Windows Users in Administrators Group without Administrator rights – How to Fix

Here’s a common issue that every Windows system administrator will run into sooner or later when dealing with Windows Server (or Windows 10) and its odd way of handling the Administrators group and the users within it.

Let’s start with the basics: as everyone knows, all recent Windows versions (Windows Server 2012, Windows Server 2016, Windows 8.x, Windows 10 and so on) come with a built-in Administrator account, which is a member of the Administrators group. It goes without saying that this account has full rights, as clearly stated in the Administrators group description:

Administrators have complete and unrestricted access to the computer/domain.

This also means that any users we put within the Administrators group will inherit these access rights as well, right?

WRONG.

As a matter of fact, if we create another user and put it in the Administrators group, it will NOT have the same rights as the built-in Administrator user itself: to be more precise, it will be unable to perform a lot of administrative tasks. Here are some examples:

  • A file is owned by SYSTEM and the Administrators group has full control. If we try to change that file’s permissions with the built-in Administrator account, it will work without problems; if we try to do the same with any other user within the Administrators group, we won’t be able to.
  • IE Enhanced Security Configuration is set OFF for Administrators, ON for Users: with the built-in Administrator account that setting will be OFF, but it will be ON for all other users, even if they’re members of the Administrators group.

Long story short, users in the Administrators group do not have the same rights as the built-in Administrator account. Is there a logical explanation for such odd behaviour? Of course there is: keep reading.

The Problem

This highly counter-intuitive permissions mess is caused by User Account Control, a feature which ensures that, even if a standard user is entitled to administrative rights, it won’t actually be granted them unless it explicitly requests them. This security behaviour is governed by two distinct policies, both found in the same gpedit node (Computer Settings\Windows settings\Security settings\Local policies\Security options).

The first one of them handles the built-in Administrator account, while the other one handles all administrative users:

  • User Account Control: Admin Approval Mode for the built-in Administrator account (disabled by default)
  • User Account Control: Run all administrators in Admin Approval Mode (enabled by default)

As we can see, the former (when disabled, which is the default) is basically an exception to the latter, meaning that the built-in Administrator account won’t be affected by UAC, while all other administrative users will. That’s why all standard users won’t actually have administrative rights, even if they’re members of the Administrators group.
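The following read-only check is an added example, not part of the original post: it reports how the two policies are currently set and whether the current process holds a full or a filtered administrator token. It assumes Windows PowerShell 5.1 or later, English-language `whoami` output, and that the policies are backed by the `EnableLUA` and `FilterAdministratorToken` registry values (names not given in the article).

```powershell
# Added example: read-only report of the two UAC policies and the current token.
# Assumptions: English whoami column names; registry value names as stated in the lead-in.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([string]$Name, [int]$Default)
    # A policy that was never configured may have no registry value at all,
    # so fall back to the default stated in the article.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

# "Run all administrators in Admin Approval Mode" (enabled by default)
$enableLua   = Get-UacPolicyValue -Name 'EnableLUA' -Default 1
# "Admin Approval Mode for the built-in Administrator account" (disabled by default)
$filterAdmin = Get-UacPolicyValue -Name 'FilterAdministratorToken' -Default 0

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)

# True only when the Administrators group is *enabled* in this process token.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# In a filtered token the group is still listed, but flagged "Group used for deny only".
$adminsRow = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }   # well-known SID of BUILTIN\Administrators

[pscustomobject]@{
    User                             = $identity.Name
    IsBuiltInAdministrator           = $identity.User.Value -match '-500$'  # RID 500
    RunAllAdminsInAdminApprovalMode  = [bool]$enableLua
    AdminApprovalModeForBuiltInAdmin = [bool]$filterAdmin
    AdministratorsListedInToken      = [bool]$adminsRow
    AdministratorsGroupAttributes    = $adminsRow.Attributes
    ProcessHasFullAdminToken         = $elevated
} | Format-List

if ($adminsRow -and -not $elevated) {
    Write-Output 'Member of Administrators, but this process runs with the filtered (non-elevated) token.'
}
if ($enableLua -eq 0) {
    Write-Warning '"Run all administrators in Admin Approval Mode" is Disabled on this host.'
}
```

Run once from a normal prompt and once from an elevated one as a non-built-in administrator: the policy values stay the same while `ProcessHasFullAdminToken` and the group attributes change.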

The Solution

The fix for that is very simple. We just need to do the following:

  • Launch gpedit from an elevated command prompt.
  • Navigate to Computer Settings\Windows settings\Security settings\Local policies\Security options
  • Locate the following policy: User Account Control: Run all administrators in Admin Approval Mode, which you’ll find Enabled.
  • Set it to Disabled.

As soon as we do that, Windows will ask for a reboot to re-load the updated UAC configuration: once done, all the users within the Administrators group will be finally able to act just like the Administrator account.

IMPORTANT: please be aware that altering those settings can have a major impact in terms of security and should only be done by System Administrators that know what they’re doing and are fully aware of the overall implications of performing such changes. Read the Comments section for further details.

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010, also a lead designer for many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.

4 Comments on “Windows Users in Administrators Group without Administrator rights – How to Fix”

  1. Dear Ryan,
    I think it would be helpful to add to your article that by doing this fix, the UAC is turned off entirely for the computer, which is a security risk and not recommended. I believe it is actually turned off for all users, not just the admin accounts that you are trying to give access to. I get this information from a few different articles, including this article which states “in short, yes it’s by design that UAC will get turned off if you disable Admin Approval Mode.”
    https://social.technet.microsoft.com/Forums/Lync/en-US/6fe85045-ae27-4741-9412-be283f311d24/difference-between-uac-and-admin-approval-mode?forum=w7itprosecurity
    And a second article which gives instructions on how to disable the UAC completely, and the instructions are to make exactly the setting you are suggesting:
    https://www.online-tech-tips.com/windows-10/ott-explains-uac-user-account-control-in-windows-10/

    I made the group policy setting you suggested, and then saw that the slider in “Change User Account Control Settings” was pulled all the way down to level 1, which is not recommended and has the effect of “Never notify me”, so this also points in the direction that by disabling “User Account Control: Run all administrators in Admin Approval Mode”, UAC for the entire computer is disabled.

    I had the problem with admin accounts using search to open things like the local group policy editor: I got errors saying I may not have the appropriate permissions, while opening via another route worked fine. Your fix worked for this issue, but to avoid turning off the UAC, a more promising fix may be to register the msxml3.dll file with the regsvr32 C:\Windows\system32\msxml3.dll command. I haven’t tried it yet. It was suggested in this article: https://community.spiceworks.com/topic/127420-active-directory-administrator-doesn-t-have-permissions
    Unfortunately, this won’t address the two issues you gave in your article.

    1. Hello there,
      thank you for your reply.

      I am 100% sure that enabling such policy (User Account Control: Run all administrators in Admin Approval Mode) doesn’t shut down UAC for all users. The policy that does that is the following one, which the post is never referring to:

      • User Account Control: Turn on Admin Approval Mode

      The link you posted further clarifies this. No one is talking about changing that policy, and the one we’re talking about only impacts the users put in the “Administrators” group.

      That said, I 100% agree that you should never turn off Admin Approval Mode for all users, and I would also like to add that even disabling that feature for the Administrators group only could raise serious security issues if you (need to) have “standard” users added to that group: altering those settings can have a major impact in terms of security and should only be done by System Administrators that know what they’re doing. I added a WARNING disclaimer to the article to better clarify that.

  2. I tried to install paid for legitimate software, as an Administrator in a Domain, software refused to install? Something about not having sufficient privileges to install the software. I am the administrator, so if the administrator cannot install software, which can? I scanned the software to be installed with Trend WFBS and no security threats detected.

    Made the change suggested here and could install the software. It is only Server 2019 as a VM for training purposes, so not an issue, but really, Microsoft need to sort this type of stuff out. We are not the people writing the code in Microsoft world, it is not intuitive, it needs to be made obvious that the domain administrator account has limitations?

  3. Thank you sincerely for the help! So, WHY even have an Admin GROUP if its members don’t have Admin RIGHTS? Wouldn’t it have made more sense to do something like….oh, I don’t know…….maybe bring back the old Power Users for those who need elevated rights but not admin rights and leave the Admin Group the way it was….for granting admin rights? This all made sense in Windows NT and XP, then everything started rolling downhill like a snowball headed for MS hell! The new generation of programmers who put their mark on Wins 10 REALLY did a number and should be proportionately punished…..something public.
