question

ZhivkoGospodinov-9740 asked FanFan-MSFT commented

What event does GPU raise in the event log when it turns UAC on on Windows Server 2019?

I work on a Win2019 server and there's a group policy which is being applied daily. It turns on my User Account Control prompt, which I'd like to avoid.
The policy name is:
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
I'd like to have a scheduled job which scans the EventLog for an entry and runs a PS script to disable the UAC prompt; however, I can't find the Event ID logged when the GPU updates the UAC policy for prompting on elevation.
Does someone know the Event ID?
Thank you in advance!

windows-server windows-group-policy

Hi,
 
Just checking in to see if the information provided was helpful.
 
If the reply helped you, please remember to accept it as an answer.
If not, please reply and tell us the current situation so that we can provide further help.

Best Regards,


Welcome to share here if you have any updates.
Best Regards,


1 Answer

FanFan-MSFT answered

Hi,

To disable the policy "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode", we just need to edit the GPO in which the policy is defined, by running this command as administrator: `gpresult /h report.html`.

Then, in this GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. In the right pane, find the policy User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Right-click the policy setting and click Properties. Check the box Define this policy setting and choose Elevate without prompting.

For the events, we need to enable the audit policy.
The policy of interest is found at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit Privilege Use will give you information about elevated usage using the UAC consent.exe dialog box in the System Event log. The Event IDs created by this: 4648 and 4624.

Audit Process Tracking will give you information about processes and their creation/termination. The Event ID created by this: 4688.

Also, look at Event ID 4696 to see when a new token (user-logon handle) was assigned to a process. Using all these events, you can get a clear picture of the timeline for every process that requested elevated rights with the UAC dialog.
Normally, the audit policy is used for troubleshooting. It does not need to be enabled all the time.

Best Regards,
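
An added example, not part of the original answer or thread: a PowerShell script that reports the current value of the elevation-prompt policy and lists the event IDs named in the answer as one timeline. It assumes the policy is stored in the `ConsentPromptBehaviorAdmin` registry value, that the events are read from the Security log with the audit policy above enabled, and that it runs in an elevated session; `ConvertTo-EventRow` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Read-only: it changes no setting.
# Assumption: the policy is stored in this registry value (0-5).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$meaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$item = Get-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
if ($null -eq $item) {
    'ConsentPromptBehaviorAdmin is not set'
} else {
    $value = [int]$item.ConsentPromptBehaviorAdmin
    "ConsentPromptBehaviorAdmin = $value ($($meaning[$value]))"
}

# Token elevation types as they appear in the XML of event 4688.
$tokenType = @{ '%%1936' = 'Default'; '%%1937' = 'Full (elevated)'; '%%1938' = 'Limited' }

# Hypothetical helper: flatten one Security event into a timeline row.
function ConvertTo-EventRow {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time      = $Record.TimeCreated
        Id        = $Record.Id
        User      = $data['SubjectUserName']
        Process   = if ($data['NewProcessName']) { $data['NewProcessName'] } else { $data['ProcessName'] }
        Elevation = $tokenType[[string]$data['TokenElevationType']]  # empty unless the event is 4688
    }
}

# Event IDs named in the answer, last 24 hours, oldest first.
# Assumption: they are read from the Security log.
$filter = @{ LogName = 'Security'; Id = 4624, 4648, 4688, 4696; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventRow $_ } |
    Sort-Object Time |
    Format-Table -AutoSize
```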




