Staring at a blank desktop, due to Interactive missing from Users group

Ran into an issue this week that was strange. When you TS'd to the box it would just show a blank background and nothing else. If you tried to launch Task Manager it would just fail silently to the user (actually access denied in the debugger). My user account was in the admin group and the server was completely accessible remotely with administrative perms. It was just when I (or anyone) tried to log on to the server locally or through TS that it was messed up. Another piece of the puzzle was that if you disabled UAC and rebooted the server the issue no longer repro'd.

So what was there with UAC and logging onto this server?

When logging on this event was triggered:

Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          5/27/2008 5:13:28 PM
Event ID:      4006
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXX
Description:
The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\system32\userinit.exe.

Turns out that they removed the account "NT AUTHORITY\INTERACTIVE" from the Users group on the machine. We added that account back into the Users group and like magic it worked again. I'm working on getting a KB filed and written for this issue, but until then at least people can find it if they notice this event in the event log.

Reference:

https://technet2.microsoft.com/WindowsVista/en/library/00d04415-2b2f-422c-b70e-b18ff918c2811033.mspx?mfr=true

UAC Architecture

While the Windows Vista logon process externally appears to be the same as the logon process in Windows XP, the internal mechanics have greatly changed. The following illustration details how the logon process for an administrator differs from the logon process for a standard user.

[Illustration: Windows Vista logon process]

When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe).
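The check that would have shortened those three days, as an added example that is not part of the original post: it confirms that the well-known INTERACTIVE identity (SID S-1-5-4) is still in the local Users group, lists recent Winlogon 4006 warnings, and with -Repair re-adds the account the way the post's fix did. It assumes an elevated PowerShell session on the affected box; the ADSI WinNT provider is used so it also works on Windows Server 2008.

```powershell
# Added example, not from the original post: verify that NT AUTHORITY\INTERACTIVE
# (SID S-1-5-4) is a member of the local Users group and surface the Winlogon 4006
# warning the post describes. Run from an elevated PowerShell prompt.
param([switch]$Repair)   # -Repair adds INTERACTIVE back, as the post's fix did

$interactiveSid = 'S-1-5-4'

# Enumerate the local Users group through the WinNT ADSI provider, which exists on
# Windows Server 2008 where Get-LocalGroupMember does not.
$group   = [ADSI]'WinNT://./Users,group'
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $sidBytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $name     = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    New-Object -TypeName PSObject -Property @{ Name = $name; Sid = $sid.Value }
}

$present = $members | Where-Object { $_.Sid -eq $interactiveSid }
if ($present) {
    Write-Host 'OK: NT AUTHORITY\INTERACTIVE is a member of the local Users group.'
} else {
    Write-Warning 'NT AUTHORITY\INTERACTIVE is MISSING from the local Users group.'
    Write-Warning 'With UAC on, the filtered (standard user) token relies on Users membership; expect a blank desktop and Winlogon 4006.'
    if ($Repair) {
        # Same fix the post applied; net.exe resolves the well-known account name.
        net localgroup Users 'NT AUTHORITY\INTERACTIVE' /add
    }
}

# Show recent Winlogon 4006 warnings ("failed to spawn a user application").
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 4006
} -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    '{0:u}  Winlogon 4006: {1}' -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}
```

Membership is compared on the SID rather than the display name, so a renamed or localized account name does not produce a false "missing" result.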

Hat tip to Ben on my team who actually figured this out after I tried to debug it for 3 days...

Technorati Tags: Vista,Windows 2008,UAC,Winlogon