all locations from very top to all the way down to the bottom and no difference in permissions. PC was rebooted each time after UAC setting was changed. Windows 8.1 did not have this issue. Windows 10 bug?

    NOTE: Also receive same error when clicking on 'Advanced Sound Settings' and 'Mouse Pointer Settings'.

    AND: Other created local user accounts work ok.

    Donnerstag, 30. Juli 2015 20:59
  • You hit the nail on the head.  Exact same problem I have.  All of those options produce the same error message.  I also was unable to adjust some other things in Settings (I'm trying now to remember which ones gave the error) and was met with the same error message.

    All other accounts work.  Domain Admin gets bricked.

    Donnerstag, 30. Juli 2015 21:12
  • Hi,

    For your question, please run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then enable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect. Figure as below:

    Thanks


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Montag, 3. August 2015 12:15
  • Yes! That did it! I have made note of it for other Windows 10 PCs.

    Thank you.

    Montag, 3. August 2015 14:57
  • Hi,

    Thank you for your response, if it's help please mark it as answer.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    • Als Antwort vorgeschlagen lostmatt996 Montag, 8. Mai 2017 12:58
    Dienstag, 4. August 2015 06:08
  • Hi,

    For your question, please run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then enable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect. Figure as below:

    Thanks


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    But domain administrator still cannot open the Microsoft edge and app store, when I click them, just show the frame and then disappeared. For left click start menu, it shows nothing and any response. However everything is work smooth under local administrator login. Any help? Thanks.
    Donnerstag, 6. August 2015 18:55
  • Thank You this was the answer I was looking for. I was able to do this on multiple domain PC's and it solved the issue Thank You
    • Als Antwort vorgeschlagen TMPerson Sonntag, 4. Dezember 2016 17:42
    • Nicht als Antwort vorgeschlagen TMPerson Sonntag, 4. Dezember 2016 17:42
    Mittwoch, 14. Oktober 2015 12:38
  • Thanks for your answer. This works for the domain admin account. It solved the issue i had when going to the "desktop icons".

    Regards,

    Mittwoch, 26. Oktober 2016 09:36
  • Fix my issue. thanks!
    Donnerstag, 30. März 2017 19:22
  • No. It doesn't work

    The answer should not be marked correct


    Thanks & Regards Ramandeep Singh


    Samstag, 3. Juni 2017 14:21
  • This did not solve the issue I am having. It is similar, but when I have a standard domain user logged into my Windows 10 build, Domain admins cannot elevate access to install programs or run programs that require elevated access. Only local admins can elevate successfully. The provided gpedit.msc suggestion does not fix this issue.
    Mittwoch, 21. Juni 2017 19:11
  • Perfect!

    Applied GPO at Default Domain Policy and it works!

    Samstag, 12. August 2017 05:20
  • Worked for me on Windows Server 2016, too. Applied the GPO at the DC and could access the rundll32.exe normally.

    Many thanks!

    Donnerstag, 23. November 2017 12:27
  • Thanks,  for good solution.
    Samstag, 16. Dezember 2017 09:23
  • I cannot change this selection group policy, it is grayed out. It doesn't matter if I am logged in as local admin or domain admin.
    Dienstag, 19. Dezember 2017 20:18
  • worked for us. thank you
    Mittwoch, 28. März 2018 14:25
  • Yes, it healped. Thanks.
    Mittwoch, 23. Mai 2018 13:49
  • That was the ticket Mate!!! Point Gryffindor!! 
    Mittwoch, 19. September 2018 19:00
  • The bigger issue here is why is this happening in the first place.
    Samstag, 17. November 2018 17:49
  • Allen, thank you for taking the time to create this, this was the most helpful suggestion I have found in hours of searching! 
    Freitag, 11. Januar 2019 19:15
  • Thank You.

    Works for me also on windows 2016.

    Donnerstag, 24. Januar 2019 11:06
  • This fix also resolved the issue in Server 2019.  Unfortunately it breaks the Server Manager application.  With this GPO active Server Manager hangs with very high (50% +) CPU utilization.  Disabling the GPO fixes the problem with Server Manager, but the other issues then return.
    Donnerstag, 31. Januar 2019 16:11
  • run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then Disable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect.

    By default, this option is Enabled. You need to disable it, restart the machine and it works. It worked on my Server 2016. Kudos!

    Dienstag, 26. März 2019 13:33
  • worked on my new 2019 dc in azure
    Freitag, 9. August 2019 11:10
  • worked on my new 2019 dc in azure
    But not my other one!!!
    Donnerstag, 15. August 2019 11:13
  • i have this set as a gpo on my servers ou and it does not work for me. when i run group policy reports the policy IS applied and when i run the gpedit.msc on the server i see that the user account control admin approval mode for build in admins policy IS enabled.

    i still cant add desktop icons like control panel and computer.

    have restarted many times.

    im logging in as domain\administrator to said server (2019 (1809))

     ?

    Donnerstag, 12. Dezember 2019 23:51
  • Thanks!  That did it.

    Dienstag, 31. Dezember 2019 20:44