UAC settings Domain GPO overrides local GPO -> reboot needed

    Question

  • Hi Guys

    I know that the Domain GPO has to override the local GPO and it's working that way on our Server 2012 R2 as well, but we ran into a problem with the UAC settings.

    The default settings in the local Policy enable UAC, but afterwards the Domain GPO is disabling UAC and changing the registry key "enableLUA" from 1 to 0. Everything is fine and working, but this way we always get the annoying notification from the Action Center that we have to restart the server to turn off UAC.

    Do we really have to edit all the local Policies on all our servers we need to disable UAC to get rid of this?

    Thx

    Wayne

    Friday, September 25, 2015 7:07 AM

All replies

  • Hello,

    It is not always necessary to use registry keys to disable UAC. You can do this via GPO.

    If you are changing registry, you would need a reboot as this takes effect once a server is restarted.

    You can go through the below link to check GPO UAC Settings

    http://www.techrepublic.com/blog/the-enterprise-cloud/disable-uac-for-windows-servers-through-group-policy/


    If you find this helpful, kindly mark as answer. If you have any queries, please post back as a reply. Will look forward to your feedback. Thanking You Soumyajyoti Biswas

    Friday, September 25, 2015 10:54 AM
  • Hi

    We are not doing any Registry changes, we do everything with Domain GPOs, but if we disable "Run all administrators in Admin Approval Mode" it changes the Registry Key "EnableLUA" from 1 to 0.

    That's why we have this reboot loop, because the Local Security Policy has it enabled, then the Domain GPO changes it to disabled.

    Of course we could just disable it in all the local Security policies on all our servers, but what do we have centralized Domain GPOs for if we have to go to each server and change such a setting locally...

    A bit annoying

    Friday, September 25, 2015 12:38 PM
  • Hello,

    I thought you went the registry key way as you mentioned that only. Did you try an RSOP on the server?

    If yes can you share the results


    Soumyajyoti Biswas

    Friday, September 25, 2015 1:30 PM
  • The RSOP won't show you anything new, it shows you only the UAC settings we deploy by the "Disable UAC" policy. The settings apply well, but after the local security policy has set the EnableLUA back to 1 after a reboot. So the Domain Policy switches this key back to 0 and therefore we get the "reboot is needed to turn off UAC" notification.

    I guess we have no other option than just to change the local security policy on our servers to keep the UAC definitely and constantly off.

    Friday, September 25, 2015 2:02 PM
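
One way to confirm the behaviour described in the post above is to record `EnableLUA` before and after a computer policy refresh. This is an added diagnostic example, not part of the original thread; it assumes an elevated PowerShell session on the affected server, and the function name `Get-UacSnapshot` and the report path are illustrative.

```powershell
# Added example: observe whether a computer policy refresh flips EnableLUA.
# Read-only apart from triggering a normal policy refresh (gpupdate).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSnapshot {
    param([Parameter(Mandatory)][string]$Label)
    # The UAC-related values under the policy key; EnableLUA is the one
    # discussed in this thread (1 = Admin Approval Mode on, 0 = off).
    $p = Get-ItemProperty -Path $uacKey
    [pscustomobject]@{
        Label                      = $Label
        Time                       = Get-Date
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

# When the machine last booted, to relate the snapshots to the reboot cycle.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$before = Get-UacSnapshot -Label 'before gpupdate'

# Answer "n" to any restart/logoff prompt so the script never blocks or reboots.
'n' | gpupdate.exe /target:computer /force | Out-Null

$after = Get-UacSnapshot -Label 'after gpupdate'

$before, $after | Format-Table -AutoSize
"Last boot: $lastBoot"

if ($before.EnableLUA -ne $after.EnableLUA) {
    "EnableLUA changed from $($before.EnableLUA) to $($after.EnableLUA) " +
    "during the policy refresh; the new value only takes effect after a restart."
} else {
    "EnableLUA was not changed by this policy refresh."
}

# Resultant Set of Policy for the computer scope, to see which GPO
# supplies the UAC settings. Overwrites the report if it already exists.
gpresult.exe /scope computer /h "$env:TEMP\rsop-computer.html" /f
```

Running it once shortly after a reboot and once later shows whether the value is reset at startup and then changed again by the domain policy.
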
  • As you have observed, your local policy takes effect first and changes the key to 1, then the domain policy updates it to 0.

    And by default, changing UAC settings needs a reboot. As you have realized, you might have to update your local policy first.

    Monday, September 28, 2015 7:27 AM
  • This notification can be suppressed by changing your Action Center settings. However, UAC changes need a restart to take effect, so simply suppressing this notification won't help in this case. We might need to update the local policy, I think.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, September 28, 2015 7:57 AM
    Moderator
  • Hi,
     
    Just checking in to see if above information was helpful.
     
     

    Regards,

    Ethan Hua



    Tuesday, October 6, 2015 9:52 AM
    Moderator
  • Hi,
     
    I'm marking the reply as answer as there has been no update for a couple of days.
     
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
     

    Regards,

    Ethan Hua



    Monday, October 12, 2015 2:21 AM
    Moderator
  • Hi Ethan

    As you mentioned already, the point is that UAC is still active without rebooting the computer again and again, so no, for me the problem is not solved just with turning off the notification in the Action Center.

    Where is the sense and the benefit of GPOs if we have to modify the local policies on all computers?

    It would be nice if MS could change the behavior of UAC in the future and give corporate users a real possibility to disable it on some devices within GPO and not with the local policy.

    Regards

    Wayne

    Monday, October 12, 2015 11:49 AM
  • Thanks for your update, I'm unmarking it as it doesn't solve the issue. We will pass the information to the relevant product team.
     
    Thanks again for your feedback.
     

    Regards,

    Ethan Hua



    Friday, October 16, 2015 2:37 AM
    Moderator