User Account Control (UAC) and Server Core

User Account Control (UAC) and Server Core

  • Comments 6
  • Likes

A slight detour from the Windows Server 2008 R2 posts this time around to cover a topic that has been coming up recently: UAC on Server Core.

UAC is not available in Server Core, since it is a command line only interface, doesn’t have IE, or support for user applications. In addition, to use UAC with the command prompt you need to have the Explorer Shell so that you can click Start, right click on Command Prompt, and select run as administrator, which obviously isn’t possible on Server Core.

If the registry entry that controls UAC is modified on a Server Core installation, it will make doing anything at the command prompt very difficult. Running most anything will result in access denied or other related errors, depending on how UAC aware what you are trying to run is. A quick way to determine if UAC is what is causing the error is to run regedit. If UAC is enable you will receive an error dialog that says “The specified service does not exist as an installed service.” and clicking Ok will return “Access is denied.” on the command line.

 

To resolve this you can:

 

·         If you are using Group Policy to configure your servers and put a server running the Server Core installation into an OU that enables UAC, move the server to another OU that doesn’t enforce UAC and let Group Policy change the setting.

·         If UAC was manually configured, disable UAC by remotely modifying the registry

·         Logon using the built-in administrator to perform your admin task or disable UAC.

To disable UAC on Server Core you can use reg.exe or regedit.exe to set the EnableLUA value under the following Registry path to 0 and reboot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

More on Windows Server 2008 R2 next time.

Comments
  • PingBack from http://www.ditii.com/2009/01/20/user-account-control-uac-and-server-core/

  • It would probably be a good idea for Server Core to ignore UAC being set from group policy.

  • Of course, you could always use runas.exe and run as administrator at the command line to get a UAC compatible window, you don't need the Windows explorer shell to right-click and Run As.  That being said, it would be rather absurd to do that as it's not anymore secure for the reasons listed (no IE, no user applications, etc).

  • I agree with Joshua above!  If the GUI can't support it, why is Server Core even looking and obeying UAC registry entries / group policy!?  Bizarre...

  • Hang on - Looks like this article is incorrect.  According to this article, blogs.msdn.com/.../disabling-user-account-control-uac-on-windows-server.aspx, UAC is always enabled on 2008 R2.  However, it was possible to enable it on 2008.

  • "Hang on - Looks like this article is incorrect.  According to this article, blogs.msdn.com/.../disabling-user-account-control-uac-on-windows-server.aspx, UAC is always enabled on 2008 R2.  However, it was possible to enable it on 2008."

    You missed the part at the very end that said:

    "Note also that UAC is always disabled on Windows Server 2008 R2 Server Core and should always be kept disabled on Windows Server 2008 Server Core. A hotfix is available for Windows Server 2008 Server Core (KB 969371) to prevent UAC from being enabled accidentally."

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment