Is it possible to disable "Admin Approval Mode" for a single account on a server?
A console-app runs on a single server in a domain and is tasked with deleting some home areas of users who are no longer active. These home areas are located on 50+ different servers spread around the network.
The account runs under the context of an account that is also a member of the Local Administrator group on each storage server, which has "Full Control" access to the relevant folders.
This works great on a bunch of older servers, but on Windows 2008 it runs into problems. On these servers, "Admin Approval Mode" is enabled for the "Local Administrator" group.
For instance, if I right-click a folder and try to access properties/security (using the same service account), I get this prompt:
I can press continue, and then proceed to use the full control permissions. If I do the same when deleting files, things work like intended.
Is it possible to disable this on a per-user/per-server basis, so it would continue to apply to all other accounts, but not to the service account in question here?
Forgive me if I mess up some of the terminology here. I am just a developer. :)
Edit: Made it clear that I was talking about a console app on a single server, accessing home areas on many different servers on the network.
This feature is called UAC (User Account Control). It can only be disabled per-server, not per-user. To do so, go to the start menu, type "msconfig", then open the only entry in the list. In this new window choose the "Tools" tab and select "Change UAC Settings", then pull the sliding scale down to disabled.
I'm pretty sure in Windows 8 onwards you can't disable U.A.C. (without registry hacks, but then the Windows Apps don't work). A better way is to disable Admin Approval Mode (A.A.M.):
When accessing a folder in Windows Explorer, it prompts saying "You don't currently have permission to access this folder". Now I know this folder has the following permissions set on it:
- SYSTEM - Full Control
- Administrators - Full Control
- Users - Create Folder append data
My user account is a member of Administrators. I should have permission to access this folder.
Well, A.A.M. will give all "Administrators" group members a "Standard User" access token on start-up of Explorer. So when you click the folder a User Access Control (U.A.C.) will pop up asking for permission. This will add your user as a separate A.C.L. (Access Control List) entry and give you the same permissions as "Administrators".
Two solutions to this:
- Create a new group with the same permissions as an Admin, add your user to this group, add this group to the folder you want to access. You will have full access without prompt or a separate User A.C.L. entry being added.
- Disable A.A.M.:
  - Essentially, Win+R, GPEDIT.msc
  - Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options
    - User Account Control: Admin Approval Mode for the Built-in Administrator account
    - User Account Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode
    - User Account Control: Run all administrators in Admin Approval Mode
  - Set the policy settings as follows, in the following order:
    - Disabled
    - Elevate without prompting
    - Disabled
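
To check how a given server is configured before or after touching these three policies, their values can be read back from the registry. This is an added example, not part of the original answer: the registry value names are the ones Windows stores these policies under, while the function name `Get-UacPolicyState` and the "MatchesAnswer" column are made up for illustration. It assumes PowerShell 3.0 or later and only reads, never writes.

```powershell
# Added example: read-only report of the three UAC policies listed in the answer above.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name as shown in gpedit.msc -> registry value name -> data matching the answer's setting.
$UacPolicies = @(
    [pscustomobject]@{
        Policy        = 'Admin Approval Mode for the Built-in Administrator account'
        RegistryValue = 'FilterAdministratorToken'
        AnswerData    = 0   # Disabled
    }
    [pscustomobject]@{
        Policy        = 'Behaviour of the elevation prompt for administrators in Admin Approval Mode'
        RegistryValue = 'ConsentPromptBehaviorAdmin'
        AnswerData    = 0   # Elevate without prompting
    }
    [pscustomobject]@{
        Policy        = 'Run all administrators in Admin Approval Mode'
        RegistryValue = 'EnableLUA'
        AnswerData    = 0   # Disabled
    }
)

function Get-UacPolicyState {
    # Hypothetical helper name. Returns one object per policy for the local machine.
    param([string]$Path = $UacKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($p in $UacPolicies) {
        $current = $props.($p.RegistryValue)   # $null when the value is not present
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Policy        = $p.Policy
            RegistryValue = $p.RegistryValue
            Current       = if ($null -eq $current) { 'not set' } else { $current }
            # True when the server already has the setting the answer describes,
            # i.e. Admin Approval Mode is relaxed for this policy.
            MatchesAnswer = ($null -ne $current -and $current -eq $p.AnswerData)
        }
    }
}

Get-UacPolicyState | Format-Table -AutoSize -Wrap
```

A change to `EnableLUA` only takes effect after a reboot, so the registry can show the new value while the running system still behaves as before.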