none
Domain Administrator no permissions, Local Admin has permissions

    Question

  • Just installed a fresh copy of Windows 10 Pro x64 on a new Lenovo Yoga.  Install went fine.  Activate and updates done.

    I've run into several spots where I'm getting the error message:

    "C:\Windows\system32\rundll32.exe

    Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."

    I'm sure you all are familiar with this message since if you don't have Admin rights on the Domain you'll get this type of message when trying to install software or access Admin priv required settings.  So I log out of the Domain Admin account and log into the Local Admin, boom it works.  I can do things like add Desktop Icons, for example, with the Local Admin but not with Domain Admin.  Seems like the Domain Admin account isn't getting elevated permissions when logging in.

    Interesting note, if I add Domain Users to the admin group and log in as one of them the account gets properly elevated and I can manage the settings the Domain Admin can't.  Any ideas?

    Thursday, July 30, 2015 4:02 PM

Answers

  • Hi,

    For your question, please run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then enable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect. Figure as below:

    Thanks


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Monday, August 03, 2015 12:15 PM

All replies

  • Maybe unrelated but do you know what the functional level of your domain is?
    Thursday, July 30, 2015 4:19 PM
  • 2008 R2.  Shouldn't make a difference since Domain Admin account has less privs than a Domain User account I gave Admin rights to in Advanced Local Users and Groups.  And yes, Domain Admins does already exist in that group.
    Thursday, July 30, 2015 4:24 PM
  • I have the same issue. Local Administrator account is fine when changing Desktop Icon Settings, however, when trying to change 'Desktop Icon Settings' in Domain Administrator account, Windows gives the following error:

    "C:\Windows\system32\rundll32.exe"

    "Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."

    Troubleshooting:

    UAC was tested with slide bar being moved to all locations from very top to all the way down to the bottom and no difference in permissions. PC was rebooted each time after UAC setting was changed. Windows 8.1 did not have this issue. Windows 10 bug?

    NOTE: Also receive same error when clicking on 'Advanced Sound Settings' and 'Mouse Pointer Settings'.

    AND: Other created local user accounts work ok.

    Thursday, July 30, 2015 8:59 PM
  • You hit the nail on the head.  Exact same problem I have.  All of those options produce the same error message.  I also was unable to adjust some other things in Settings (I'm trying now to remember which ones gave the error) and was met with the same error message.

    All other accounts work.  Domain Admin gets bricked.

    Thursday, July 30, 2015 9:12 PM
  • Hi,

    For your question, please run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then enable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect. Figure as below:

    Thanks


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Monday, August 03, 2015 12:15 PM
  • Yes! That did it! I have made note of it for other Windows 10 PCs.

    Thank you.

    Monday, August 03, 2015 2:57 PM
  • Hi,

    Thank you for your response, if it's help please mark it as answer.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    • Proposed as answer by lostmatt996 Monday, May 08, 2017 12:58 PM
    Tuesday, August 04, 2015 6:08 AM
  • Hi,

    For your question, please run gpedit.msc to open Group Policy Editor, then switch to Computer Configuration---> Windows Settings---> Security Settings ---> Local Policies---> Security Options, then enable "User Account Control: Admin Approval Mode for the Built-in Administrator account", after all restart Windows to take effect. Figure as below:

    Thanks


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    But domain administrator still cannot open the Microsoft edge and app store, when I click them, just show the frame and then disappeared. For left click start menu, it shows nothing and any response. However everything is work smooth under local administrator login. Any help? Thanks.
    Thursday, August 06, 2015 6:55 PM
  • Thank You this was the answer I was looking for. I was able to do this on multiple domain PC's and it solved the issue Thank You
    • Proposed as answer by TMPerson Sunday, December 04, 2016 5:42 PM
    • Unproposed as answer by TMPerson Sunday, December 04, 2016 5:42 PM
    Wednesday, October 14, 2015 12:38 PM
  • Thanks for your answer. This works for the domain admin account. It solved the issue i had when going to the "desktop icons".

    Regards,

    Wednesday, October 26, 2016 9:36 AM
  • Fix my issue. thanks!
    Thursday, March 30, 2017 7:22 PM
  • No. It doesn't work

    The answer should not be marked correct


    Thanks & Regards Ramandeep Singh


    Saturday, June 03, 2017 2:21 PM
  • This did not solve the issue I am having. It is similar, but when I have a standard domain user logged into my Windows 10 build, Domain admins cannot elevate access to install programs or run programs that require elevated access. Only local admins can elevate successfully. The provided gpedit.msc suggestion does not fix this issue.
    Wednesday, June 21, 2017 7:11 PM
  • Perfect!

    Applied GPO at Default Domain Policy and it works!

    Saturday, August 12, 2017 5:20 AM
  • Worked for me on Windows Server 2016, too. Applied the GPO at the DC and could access the rundll32.exe normally.

    Many thanks!

    Thursday, November 23, 2017 12:27 PM