Admin account created during deployment doesn't have correct permissions

1

I'm having an issue where an admin account created during deployment is having major permission issues. One example is the inability to install applications, as it doesn't have correct permissions to Program Files (x86).

The account is created in unattended.xml with the following two commands:

cmd /c net user /add newadmin password
cmd /c net localgroup administrators newadmin /add

Those commands are done during the Specialize>Microsoft-Windows-Deployment phase and are two separate run synchronous commands. The commands succeed at least partially, since the account is created and when checking it through the local users MMC snap-in I see that the account belongs to the administrators group.

To further troubleshoot, I created another admin account through the standard GUI. The end result was:

  • Built-in administrator account has correct permissions and can install applications and carry out all expected actions
  • Admin account created through standard GUI has correct permissions
  • Admin account created in unattended.xml seems to have bad permissions and can't carry out expected actions

I just noticed that the permissions issue only occurs when manually launching the program as a different user using the run-as option. If I just double-click the program and have it spawn the Windows dialog to run as a different user, then it completes. So it looks like the program only manifests in instances where I need to use the runas option.

George Kendros

Posted 2016-08-22T19:46:30.977

Reputation: 353

If you remove this account from the Administrator group, place it in another user group, then reverse the process, what is the result? – Ramhound – 2016-08-22T19:53:14.873

I haven't checked but it makes a lot of sense to try that. I will test in a minute and reply back – George Kendros – 2016-08-22T20:11:00.490

Unfortunately it didn't help. The account still acts as if it has the privileges of the standard user group. – George Kendros – 2016-08-22T20:36:26.847

How are you testing this? Are you running into problems with UAC? You know that the UAC will filter away the administrator privilege, right? Unless you elevate the process. – Zoredache – 2016-08-22T21:55:01.577

Are you doing anything else during the unattended setup that is related to permissions? Are all of the local security policies at their default setting? – I say Reinstate Monica – 2016-08-23T01:09:36.443

UAC is enabled. I'm trying to run the program using the standard runas command from Shift+right-click. When running with the admin account created through the GUI after deployment, I get the expected result of a UAC popup. When doing the exact same with this account created during the deployment through the commands in the unattended.xml, I get the error. – George Kendros – 2016-08-23T02:50:14.730

No answers
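
The comments above turn on whether a process started as the new account holds a full administrator token or a UAC-filtered one. As an added diagnostic that is not part of the original thread, the PowerShell below reports both facts from inside a process run as the account under test. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and that the account is a direct member of the local Administrators group, as in the question.

```powershell
# Added example, not code from the thread.
# Run inside a process started as the account under test, for example a
# PowerShell window opened through "Run as different user".

$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# 1. Membership as stored in the local account database
#    (what the local users snap-in shows).
$isMember = [bool](Get-LocalGroupMember -SID $adminSid |
    Where-Object { $_.SID.Value -eq $identity.User.Value })

# 2. Whether this process's token has the Administrators SID enabled.
#    With UAC on, a non-elevated process of an admin account gets a filtered
#    token, and IsInRole returns False even though step 1 returns True.
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. Raw token contents. /nh drops the localized header row so that the
#    column names can be supplied here; the Attributes text stays localized.
$rows = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$adminRow  = $rows | Where-Object { $_.SID -eq $adminSid }
$integrity = $rows | Where-Object { $_.SID -like 'S-1-16-*' }

[pscustomobject]@{
    Account               = $identity.Name
    InAdministratorsGroup = $isMember
    TokenElevated         = $elevated
    # A filtered token marks this entry as used for deny only.
    AdminSidAttributes    = $adminRow.Attributes
    # S-1-16-8192 = medium (filtered), S-1-16-12288 = high (elevated)
    IntegrityLevelSid     = $integrity.SID
} | Format-List

if ($isMember -and -not $elevated) {
    'Group membership is correct; this process holds the UAC-filtered token.'
} elseif (-not $isMember) {
    'The account is not a direct member of the local Administrators group.'
} else {
    'This process holds the full administrator token.'
}
```

Running it once as the deployment-created account and once as the GUI-created account gives a side-by-side view of whether the two differ in stored group membership or only in the token the launched process received.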