14

Maybe my title is not correct but I wouldn't know how else to name it at this point.

If I log into a Windows 10 machine with the main AD Domain Admin Account, I get an error message when entering the language settings app.

(My Windows is in another language so this is not the actual string in English but just my translation:)

  c:\windows\system32\SystemSettingsAdminFlows.exe   
  Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

It seems I can make my changes just fine, they even get saved, I just have to keep clicking the error message away, at least 5-6 times.

This issue doesn't appear when I log in with the local admin account on the same machine.

I checked the local Admin Group, the AD Domain Admin is part of it. And I really can do pretty much everything otherwise.

I can't even provide a good question here, I'd just like to understand what's happening and if I missed something in the configuration.

Update:

C:\Users\Administrator>icacls c:\windows\System32\SystemSettingsAdminFlows.exe
c:\windows\System32\SystemSettingsAdminFlows.exe NT SERVICE\TrustedInstaller:(F)
                                                 VORDEFINIERT\Administratoren:(RX)
                                                 NT-AUTORITÄT\SYSTEM:(RX)
                                                 VORDEFINIERT\Benutzer:(RX)
                                                 ZERTIFIZIERUNGSSTELLE FÜR ANWENDUNGSPAKETE\ALLE ANWENDUNGSPAKETE:(RX)

1 Dateien erfolgreich verarbeitet, bei 0 Dateien ist ein Verarbeitungsfehler aufgetreten.

C:\Users\Administrator>whoami /groups

GRUPPENINFORMATIONEN
--------------------

Gruppenname                                          Typ             SID                                           Attribute
==================================================== =============== ============================================= ================================================================================
Jeder                                                Bekannte Gruppe S-1-1-0                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
VORDEFINIERT\Benutzer                                Alias           S-1-5-32-545                                  Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
VORDEFINIERT\Administratoren                         Alias           S-1-5-32-544                                  Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe, Gruppenbesitzer
NT-AUTORITÄT\INTERAKTIV                              Bekannte Gruppe S-1-5-4                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
KONSOLENANMELDUNG                                    Bekannte Gruppe S-1-2-1                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Authentifizierte Benutzer               Bekannte Gruppe S-1-5-11                                      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
NT-AUTORITÄT\Diese Organisation                      Bekannte Gruppe S-1-5-15                                      Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
LOKAL                                                Bekannte Gruppe S-1-2-0                                       Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Group Policy Creator Owners                   Gruppe          S-1-5-21-1731680816-2417063338-1172291106-520 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Denied RODC Password Replication Group        Alias           S-1-5-21-1731680816-2417063338-1172291106-572 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Enterprise Admins                             Gruppe          S-1-5-21-1731680816-2417063338-1172291106-519 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Schema Admins                                 Gruppe          S-1-5-21-1731680816-2417063338-1172291106-518 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
OFFICE\Domain Admins                                 Gruppe          S-1-5-21-1731680816-2417063338-1172291106-512 Verbindliche Gruppe, Standardmäßig aktiviert, Aktivierte Gruppe
Verbindliche Beschriftung\Hohe Verbindlichkeitsstufe Bezeichnung     S-1-16-12288
sventevit
vic
  • Can you include the output of `icacls c:\windows\system32\SystemSettingsAdminFlows.exe` and `whoami /groups` ? – Greg Askew Oct 25 '15 at 16:20
  • I updated my question to include this information. It's in German but most of it will be self-explanatory. "Vordefiniert" means "Pre-Defined", probably translated as "Builtin". – vic Oct 25 '15 at 20:15
  • Those permissions and Administrator group membership look ok. What build do you have (run the `ver` command)? You may also want to try deleting the profile for that account and try logging on again and running it. – Greg Askew Oct 25 '15 at 20:41
  • Ver is 10.0.10240. I just joined a newly deployed Win10 computer to the domain and logged in with the (Domain) Administrator account. Same issue there. – vic Oct 25 '15 at 20:55
  • Does it happen on a fresh Windows install with no applications installed? – Greg Askew Oct 25 '15 at 20:58
  • Didn't try it on a fresh install. However, Firefox, Thunderbird, 7-Zip, and a small contact manager is all the software that is installed. If you think this really could be the issue, I'll try it with a fresh install on one of the machines. P.S. Thanks for bearing with me so far. – vic Oct 25 '15 at 21:03
  • I'm wondering if this may be some kind of security policy setting. You may want to get the output of `gpresult /v` from an elevated command prompt, clean it up (remove server names, group memberships, and any other sensitive information), and include that. It's possible that some policy setting denies some type of access to Domain Admins on workstations (a good security practice by the way). – Greg Askew Oct 25 '15 at 21:18
  • gpresult /v: Almost every section just says "not applicable". The computer is a member of quite a few security groups (including Admins). The user is member of even more security groups, and about 20 privileges are specifically listed. There is nothing else of relevance in the list. It's all in German so I didn't paste it. – vic Oct 25 '15 at 21:27
  • Fresh install on bare metal, winpro 10 64bit, no software installed, joined the computer to the domain - same error message when entering the language settings via the button next to the system clock. Either this is a bug or I'm severely misunderstanding something. Just for clarification: If I enter the regular control panel, I don't get any error messages at all. It's really only this new Win10 language applet that's giving me those messages. – vic Oct 25 '15 at 22:15

3 Answers

21

Looks like it's a problem between 'User Account Control' and the 'Built-in Administrator' account. I had the same issue and this worked for me:

  1. Press Win + R and type 'secpol.msc' to open the Local Security Policy console.
  2. In the Security Settings tree, open Local Policies > Security Options.
  3. Find the policy "User Account Control: Admin Approval Mode for the Built-in Administrator account" and enable it.
  4. Log out - log in, voilà!
HEDMON
  • Hey, that did the trick. Just another thing which doesn't really make sense but solves the problem. How did you even think of that, did you consult any official sources? – vic Jun 04 '16 at 10:01
  • Really, I don't remember how I found it, but it took me a few days ;) I think it was something on TechNet that put me on the right track. And yes, not only does it not make sense, I also don't understand why MS won't solve something so simple?! – HEDMON Jun 04 '16 at 10:08
  • If you find it again, please don't forget to add it to your answer, I would like to understand this in more detail. But anyway, thanks! :) – vic Jun 04 '16 at 10:10
  • I had the same thing on a freshly installed Windows 2016 Standard, and this solved it too for me. – LPChip Nov 24 '17 at 11:25
  • I think the reason for this is that some Apps will not run in elevated mode. If this option is not enabled all apps run by this user are elevated. If this option is enabled UAC is active also for built-in admins (also domain admins) and the apps will run fine. It's the Microsoft way of shooting your own knee. – SkyBeam Jul 28 '18 at 13:40
  • You saved my day! – Dominic Jonas Feb 28 '19 at 12:41
  • This is also discussed at: https://social.technet.microsoft.com/Forums/en-US/fb3bad72-82fb-4d74-9777-ddff71692707 – TakingItCasual Sep 15 '20 at 07:12
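
To see whether a machine is in the state the answer above changes, the following read-only PowerShell check (an added example, not part of the original posts) reports whether the logged-on account is a RID 500 Administrator, the registry value behind the Admin Approval Mode policy, and the integrity level of the current process. It assumes the policy is stored as `FilterAdministratorToken` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and that it is run from a normal, non-elevated prompt; the function and property names are illustrative.

```powershell
# Added example: read-only, changes nothing on the machine.
# Registry key that holds the UAC security options (assumption stated in the lead-in).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue([string]$Name) {
    # Returns the DWORD value, or $null when it is not set (Windows then uses its default).
    $item = Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid      = $identity.User.Value

# RID 500 marks the built-in Administrator, whether local or domain.
$isRid500 = $sid -match '^S-1-5-21-\d+-\d+-\d+-500$'

# Integrity label of this process, read from the SID column of whoami /groups
# so it works with localized output (8192 = medium, 12288 = high).
$integrityRid = $null
if ((whoami /groups | Out-String) -match 'S-1-16-(\d+)') {
    $integrityRid = [int]$Matches[1]
}

$filterToken = Get-UacValue 'FilterAdministratorToken'   # 1 = Admin Approval Mode enabled
$enableLua   = Get-UacValue 'EnableLUA'                  # 1 = UAC enabled at all

[pscustomobject]@{
    User                     = $identity.Name
    IsRid500Administrator    = $isRid500
    EnableLUA                = $enableLua
    FilterAdministratorToken = $filterToken
    IntegrityRid             = $integrityRid
    # True when a RID 500 account runs everything with the full admin token,
    # which is the situation the policy in the answer switches off.
    FullTokenWithoutApproval = $isRid500 -and ($filterToken -ne 1) -and ($integrityRid -ge 12288)
}
```

After the policy is enabled and the account has logged off and on again, the same check from a non-elevated prompt should report 8192 (medium) instead of 12288 (high).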
4

Just had this issue on a few computers I administer. In case it helps anyone:

  1. PCs built from scratch with Windows 10 (education edition) using Lite Touch Installation from Windows server - the issue did not arise.

  2. Some (but not all !?) PCs upgraded to Windows 10 (education edition) - exact same source media as used for the LTI build - from Windows 8.1 exhibited the problem. The only possible pattern I can see so far is that the PCs with the problem were the Surface Pro 2s - the ones that did not exhibit the problem were Surface Pro 3s - apart from driver / firmware etc. differences between the 2 types, the pre-upgrade builds on the 2 types were identical, so this feels very strange.

  3. I also had a few upgrades from Windows 10 Pro that didn't have a problem, but all these were Surface Pro 3s and there weren't enough of them to add anything useful.

  4. The English message is:

     Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

  5. Instead of using local security policy on individual machines, you can use domain group policy - same policy setting, under Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options - which seems to fix it.
  • Just don't do the UAC Admin approval mode in your environment, it opens a huge security hole. – Jim B Jul 09 '16 at 22:31
  • Have to say I'm struggling to make sense of this. Enabled looks as though it should be MORE restrictive? Explanation of the policy is: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege." – David Nutting Jul 12 '16 at 11:25
  • @Jim B, please can you provide more information about the risk with this solution? The same as @David Nutting, I found the solution, but I don't understand 100% the why of this. From my view, it's a Windows bug, but again, I'm not completely sure. – HEDMON Jul 15 '16 at 07:04
-2

If you define a user with Administrator rights in Control Panel/User Accounts BEFORE you log in with it for the first time, the new Win10 applet works...

  • I'm not sure I follow. I do have a local account with admin rights. I used it to make the installation in the first place. – vic Oct 28 '15 at 10:40