locked
Domain Admin login and get: The requested operation requires elevation RRS feed

  • Question

  • I have tried searching through and finding other questions relevant to exactly what I am doing but have not come across answers that seem to fit my situation.

    I have logged into a Server 2008 R2 system with an account which is part of the 'Domain Admin' group.  Then I go to the command prompt and try to add a route and get the error 'The requested operation requires elevation'.   I turned UAC off for this account and logged off and logged back in and still receive the error.

    I can add the route using local administrator login.  I'm concerned though that something isn't correct.  Because if I am a 'Domain Admin' which is a member of the Administrator group on the computer shouldn't I be able to do Administrative functions on this computer.   Is this something specific to Server 2008 R2? or to routing? or is something else not correct.

    Tuesday, February 14, 2012 10:08 PM

Answers

  • Hi,

    You must restart your computer when you enable or disable UAC. Changing levels of notification does not require that you restart your computer.

    For details:

    How do I change the behavior of User Account Control by using the slider?
    http://windows.microsoft.com/en-US/windows7/How-do-I-change-the-behavior-of-User-Account-Control-by-using-the-slider

    The requested operation requires elevation: please try to right click the cmd and Run as an Administrator.

    Hope this helps!

    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    • Marked as answer by Elytis Cheng Tuesday, February 21, 2012 8:28 AM
    Wednesday, February 15, 2012 1:47 AM
  •  
    > I can add the route using local administrator login.
     
    For the local builtin administrator, UAC is disabled by default, so this
    works. Changes in the UAC configuratino - as Elytis wrote - require
    rebooting the computer.
     
    You may always check wether your command line is running elevatet: If
    true, the title bar usually states "Administrator: Command Prompt". If
    not, you may type "whoami /groups". If you are running elevatet, you
    will find this line as the last entry in the output:
     
    Mandatory Label\High Mandatory Level         Label           
    S-1-16-12288                                   Mandatory group, Enabled
    by default, Enabled group, Local Group
     
    If you are running "normal", it reads
     
    Mandatory Label\Medium Mandatory Level       Label           
    S-1-16-8192                                    Mandatory group, Enabled
    by default, Enabled group, Local Group
     
    (Medium instead of High)
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Elytis Cheng Tuesday, February 21, 2012 8:28 AM
    Wednesday, February 15, 2012 11:45 AM

All replies

  • Hi,

    You must restart your computer when you enable or disable UAC. Changing levels of notification does not require that you restart your computer.

    For details:

    How do I change the behavior of User Account Control by using the slider?
    http://windows.microsoft.com/en-US/windows7/How-do-I-change-the-behavior-of-User-Account-Control-by-using-the-slider

    The requested operation requires elevation: please try to right click the cmd and Run as an Administrator.

    Hope this helps!

    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    • Marked as answer by Elytis Cheng Tuesday, February 21, 2012 8:28 AM
    Wednesday, February 15, 2012 1:47 AM
  •  
    > I can add the route using local administrator login.
     
    For the local builtin administrator, UAC is disabled by default, so this
    works. Changes in the UAC configuratino - as Elytis wrote - require
    rebooting the computer.
     
    You may always check wether your command line is running elevatet: If
    true, the title bar usually states "Administrator: Command Prompt". If
    not, you may type "whoami /groups". If you are running elevatet, you
    will find this line as the last entry in the output:
     
    Mandatory Label\High Mandatory Level         Label           
    S-1-16-12288                                   Mandatory group, Enabled
    by default, Enabled group, Local Group
     
    If you are running "normal", it reads
     
    Mandatory Label\Medium Mandatory Level       Label           
    S-1-16-8192                                    Mandatory group, Enabled
    by default, Enabled group, Local Group
     
    (Medium instead of High)
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Elytis Cheng Tuesday, February 21, 2012 8:28 AM
    Wednesday, February 15, 2012 11:45 AM
  • I received the same error after a fresh installation of windows 2008 server r2.  I am building a standalone development environment and created a separate user in AD which I gave domain admin privelages to. I was having some DNS issues and decided to attempt to execute mmc.exe with a runas command underneath the credentials of the account I created.

    runas /user:mycontoso\superstud "mmc.exe" [password]

    The Requested operation requires eleveation in an Administrator command prompt. Go figure :) Lowered the the User Access Control Settings, rebooted and it worked.

    Wednesday, April 24, 2013 9:09 PM
  • refer: http://technet.microsoft.com/en-us/library/dd835561(v=ws.10).aspx

    for your example, the account you are using is a member of "Domain Admins", which is equivalent to a member of "Admins".
    even though you are logged in with an account that has machine admin privileges, the default (from Vista forwards) is to operate as the limited/standard user token.
    so, you must "runasadmin" (aka elevate) to "switch" to the other token.

    as Martin says, if you logon to the machine by using the local/builtin Administrator account (not a Domain account), by default the limited/standard user token is not used, so in this case you are already/always "elevated".

    this is all part of the MS approach since Vista (and forwards), to default to limited/standard privilege/token, and you must take a conscious action to elevate.
    disabling UAC is certainly an option, but is similar to riding a motorcycle without a helmet - you are running extra risk, by discarding an engineering safeguard.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, April 24, 2013 10:38 PM