Finaria asked

Server2019, Admin user asked for password

Hi!

I have a server in a domain (test.local). On the server I added 2 domain users to the Local Administrators group (Bob, Bab). [[ Local Users and Groups -> Groups -> Administrators ]]

Everybody is using Remote Desktop.

  1. Both of the users have Admin rights, BUT the server always asks for the admin password when they start a task with "Run as administrator". They type their password and it works. But if I log in with my account (Domain Admin), I can execute programs without typing my password.

  2. On these accounts the "Administrator tools" is missing from the user interface, but if they start one of them in CMD it will run (and asks for a password). (For example, when they type "Create and format partition" in the search bar, it's not showing, but they can start it from cmd.)

So they have admin rights, and they can use everything if they type their password. How can I configure the server to not ask them for a password? I want to configure them to become full-rights Administrators. It looks like when they log in to the server, they become a regular user without any rights, but their account is able to do any Admin thing.


Thanks for the help.

windows-server, remote-desktop-services

1 Answer

LeonLaude answered

Hi @Finaria,

This is due to the User Account Control (UAC) behaviour; you'll find more information here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode

To avoid elevation prompts for members of the Administrators group without disabling UAC, you can set the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" security policy to "Elevate without prompting" in group policies or local policies.


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon


Hi, thanks for the answer.

I made a completely new user (test) and added it to the local Administrators group, and it's working without asking for a password... Why is this happening? Why were the 2 older Domain Users asked for a password and the new user not?


"To avoid elevation prompts for members in administrators group without disabling UAC, you can set User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy to Elevate without prompting in group policies or local policies."

I already did this; I forgot to mention it in the original post.




Did you try rebooting the server after, or at least log out your users and log back in and try again?

Also check what current policies are applied to your server(s).


Thanks for helping. One of the solutions was good: logout or restart (and I also removed and added the users to the Local Admin groups).

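A way to check the state this thread converged on, as an added PowerShell example that is not part of the original posts: it reads the UAC policy values from the registry and compares direct membership of the local Administrators group with what the current logon token carries, since group membership is evaluated at logon. The column headers given to `ConvertFrom-Csv` and the variable names are chosen here; run it in the affected user's own session.

```powershell
# Added example: UAC policy vs. Administrators membership vs. current logon token.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# ConsentPromptBehaviorAdmin backs the policy "Behavior of the elevation
# prompt for administrators in Admin Approval Mode".
$promptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$policy   = Get-ItemProperty -Path $policyKey
$behavior = $policy.ConsentPromptBehaviorAdmin
$behaviorText = if ($null -eq $behavior) { 'not set (Windows default applies)' }
                else { '{0}: {1}' -f $behavior, $promptNames[[int]$behavior] }

# Groups in the token of THIS session. whoami also lists deny-only entries,
# which is how Administrators appears in a filtered (non-elevated) token.
$tokenGroups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$inToken = $tokenGroups | Where-Object SID -eq $adminSid

# Membership as stored on the server right now. Get-LocalGroupMember returns
# direct members only; membership through a nested domain group is not expanded.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$direct = Get-LocalGroupMember -SID $adminSid |
    Where-Object { $_.SID.Value -eq $me.User.Value }

$principal = [System.Security.Principal.WindowsPrincipal]$me
[pscustomobject]@{
    User                    = $me.Name
    UacEnabled              = ($policy.EnableLUA -eq 1)
    AdminPromptPolicy       = $behaviorText
    DirectMemberOfAdmins    = [bool]$direct
    AdminsSidInLogonToken   = [bool]$inToken
    TokenAttributes         = $inToken.Attributes
    CurrentProcessElevated  = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
} | Format-List

if ($direct -and -not $inToken) {
    Write-Warning ('Account is in Administrators, but this session token does ' +
        'not carry the group: sign out and back in (or reboot) to refresh it.')
}
```

`gpresult /r` run in the same session shows which Group Policy objects are applied, which covers the "check what current policies are applied" step from the comments.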