Windows 10: AD Domain Admin with missing rights?
Maybe my title is not correct but I wouldn't know how else to name it at this point.
If I log into a Windows 10 machine with the main AD Domain Admin Account, I get an error message when entering the language settings app.
(My Windows is in another language so this is not the actual string in English but just my translation:)
c:\windows\system32\SystemSettingsAdminFlows.exe
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
It seems I can make my changes just fine, they even get saved, I just have to keep clicking the error message away, at least 5-6 times.
This issue doesn't appear when I log in with the local admin account on the same machine.
I checked the local Admin Group, the AD Domain Admin is part of it. And I really can do pretty much everything otherwise.
I can't even provide a good question here, I'd just like to understand what's happening and if I missed something in the configuration.
Update:
```
C:\Users\Administrator>icacls c:\windows\System32\SystemSettingsAdminFlows.exe
c:\windows\System32\SystemSettingsAdminFlows.exe NT SERVICE\TrustedInstaller:(F)
                                                 VORDEFINIERT\Administratoren:(RX)
                                                 NT-AUTORITÄT\SYSTEM:(RX)
                                                 VORDEFINIERT\Benutzer:(RX)
                                                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(RX)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.
```
```
C:\Users\Administrator>whoami /groups

GRUPPENINFORMATIONEN
--------------------

Gruppenname                                          Typ             SID                                           Attribute
==================================================== =============== ============================================= ================================================================================
Jeder                                                Bekannte Gruppe S-1-1-0                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
VORDEFINIERT\Benutzer                                Alias           S-1-5-32-545                                  Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
VORDEFINIERT\Administratoren                         Alias           S-1-5-32-544                                  Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe, Gruppenbesitzer
NT-AUTORITÄT\INTERAKTIV                              Bekannte Gruppe S-1-5-4                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
KONSOLENANMELDUNG                                    Bekannte Gruppe S-1-2-1                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Authentifizierte Benutzer               Bekannte Gruppe S-1-5-11                                      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Diese Organisation                      Bekannte Gruppe S-1-5-15                                      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
LOKAL                                                Bekannte Gruppe S-1-2-0                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Group Policy Creator Owners                   Gruppe          S-1-5-21-1731680816-2417063338-1172291106-520 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Denied RODC Password Replication Group        Alias           S-1-5-21-1731680816-2417063338-1172291106-572 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Enterprise Admins                             Gruppe          S-1-5-21-1731680816-2417063338-1172291106-519 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Schema Admins                                 Gruppe          S-1-5-21-1731680816-2417063338-1172291106-518 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Domain Admins                                 Gruppe          S-1-5-21-1731680816-2417063338-1172291106-512 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
Verbindliche Beschriftung\Hohe Verbindlichkeitsstufe Bezeichnung     S-1-16-12288
```
Looks like it's a problem between 'User Account Control' and the 'Built-in Administrator' account. I had the same issue and this worked for me:
- Press Win + R and type 'secpol.msc' to open the Local Security Policy console.
- In the Security Settings tree, open Local Policies > Security Options.
- Find the policy: User Account Control: Admin Approval Mode for the Built-in Administrator account and enable it.
- Log out - log in, voilà!
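A read-only check of the state this answer changes, as an added example that is not part of the original answer. The policy is stored as the `FilterAdministratorToken` registry value; the script reports it together with whether the current account is the RID 500 Administrator and whether its token carries the High integrity label seen in the `whoami /groups` output above. The helper name `Get-UacValue` and the output property names are illustrative.

```powershell
# Added example (read-only): inspect the UAC state behind the policy
# "User Account Control: Admin Approval Mode for the Built-in Administrator account".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name)
    # $null means the value is absent and Windows applies its default.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid      = $identity.User.Value

# RID 500 marks the built-in Administrator of a machine or of a domain.
$isRid500 = $sid -match '^S-1-5-21-\d+-\d+-\d+-500$'

# The policy is stored as FilterAdministratorToken (1 = enabled, 0 or absent = disabled).
$filterToken = Get-UacValue -Name 'FilterAdministratorToken'
$enableLua   = Get-UacValue -Name 'EnableLUA'

# S-1-16-12288 is the High integrity label shown in the whoami output above;
# /fo csv /nh keeps the SID column intact regardless of display language.
$highIntegrity = [bool](whoami /groups /fo csv /nh | Select-String -SimpleMatch 'S-1-16-12288')

[pscustomobject]@{
    User                     = $identity.Name
    Sid                      = $sid
    IsBuiltInAdministrator   = $isRid500
    EnableLUA                = $enableLua
    FilterAdministratorToken = $filterToken
    HighIntegrityToken       = $highIntegrity
    # True when the session matches the answer's diagnosis: RID 500 logon
    # with Admin Approval Mode for that account not enabled.
    MatchesReportedCondition = $isRid500 -and ($filterToken -ne 1)
} | Format-List
```

Run it in the affected session before and after applying the policy; the policy change only takes effect for a new logon.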
Just had this issue on a few computers I administer. In case it helps anyone:
PCs built from scratch with Windows 10 (education edition) using Lite Touch Installation from Windows server - the issue did not arise.
Some (but not all !?) PCs upgraded to Windows 10 (education edition) - exact same source media as used for the LTI build - from Windows 8.1 exhibited the problem. The only possible pattern I can see so far is that the PCs with the problem were the Surface Pro 2s - the ones that did not exhibit the problem were Surface Pro 3s - apart from driver / firmware etc. differences between the 2 types, the pre-upgrade builds on the 2 types were identical, so this feels very strange.
I also had a few upgrades from Windows 10 Pro that didn't have a problem, but all these were Surface Pro 3s and there weren't enough of them to add anything useful.
The English message is:
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.
- Instead of using local security policy on individual machines, you can use domain group policy - same policy setting, under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options - which seems to fix it.