Built-In Admin

  • Question

  • Hey guys,

    I know I've seen a few posts regarding this issue but I have yet to see a genuine solution, so here goes.

    Context: Work Domain, 13 Users, Group Policy management, 1 month into Win 10, No viruses or malware.

    Built-in Admin can't access built-in apps, as we all know by now. I've been given 3 possible fixes and here are the results.

    1) Make separate account as admin (not Original built in admin used to set up PC)

           Admin account used to update all PCs; users logging in have admin access but use existing domain login (so can't be the built-in admin)

           Doesn't do anything to resolve issue

    2) Turn on User Account Controls

           Works until PC is reset at which point UAC is disabled without a message or prompt

    3) Disable Built-In Admin

          Have attempted to disable all built in admins via Group Policy to no avail

          Next step is to disable built-in admin on each individual PC but I am wary that even this will bring about more problems

    Question: Is this all a Windows 10 Bug? Is a solution in the works?

    Tuesday, May 3, 2016 6:31 PM

Answers

  • Hi AlexCGTS,

    "but upon a second restart value was reset to 0"
    I suspect the GPO has been misconfigured.

    Have you configured the GPOs from the domain controller?

    User Account Control: Run all administrators in Admin Approval Mode
    User Account Control: Admin Approval Mode for the built-in Administrator account

    Please run "gpresult /r /z >C:\gpresult.txt" to check the gp result.

    Put the machine out of the domain to troubleshoot whether the issue is related to the domain policy.

    Best regards



    Friday, May 20, 2016 2:18 AM
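
The check suggested in this answer can be scripted. The following is an added example, not part of the original thread: it reads the two registry values behind the UAC policies named above (`EnableLUA`, and `FilterAdministratorToken` for the built-in Administrator setting), logs them with a timestamp, and searches the computer-scope `gpresult` output for the same names. The function names and the log path are assumptions.

```powershell
# Added example: the function names and the log path are hypothetical.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value -> the policy that writes it; 1 means the policy is Enabled.
$settings = @(
    [pscustomobject]@{
        Name   = 'EnableLUA'
        Policy = 'User Account Control: Run all administrators in Admin Approval Mode'
    },
    [pscustomobject]@{
        Name   = 'FilterAdministratorToken'
        Policy = 'User Account Control: Admin Approval Mode for the built-in Administrator account'
    }
)

function Get-UacPolicyState {
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($s in $settings) {
        $actual = $props.($s.Name)          # $null when the value does not exist
        [pscustomobject]@{
            Time    = Get-Date -Format o
            Value   = $s.Name
            Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
            Enabled = ($actual -eq 1)
            Policy  = $s.Policy
        }
    }
}

function Find-UacPolicyInGpresult {
    # Needs an elevated prompt for computer-scope results.
    # Prints any report lines that mention the value names, with 3 lines of context.
    $pattern = ($settings.Name -join '|')
    gpresult /scope computer /z | Select-String -Pattern $pattern -Context 3,3
}

$state = Get-UacPolicyState
$state | Format-Table Value, Actual, Enabled -AutoSize | Out-Host
# Append one row per run so a change between reboots shows up with a timestamp.
$state | Export-Csv -Path "$env:PUBLIC\uac-state.csv" -Append -NoTypeInformation
Find-UacPolicyInGpresult
```

Running it after each restart and after a policy refresh shows at which point `EnableLUA` returns to 0.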

All replies

  • Current testing for me is with UAC on the apps works. UAC is on by default, so what turns it off in the first place for these machines, and why does it not stay on when on is selected? Group Policy would be the place I guess, so use Group Policy on for Windows 10 machines to keep UAC on and the apps should work.

    Tuesday, May 3, 2016 8:27 PM
    I have one machine that isn't having the issue anymore but UAC is off on this one. I did nothing different for that PC so I'm not sure why it's behaving differently yet. The only differentiation for the PC is that there is a firewall and antiviral exclusion for just one network drive. But that was added after finding out that: UAC was off and Built-in apps were working.

    In Group Policy I found 3 tiers of admins, all 3 were members of "domainname.local/Built-In" 

    Removed membership for all 3 tiers and still no change, even weirder though, users that were never members of any admin groups are also (and have been the whole time) having this issue. I am hesitant to just force UAC on for all workstations as having UAC on in the past was far less secure and I quite plainly don't know enough about it to definitively say this won't compromise our security.

    I was told of a new option: Connecting a Microsoft account, sync, restart, turn on UAC, restart... Testing underway but no positive results yet.

    Tuesday, May 3, 2016 10:48 PM
  • Well only seen this with local admin users, that is domain users with local admin rights. To begin with the settings;

    Local Security Policy - Run "secpol.msc"

    Local Policy->Security options->Enable"Admin Approval for built in account"

    Navigate hklm/software/Microsoft/windows/currentversion/policies/system ->Set EnableLUA as 1

    Reboot the machine. (from Build-in Administrator account can’t run Metro app. Why? the same secpol setting can be set with Group Policy) worked.

    Now trying turning on UAC for Windows 10 machines. They are in a separate OU so just for now, but do not follow your 'all workstations as having UAC on in the past was far less secure' as UAC is more secure?

    Tuesday, May 3, 2016 10:58 PM
  • Hi AlexCGTS,

    As -Mr Happy- suggested, we could try to configure that GPO. Please remember to restart the machine to make it take effect.
    The corresponding registry key should be:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    Best regards



    Wednesday, May 4, 2016 3:07 AM
    Adding and syncing the MS account worked for a few days and then one by one PCs started reverting back to the same issues as patches and updates were applied. This however seems to have stuck even through updates. Thank you Mr Happy!
    Tuesday, May 17, 2016 6:02 PM
    Solution worked for about a week (or so I thought); come to find out that the problem persisted, just without prompt or notification. SecPol changes stuck, Registry changes did not. After changing value of EnableLUA to 1 and restarting everything was fine, but upon a second restart value was reset to 0. Additionally I'm getting the built-in admin error message when I open Settings now as well... I'm at my wits' end with this. I can confirm no malicious software forcing change; I have disabled built-in admin via every avenue possible (secpol, GPO, cmd line, boot cmd line, and even local users). At this point I'm ready to switch to Macs and never give Windows the time of day again.
    • Edited by AlexCGTS Thursday, May 19, 2016 7:34 PM
    Thursday, May 19, 2016 7:28 PM