Forum Discussion
Windows Server 2019 DC/Std odd permission issues with UI options
I've edited my original post with an update, but in case it gets missed, here is what I updated:
In an attempt to try and nail down exactly what is going on, I've narrowed down the replication steps, at least for us. In a fresh VM with the ISO provided from the VLSC, these tasks (changing timezone, and restarting via that restart button with the Settings app) work just fine using local admin. I created a second local admin account (still not domain joined) and assigned it to the Administrators group. This second admin account fails to get the proper permissions to be able to change the time zone and gets the error when trying to restart.
In the local security policy, under the User Rights Assignment section, I added this second admin account to "Change the time zone" and "Shutdown the system" explicitly (Administrators is already included in the scope). Relogging on to this second admin account, I am able to successfully change the timezone and restart from the Settings app after an update. Removed the account from both and tested again, back to not having permission.
In our domain environment, we have domain admins included in local administrators group, so this would explain why those domain admin accounts are experiencing this behavior.
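To audit the two user rights named in the post above, the following added example (not part of the original posts) exports the local User Rights Assignment with `secedit`, resolves the SIDs that hold each right, and then lists the same privileges in the current logon token. The temporary file name is an assumption; run it from an elevated PowerShell prompt on the affected server.

```powershell
# Added example: compare policy assignment with the current token for the
# two rights discussed in the thread.
$rights = @{
    SeTimeZonePrivilege = 'Change the time zone'
    SeShutdownPrivilege = 'Shut down the system'
}

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

foreach ($line in Get-Content $cfg) {
    # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $right = $Matches[1]
        $holders = foreach ($raw in ($Matches[2] -split ',')) {
            $entry = $raw.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate them to account names.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }   # unresolvable SID: show it as exported
            } else {
                $entry
            }
        }
        [pscustomobject]@{
            Right   = $right
            Policy  = $rights[$right]
            Holders = $holders -join '; '
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Privileges actually present in the token of the account running this session.
whoami /priv | Select-String 'SeTimeZonePrivilege|SeShutdownPrivilege'
```

Running it once as the built-in local admin and once as the second admin account shows whether the difference is in the policy assignment or in the token the session received.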
Hi Jordan,
Thank you for your feedback and your great troubleshooting steps.
We have now added to the servers the domain admin group and another admin group from the active directory that we have for all admins in our environment.
For us it is working now.
Regards sys-adm
- n3ologic, Jun 19, 2020, Copper Contributor
We are also having this issue with all 8 of our Server 2019 installs, some upgraded and some fresh installs with all updates installed. Another issue is that Server Manager throws an error and will not open using an account with "Domain Admins" or "Group Policy Creator Owners" group permissions but will work just fine with local Administrator or "Administrators" group added to the domain user's account without the above mentioned groups that have issues.
In summary, if a user account has "Domain Admins" or "Group Policy Creator Owners" group attached to it, it has problems (regardless of what other groups the user belongs to).