User Account Control (UAC) and Server Core

A slight detour from the Windows Server 2008 R2 posts this time around to cover a topic that has been coming up recently: UAC on Server Core.

UAC is not available in Server Core, since Server Core is a command-line-only interface with no IE and no support for user applications. In addition, using UAC with the command prompt requires the Explorer shell so that you can click Start, right-click Command Prompt, and select Run as administrator, which obviously isn’t possible on Server Core.

If the registry entry that controls UAC is modified on a Server Core installation, doing anything at the command prompt becomes very difficult. Running almost anything will result in access denied or other related errors, depending on how UAC-aware the program you are trying to run is. A quick way to determine whether UAC is causing the error is to run regedit. If UAC is enabled you will receive an error dialog that says “The specified service does not exist as an installed service.” and clicking OK will return “Access is denied.” on the command line.

To resolve this you can:

· If you are using Group Policy to configure your servers and put a server running the Server Core installation into an OU that enables UAC, move the server to another OU that doesn’t enforce UAC and let Group Policy change the setting.

· If UAC was manually configured, disable UAC by remotely modifying the registry.

· Log on using the built-in administrator account to perform your admin task or disable UAC.

To disable UAC on Server Core you can use reg.exe or regedit.exe to set the EnableLUA value under the following Registry path to 0 and reboot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
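The check and the fix described above, as an added example that is not part of the original post: a batch script that reads EnableLUA with reg.exe, locally or on a remote server, and sets it to 0 only when asked. The script name, its argument layout and exit codes are assumptions of this example, and the remote form assumes the Remote Registry service is reachable on the target and that you hold administrative rights there.

```batch
@echo off
rem Added example: inspect and optionally clear EnableLUA on a Server Core box.
rem Usage (hypothetical script name): uac-check.cmd [\\ServerName] [/disable]
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
set "TARGET="
set "DISABLE="

:parse
if "%~1"=="" goto run
if /i "%~1"=="/disable" (set "DISABLE=1") else (set "TARGET=%~1\")
shift
goto parse

:run
rem reg.exe addresses a remote hive as \\Computer\HKLM\...
set "VALUE="
for /f "tokens=3" %%A in ('reg query "%TARGET%%KEY%" /v EnableLUA 2^>nul ^| findstr /i "EnableLUA"') do set "VALUE=%%A"

if not defined VALUE (
    echo Could not read EnableLUA from %TARGET%%KEY%
    exit /b 2
)
echo EnableLUA = %VALUE%
if "%VALUE%"=="0x0" (
    echo UAC is already disabled.
    exit /b 0
)
if not defined DISABLE (
    echo UAC is enabled. Re-run with /disable to set EnableLUA to 0.
    exit /b 1
)
rem Write the value; a Group Policy that enforces UAC will set it back.
reg add "%TARGET%%KEY%" /v EnableLUA /t REG_DWORD /d 0 /f || exit /b 3
echo EnableLUA set to 0. Reboot the server for the change to take effect.
exit /b 0
```

Run it from a management workstation against the affected server when the local command prompt on that server is already returning access denied.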

More on Windows Server 2008 R2 next time.