Case of the unexplained: Windows troubleshooting with Mark Russinovich https://youtu.be/qouxznNC2XU
-Soli Deo Gloria
There are 10 types of people in the world: those who understand binary and those who do not.
This was an interesting one. I was converting some computers over from an older domain to a new one and was getting this error while logged in as a non-admin user and trying to change the domain membership:
Attempts to do a runas on Command Prompt ended up with this even more bizarre error message:
At first I thought it was the OS being corrupted on the computer, but I encountered this error on more and more computers. If I logged in as a user with administrator rights, everything worked fine.
After digging for a while, I figured this had to be a UAC policy as we don’t use AppLocker.
The issue: https://msdn.microsoft.com/en-us/library/cc232762.aspx
ConsentPromptBehaviorUser
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: “ConsentPromptBehaviorUser”
0x00000000: This option SHOULD be set to ensure that any operation that requires elevation of privilege will fail as a standard user.
0x00000001: This option SHOULD be set to ensure that a standard user that needs to perform an operation that requires elevation of privilege will be prompted for an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.
The previous IT staff (who are no longer here) had set a policy disabling UAC elevation. Doing so causes all kinds of crazy error messages like this one. Why would they do that? Well, the one guess I can come up with is that they didn’t want help desk calls from people encountering a UAC prompt. Of course, this also interferes with any IT staff attempting to do any work as all attempts to elevate to admin are blocked.
Some users had admin rights and some didn’t…the ones that didn’t were the ones where this issue was popping up. Thankfully, this policy isn’t set in the new domain.
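
To confirm which setting a machine has, the ConsentPromptBehaviorUser value quoted above can be read straight from the registry. The PowerShell below is an added example, not part of the original post; the function name `Get-UacStandardUserPolicy` and its `-ComputerName` parameter are hypothetical, and remote queries assume PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example (not from the original post): report the UAC standard-user
# elevation policy and what it means, using the two values quoted above.
function Get-UacStandardUserPolicy {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: computers to check. Defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each machine; returns the DWORD, or nothing if the value is absent.
    $query = {
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $item = Get-ItemProperty -Path $key -Name 'ConsentPromptBehaviorUser' -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.ConsentPromptBehaviorUser }
    }

    foreach ($computer in $ComputerName) {
        $value = $null
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $value = & $query
            } else {
                # Assumption: WinRM is enabled and the caller may connect.
                $value = Invoke-Command -ComputerName $computer -ScriptBlock $query -ErrorAction Stop
            }

            if ($null -eq $value) {
                $meaning = 'Value not set under Policies\System'
            } elseif ($value -eq 0) {
                $meaning = 'Elevation requests from standard users fail (the behaviour in this post)'
            } elseif ($value -eq 1) {
                $meaning = 'Standard users are prompted for an administrative user name and password'
            } else {
                $meaning = 'Value not covered by the excerpt quoted above'
            }
        } catch {
            $meaning = "Query failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{ ComputerName = $computer; Value = $value; Meaning = $meaning }
    }
}

# Check the local machine; pass -ComputerName to check several at once.
Get-UacStandardUserPolicy | Format-Table -AutoSize
```

Reading this key does not require elevation, so the check can be run from the affected standard-user session itself.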