Windows Server 2019 Fresh Active Directory Promotion Bugs


Hi Everyone,

Is anyone having an issue with a fresh domain controller promotion? I've found quite a number of users mentioning the Start Menu being unable to change after promoting the server to a domain controller; however, it seems no one has mentioned this.

What I encounter, apart from the issue with the Start Menu, is that anything relating to administrative privileges will say "Windows cannot access the specific device path or file. You may not have the appropriate permission to access them". Also, "Authenticated Users" is not added to the C drive and the "Windows" folder.

The problem is still there after updating to "March 1, 2019—KB4482887 (OS Build 17763.348)".

I had this problem with Windows Server 2016 in the beginning, but Microsoft fixed it with some updates. Why can't they do it now with Windows Server 2019?

ClasseJohansson

1 Reply

The "fix" is to turn on UAC admin approval mode. AFAICT, this was never fixed in 2016, so hardly surprising it's still buggy in 2019. Shame on you, MS. :(

Apply this to Domain Controllers via GPO:

Policies -> Windows Settings -> Security Settings -> Local Policies/Security Options -> User Account Control
Admin Approval Mode for the Built-in Administrator account: Enabled
Allow UIAccess applications to prompt for elevation without using the secure desktop: Enabled
Behavior of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
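
To confirm that the GPO from the reply above actually reached a domain controller, the effective values can be read from the registry. This is an added example, not part of the original thread; the registry value names are the standard ones behind these Security Options entries, and the `EnableLUA` row is an extra check that the reply does not mention.

```powershell
# Added example: compare a DC's effective UAC values with the reply's settings.
# Run in an elevated PowerShell session on the domain controller.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value behind each policy and the data matching the reply's setting.
$expected = @(
    [pscustomobject]@{
        Policy = 'Admin Approval Mode for the Built-in Administrator account'
        Name   = 'FilterAdministratorToken'; Want = 1 }      # Enabled
    [pscustomobject]@{
        Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop'
        Name   = 'EnableUIADesktopToggle'; Want = 1 }        # Enabled
    [pscustomobject]@{
        Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
        Name   = 'ConsentPromptBehaviorAdmin'; Want = 0 }    # Elevate without prompting
    # Not in the reply: with EnableLUA = 0, Admin Approval Mode is off entirely
    # and the three settings above have no effect.
    [pscustomobject]@{
        Policy = 'Run all administrators in Admin Approval Mode (extra check)'
        Name   = 'EnableLUA'; Want = 1 }
)

$current = Get-ItemProperty -Path $key

$report = foreach ($e in $expected) {
    # A value that was never written shows up as a missing property.
    $prop   = $current.PSObject.Properties[$e.Name]
    $actual = if ($prop) { $prop.Value } else { $null }
    [pscustomobject]@{
        Policy   = $e.Policy
        Value    = $e.Name
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Match    = ($actual -eq $e.Want)
    }
}

$report | Format-Table -AutoSize -Wrap

# Summarize so the script can be used in a scheduled compliance check.
$mismatch = @($report | Where-Object { -not $_.Match })
if ($mismatch.Count -gt 0) {
    Write-Warning ("{0} UAC value(s) differ from the reply's settings." -f $mismatch.Count)
}
```

`gpresult /r /scope computer` on the same machine shows whether the GPO carrying these settings was applied at all.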