I’m finding there is a huge gulf between playing with Windows Server 2008 in a lab and working with it in a production environment. The biggest difference for me is that I typically use a built-in Administrator account in the lab environment, but work with an account with delegated permissions in production. This means I encounter…er…challenges with User Account Control (UAC) on a fairly regular basis. I have already blogged about some scenarios in which UAC doesn’t error or fail gracefully here, here and here.
Today’s blog entry is all about the following UAC-related Group Policy setting:
Computer Configuration -> Windows Settings -> Security Settings -> Local Polices -> Security Options -> User Account Control: Run all administrators in Admin Approval Mode
Enabled by default, this setting basically forces all users, including Administrators to run as standard users. Any tasks that need to be run as Administrator have to be launched with elevated privilege. It is a setting that is entirely sensible from a security perspective, but can cause frustration and confusion in certain situations. Here’s an example scenario.
Let’s say you are logged into a Windows Sever 2003 (or Vista) machine with an account that is a member of the local Administrators group. By default the Administrators group has Full Control permissions over files and folders on the machine. With the above-mentioned Group Policy enabled, however, you may not be able to, for example, create new text files by right-clicking within Windows Explorer (unless you have rights to do so through either explicit permissions or through membership of other groups). For example, when right clicking in the root of C:\ you are only likely to have the ability to create a new folder by default, as shown below.
No problem, you might think, my account is a member of the local Administrators group so I’ll just fire up Windows Explorer in elevated mode by right-clicking the icon and choosing “Run as Administrator”. Doing this gives all the appearance of running in elevated mode, but in reality does nothing.
So how the heck do you create new text files? Or, for that matter, how do you do all those other things that require elevated privileges that you typically would do from within Windows Explorer in earlier versions of the OS? Well, there may be other methods, but the workaround I found was to open Notepad in elevated mode. Then from within Notepad select File -> Open and this gives you, effectively, an elevated Windows Explorer to work with, as shown below.
Another option would be to open a command window using “Run as Administrator” and create the text file from there. You could then edit and save it using an elevated Notepad session. Again, a rather clumsy workaround for something that you did without thinking in previous versions of the OS.
If nothing else, UAC in Windows Server 2008 and Vista forces you to think outside the box. The old ways in which you used to work with the user interface in earlier versions of the OS may no longer apply. I can be deeply frustrating, but I suspect UAC is here to stay because of the security benefits it delivers. We may as well get used to it.