locked
UAC - Cannot logon with administrative rights at all on a fresh build RRS feed

  • Question

  •  

    I previously wrote a long piece to help people that were having problems adding or joining Windows Vista to a domain. When I wrote the 'article', I was astonished that this could occur for a new install, as it would mean everyone would get the problem. Which they don't.

     

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1298601&SiteID=17

     

    Well, I reinstalled Vista on the same box due to a HDD explosion, and this time it all worked. It added fine. But...

     

    Despite having a domain and GPOs which have been running for a long time, I was unable to either remove UAC or get admin rights to my new box. Of course, UAC makes a mockery of the concept of rights: it pretends the whole time - and because of this, you can never be 100% sure of your rights. That's a big design gamble.

     

    UAC was popping up for the first few reboots, I had to edit the Domain GPO and try and work out what was going on. While editing the GPO I got the Unable to Save error and a path to SysVol GptTmpl.inf a few times, after which all my edits were gone - they were there in the editor UI but not reported in the Settings tab in the GPO Management console. I had to break my GPO into chunks and add just a couple of settings in each one to get them to stick.

     

    Why is this partially flakey? The KB article for the error points to permissions, but I'm running as the domain admin, and it seems okay for some settings - or maybe I'm not really running as admin. UAC?

     

    After a number of reboots the dark UAC prompts went away! Hurrah! Alas, I still didn't have admin rights. So I tried to make changes by right-clicking and Run as Administrator, this only served to give me a prompt saying that the operation requires elevation! Now I cannot elevate at all. This is a clean installation, remember.

     

    Some Windows updates and reboots later, this went away - phew. And I thought I was home free. But, on trying to make a folder on my D: I kept getting Access Denied, a little UAC shield and a Continue option which just closed the dialog. So I can't do anything - Windows UAC seems to be half switched on still.

     

    I cannot log in as Administrator because its disabled. I can't get UAC to pi55 off and give me my computer back, and then things get worse...

     

    I have a Domain Local group called UKWorkstationAdministrators which contains Domain Admins and me. This is set as the soul member of Administrators in the GPO under Restricted Groups.

     

    So, logging-on as admin should give me rights by way of these memberships. The UKW... group appears in the Vista local Administrators group, so I know the GPO has done its job, and UAC isn't prompting, but I still cannot do anything in Device Manager.

     

    I run the GPO Management console and run a RSOP using the bottom-most node (the real RSOP says I don't have sufficient rights, even when I do Run As!) and all is fine except that in the section about my group memberships I don't seem to be a member of the UKW... group, although my other domain groups are listed.

     

    I figure that my machine account is corrupt or something, as I've used the same machine name as the last Vista install. So I reset the account.

     

    Now, I reboot and I get the error about trust relationship between server etc. that means I'm properly messed up.

     

    At this stage my administrator account is disabled, UAC is blocking me from being admin, I cannot log on to the domain, and even as my original local account made during setup, the Run As option doesn't actually Run As (cmd pops up but the phrase 'running as' is missing) and I certainly have no rights to anything.

     

    Game over.

     

    I've just reinstalled again.

     

    I used to work for MS as a support engineer for Windows NT 4.0. I'm a very experienced .NET developer working on Vista products. But I hope MS consign Windows 6.0 to the history books soon, because this is a regrettable, and forgettable, OS iteration.

     

    I am a Microsoft fan so it saddens me that as times goes on mistakes are becoming abundant. Even posting on this forum tonight was a nightmare because I get logged out immediately, as I do on my work machines. MS seem to expect that the people wanting help on this site have to become an IE expert and jump through hoops before they can get help. Its a problem with their site. They should fix it! End of story.

     

    Get a grip MS: you're losing it.

     

     

    Sunday, May 25, 2008 10:01 PM

All replies

  •  

    After a very late night and early morning, my Vista box resembles what I'd like it to. No UAC + real admin rights.

     

    I must say that after installing Service Pack 1 and discovering that the GPMC (Group Policy Managment Console) has been removed was a nice surprise, considering that to fix my issue requires modifying the GPO - or be locked out of Vista forever.

     

    A little known and not publicised fat it that to get GPMC back, you can install the RAT Pack (Remote Administration Tools Pack) and this will give you your MMC snap-ins for the GPMC and some others.

     

    Important: You won't actually get the snap-ins listed unless you go into Control Panel > Programs and Features and switch 'on' the RAT Pack in the 'on' / 'off' section. If you're a developer, you'll also see why countless other things haven't been working. They're installed, but not 'switched on' - why would anyone install something and not want it switched on??? Imagine taking your car down to get a new exhaust and they fit and attach it but don't hook it up to the manifold. That it'd be good service eh?

     

    Thanks to a guy named Matty-B on these forums for saving a few people's sanity on that tip.

     

    Anyway.

     

    The problem, I have discovered is that a domain local group UKWorkstationAdministrators is applied to the Administrators group of all Vista machines using Restricted Groups in a GPO.

     

    On the Vista box the group is there, as well as GlobalWorkstationAdministrators (a domain global group). My account is in the UK one, so I should have admin rights?

     

    Well, according to a VBScript I knocked up, I'm in the UK group alright. But the Group Policy Results node in GPMC seems to think that I am not (see 'Security Group Membership when Group Policy was applied' tab). I added myself to the global one and now that's listed correctly. I'm now in both local and global but it only shows the global one.

     

    Is this a known issue? I'm logging-on to a computer in the domain with an account in the domain in which that domain local group is defined, so I should have these rights.

     

    I've added Domain Admins directly to the Administrators group to ensure this strange behaviour doesn't land me in the same doggy doo it did last night again.

     

    [And I still cannot log in to the forums on my XP box]
    Monday, May 26, 2008 1:32 PM