Windows Server Summit 2024
Mar 26 2024 08:00 AM - Mar 28 2024 04:30 PM (PDT)
Microsoft Tech Community
LIVE

Windows Server 2019 DC/Std odd permission issues with UI options

Brass Contributor

We are in the process of getting some test servers up to replace some basic 2008 R2s, etc. 

 

Both of these scenarios are ran using domain admin accounts:

 

We have noticed that after it is domain-joined, when we run windows updates and are ready to install (through the GUI), if we attempt to hit the restart button within the WU settings screen, we get this error: We're having trouble restarting to finish the install. Try again in a little while. If you keep seeing this, try searching the web or contacting support for help. This error code might help: (0x80070005)

 

We can restart the system just fine using the start menu.

 

Another place I have seen some weird permission issues like this was when I attempted to change the time zone of a server. If you right click the time and go to adjust time/timezone, selecting a new time zone in the new Settings UI, it will change the selection, but the time will not change on the system, and when you switch to a different settings page and back, it has reverted. If you go to open up the classic date and time control panel window, when you attempt to change the time zone, we get a "You do not have permission to perform this task, please contact your computer administrator for help."

 

To get that running, we can run timedate.cpl as admin and it works just fine. 

 

I ran both of these scenarios on a fresh, non-domain joined VM and did both of these tasks just fine when it was not on the domain. It seems there may be some permission or UAC issue within 2019, as this works just fine in the other OS versions.

 

Is anyone else seeing this behavior? I've seen these scenarios come up in 2-3 threads on reddit or the technet forums, but not seeing any resolutions or communication from MS on if this is a bug.

 

UPDATE: In an attempt to try and nail down exactly what is going on, I've narrowed down the replication steps, at least for us. In a fresh VM with the ISO provided from the VLSC, these tasks (changing timezone, and restarting via that restart button with the Settings app) work just fine using local admin. I created a second local admin account (still not domain joined) and assigned it to the Administrators group. This second admin account fails to get the proper permissions to be able to change the time zone and gets the error when trying to restart. 

 

In the local security policy, under the User Rights Assignment section, I added this second admin account to "Change the time zone" and "Shutdown the system" explicity (Administrators is already included in the scope). Relogging on to this second admin account, I am able to successfully change the timezone and restart from the Settings app after an update. Removed the account from both and tested again, back to not having permission.

 

In our domain environment, we have domain admins included in local administrators group, so this would explain why we those domain admin accounts are experiencing this behavior. 

11 Replies

We have also the same problem here, home that someone or microsoft have a fix for this.

I have also created a reddid post but no answer.

https://www.reddit.com/r/sysadmin/comments/9ygcbj/windows_server_2019_reboot_after_update_button/

Error after press ,,restart now'' buttonError after press ,,restart now'' button

I've edited my original post with an update, but in case it gets missed, here is what I updated:

 

In an attempt to try and nail down exactly what is going on, I've narrowed down the replication steps, at least for us. In a fresh VM with the ISO provided from the VLSC, these tasks (changing timezone, and restarting via that restart button with the Settings app) work just fine using local admin. I created a second local admin account (still not domain joined) and assigned it to the Administrators group. This second admin account fails to get the proper permissions to be able to change the time zone and gets the error when trying to restart. 

 

In the local security policy, under the User Rights Assignment section, I added this second admin account to "Change the time zone" and "Shutdown the system" explicity (Administrators is already included in the scope). Relogging on to this second admin account, I am able to successfully change the timezone and restart from the Settings app after an update. Removed the account from both and tested again, back to not having permission.

 

In our domain environment, we have domain admins included in local administrators group, so this would explain why we those domain admin accounts are experiencing this behavior. 

Hi Jordan,

 

Thank you for your feedback and your great troubleshooting steps.

We have now added to the servers the domain admin group and another admin group from the active directory that we have for all admins in our environment.

For us it is working now.

 

Regards sys-adm

This issue is still present after updating with the February patches.
Still an issue with March patches. Anyone from MS that can respond?

I hope it'll be fixed soon...

I'm waiting for it to upgrade my servers.

I upgraded one of my sccm distribution point and have the reboot/shutdown issue.

@Michaël Becker  @Jordan Paris  KB4482887 Cumulative Update March 1, 2019 or later should fix this issue.  That is build 17763.348 or later.  The workaround for earlier builds is to do the restart from the start menu.

@ChrisC2020  It looks like it may resolve the Restart Now from Windows update, but 2 servers so far with these patches still cannot change the time zone through the new settings GUI.

Having this problem with our domain-joined Windows 10 PCs.  "Restart now" in Windows Updates gives error "We're having trouble restarting to finish the install. Try again in a little while. If you keep seeing this, try searching the web or contacting support for help. This error code might help: (0x80070005)"  

 

Unfortunately the suggested fix here of adding the user explicitly to "Local Policy -> User Rights Assignment -> Shut down the system" did not work for us.  Rebooting from Start is a workaround, but we've found if users don't manually restart in a timely manner after updates, the Updates nag screen comes up the next day, takes over the screen, and apparently immediately hangs so the user cannot continue.  Likely this is also related to the problem. A mystery!

We are also having this issue with all 8 of our Server 2019 installs, some upgraded and some fresh installs with all updates installed. another issue is that Server Manager throws an error and will not open using an account with "Domain Admins" or "Group Policy Creator Owners" group permissions but will work just fine with local Administrator or "Administrators" group added to the domain user's account without the above mentioned groups that have issues.

in summary, if a user account has "Domain Admins" or "Group Policy Creator Owners" group attached to it, it has problems (regardless of what other groups the user belongs to.)

@n3ologic update: the "Domain Admins" and the "Group Policy Creator Owners" groups were created on 9/14/2002 so they were a part of the upgrade on the DC. would there be any problem deleting these groups and re-adding them to the DC?