Home

Windows Server 2019 Fresh Active Directory Promotion Bugs

%3CLINGO-SUB%20id%3D%22lingo-sub-359499%22%20slang%3D%22en-US%22%3EWindows%20Server%202019%20Fresh%20Active%20Directory%20Promotion%20Bugs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-359499%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Everyone%2C%3C%2FP%3E%3CP%3EAnyone%20having%20issue%20with%20a%20fresh%20domain%20controller%20promotion%20issue%3F%20I've%20found%20quite%20a%20number%20of%20users%20mention%20about%20Start%20Menu%20unable%20to%20change%20after%20promoting%20the%20server%20to%20a%20domain%20controller%20however%20seems%20no%20one%20mention%20about%20this.%3C%2FP%3E%3CP%3EWhat%20I%20encounter%20is%20apart%20from%20the%20issue%20with%20the%20Start%20Menu%2C%20anything%20that%20relating%20to%20administrative%20privileges%20it%20will%20say%20%22Windows%20cannot%20access%20the%20specific%20device%20path%20or%20file.%20You%20may%20not%20have%20the%20appropriate%20permission%20to%20access%20them%22%20also%20the%20%22Authenticated%20Users%22%20is%20not%20inputted%20into%20the%20C%20drive%20and%20the%20%22Windows%22%20folder.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20problem%20is%20still%20there%20after%20updating%20%22March%201%2C%202019%E2%80%94KB4482887%20(OS%20Build%2017763.348)%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20hade%20this%20problem%20with%20windows%202016%20server%20in%20the%20beginning%2C%20but%20Microsoft%20fixed%20it%20with%20some%20updates.%20Why%20can't%20they%20do%20it%20now%20with%20windows%202019%20server%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EClasseJohansson%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-359499%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-364756%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Server%202019%20Fresh%20Active%20Directory%20Promotion%20Bugs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-364756%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20%22fix%22%20is%20to%20turn%20on%20UAC%20admin%20approval%20mode.%20AFAICT%2C%20this%20was%20never%20fixed%20in%202016%2C%20so%20hardly%20surprising%20it's%20still%20buggy%20in%202019.%20Shame%20on%20you%2C%20MS.%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EApply%20this%20to%20Domain%20Controllers%20via%20GPO%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH5%20id%3D%22toc-hId-1088559642%22%20id%3D%22toc-hId-1119961121%22%3EPolicies%20-%26gt%3B%20Windows%20Settings%20-%26gt%3B%20Security%20Settings%20-%26gt%3B%20Local%20Policies%2FSecurity%20Options%20-%26gt%3B%20User%20Account%20Control%3CBR%20%2F%3EAdmin%20Approval%20Mode%20for%20the%20Built-in%20Administrator%20account%3A%20Enabled%3CBR%20%2F%3EAllow%20UIAccess%20applications%20to%20prompt%20for%20elevation%20without%20using%20the%20secure%20desktop%3A%20Enabled%3CBR%20%2F%3EBehavior%20of%20the%20elevation%20prompt%20for%20administrators%20in%20Admin%20Approval%20Mode%3A%20Elevate%20without%20prompting%3C%2FH5%3E%3C%2FLINGO-BODY%3E
ClasseJohansson
New Contributor

Hi Everyone,

Anyone having issue with a fresh domain controller promotion issue? I've found quite a number of users mention about Start Menu unable to change after promoting the server to a domain controller however seems no one mention about this.

What I encounter is apart from the issue with the Start Menu, anything that relating to administrative privileges it will say "Windows cannot access the specific device path or file. You may not have the appropriate permission to access them" also the "Authenticated Users" is not inputted into the C drive and the "Windows" folder. 

 

The problem is still there after updating "March 1, 2019—KB4482887 (OS Build 17763.348)"

 

I hade this problem with windows 2016 server in the beginning, but Microsoft fixed it with some updates. Why can't they do it now with windows 2019 server?

 

ClasseJohansson

1 Reply

The "fix" is to turn on UAC admin approval mode. AFAICT, this was never fixed in 2016, so hardly surprising it's still buggy in 2019. Shame on you, MS. :(

 

Apply this to Domain Controllers via GPO:

 

Policies -> Windows Settings -> Security Settings -> Local Policies/Security Options -> User Account Control
Admin Approval Mode for the Built-in Administrator account: Enabled
Allow UIAccess applications to prompt for elevation without using the secure desktop: Enabled
Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies